MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 12:59:02 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ofono: patch CVE-2024-7537

Browse Source 
Pick commit
https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb

(From OE-Core rev: 54ce53f7c2daf4f9d536e4e1f721035064c57b30)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko 2025-04-04 23:40:15 +02:00 committed by Steve Sakoman
parent 78626a6f18
commit 92c44bc788
2 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch Normal file
View File

@ -0,0 +1,59 @@
From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Date: Sun, 16 Mar 2025 12:26:42 +0200
Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read
Fixes: CVE-2024-7537
CVE: CVE-2024-7537
Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
drivers/qmimodem/sms.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c
index 3e2bef6e..75863480 100644
--- a/drivers/qmimodem/sms.c
+++ b/drivers/qmimodem/sms.c
@@ -467,6 +467,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
const struct qmi_wms_result_msg_list *list;
uint32_t cnt = 0;
uint16_t tmp;
+ uint16_t length;
+ size_t msg_size;
DBG("");
@@ -476,7 +478,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
goto done;
}
- list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL);
+ list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
if (list == NULL) {
DBG("Err: get msg list empty");
goto done;
@@ -485,6 +487,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
cnt = GUINT32_FROM_LE(list->cnt);
DBG("msgs found %d", cnt);
+ msg_size = cnt * sizeof(list->msg[0]);
+
+ if (length != sizeof(list->cnt) + msg_size) {
+ DBG("Err: invalid msg list count");
+ goto done;
+ }
+
for (tmp = 0; tmp < cnt; tmp++) {
DBG("unread type %d ndx %d", list->msg[tmp].type,
GUINT32_FROM_LE(list->msg[tmp].ndx));
@@ -498,8 +507,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
/* save list and get 1st msg */
if (cnt) {
- int msg_size = cnt * sizeof(list->msg[0]);
-
data->msg_list = g_try_malloc0(sizeof(list->cnt) + msg_size);
if (data->msg_list == NULL)
goto done;

1
meta/recipes-connectivity/ofono/ofono_2.4.bb
View File

@ -25,6 +25,7 @@ SRC_URI = "\
file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
file://CVE-2023-4232.patch \
file://CVE-2023-4235.patch \
file://CVE-2024-7537.patch \
"
SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"