ofono: patch CVE-2024-7537

author Peter Marko <peter.marko@siemens.com>

Fri, 4 Apr 2025 21:40:38 +0000 (23:40 +0200)

committer Steve Sakoman <steve@sakoman.com>

Mon, 7 Apr 2025 15:12:34 +0000 (08:12 -0700)
author Peter Marko <peter.marko@siemens.com>
Fri, 4 Apr 2025 21:40:38 +0000 (23:40 +0200)
committer Steve Sakoman <steve@sakoman.com>
Mon, 7 Apr 2025 15:12:34 +0000 (08:12 -0700)
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch

new file mode 100644 (file)

index 0000000..518b042
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
@@ -0,0 +1,59 @@
+From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Sun, 16 Mar 2025 12:26:42 +0200
+Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read
+
+Fixes: CVE-2024-7537
+
+CVE: CVE-2024-7537
+Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ drivers/qmimodem/sms.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c
+index 3e2bef6e..75863480 100644
+--- a/drivers/qmimodem/sms.c
++++ b/drivers/qmimodem/sms.c
+@@ -485,6 +485,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+       const struct qmi_wms_result_msg_list *list;
+       uint32_t cnt = 0;
+       uint16_t tmp;
++      uint16_t length;
++      size_t msg_size;
+ 
+       DBG("");
+ 
+@@ -494,7 +496,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+               goto done;
+       }
+ 
+-      list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL);
++      list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
+       if (list == NULL) {
+               DBG("Err: get msg list empty");
+               goto done;
+@@ -503,6 +505,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+       cnt = GUINT32_FROM_LE(list->cnt);
+       DBG("msgs found %d", cnt);
+ 
++      msg_size = cnt * sizeof(list->msg[0]);
++
++      if (length != sizeof(list->cnt) + msg_size) {
++              DBG("Err: invalid msg list count");
++              goto done;
++      }
++
+       for (tmp = 0; tmp < cnt; tmp++) {
+               DBG("unread type %d ndx %d", list->msg[tmp].type,
+                       GUINT32_FROM_LE(list->msg[tmp].ndx));
+@@ -516,8 +525,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+ 
+       /* save list and get 1st msg */
+       if (cnt) {
+-              int msg_size = cnt * sizeof(list->msg[0]);
+-
+               data->msg_list = g_try_malloc0(sizeof(list->cnt) + msg_size);
+               if (data->msg_list == NULL)
+                       goto done;
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb

index 1083b91d5686235b8e6c212249c8cdd08e6b4a19..9f11af9236fcd0a74447e3db15cae6dc16a152e9 100644 (file)
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -25,6 +25,7 @@ SRC_URI = "\
      file://CVE-2024-7546.patch \
      file://CVE-2024-7547.patch \
      file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
+    file://CVE-2024-7537.patch \
  "
  SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
author	Peter Marko <peter.marko@siemens.com>
	Fri, 4 Apr 2025 21:40:38 +0000 (23:40 +0200)
committer	Steve Sakoman <steve@sakoman.com>
	Mon, 7 Apr 2025 15:12:34 +0000 (08:12 -0700)
meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch	[new file with mode: 0644]	patch \| blob
meta/recipes-connectivity/ofono/ofono_1.34.bb		patch \| blob \| blame \| history