From f80b122315a3a8168152c0cee5a004761c602073 Mon Sep 17 00:00:00 2001 From: Praveen Kumar Date: Thu, 15 May 2025 11:42:22 +0530 Subject: [PATCH] connman :fix CVE-2025-32366 In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32366 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 (From OE-Core rev: 02e046149b1cc5eca5188eec7b4e1a9970b97faf) Signed-off-by: Praveen Kumar Signed-off-by: Steve Sakoman --- .../connman/connman/CVE-2025-32366.patch | 41 +++++++++++++++++++ .../connman/connman_1.42.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch new file mode 100644 index 0000000000..0eb7360685 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch @@ -0,0 +1,41 @@ +From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 +From: Yoonje Shin +Date: Mon, 12 May 2025 10:48:18 +0200 +Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability + +In Connman parse_rr in dnsproxy.c has a memcpy length +that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) +and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger +than the amount of remaining packet data in the current state of +parsing. As a result, values of stack memory locations may be sent +over the network in a response. + +This patch adds a check to ensure that (*end + *rdlen) does not exceed +the valid range. If the condition is violated, the function returns +-EINVAL. + +CVE: CVE-2025-32366 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4] + +Signed-off-by: Praveen Kumar +--- + src/dnsproxy.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 1a5a4f3..50b2d55 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -985,6 +985,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, + if ((offset + *rdlen) > *response_size) + return -ENOBUFS; + ++ if ((*end + *rdlen) > max) ++ return -EINVAL; ++ + memcpy(response + offset, *end, *rdlen); + + *end += *rdlen; +-- +2.40.0 diff --git a/meta/recipes-connectivity/connman/connman_1.42.bb b/meta/recipes-connectivity/connman/connman_1.42.bb index 3a1c9802bd..9b3abbe258 100644 --- a/meta/recipes-connectivity/connman/connman_1.42.bb +++ b/meta/recipes-connectivity/connman/connman_1.42.bb @@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \ file://CVE-2025-32743.patch \ + file://CVE-2025-32366.patch \ " SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"