mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-12 03:24:08 +00:00
Code Issues Projects Releases Wiki Activity

dlt-daemon: fix CVE-2022-39836 and CVE-2022-39837

Browse Source 
CVE-2022-39836:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a heap-based buffer over-read of one byte.

CVE-2022-39837:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a NULL pointer dereference.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-39836
https://nvd.nist.gov/vuln/detail/CVE-2022-39837

Upstream patch:
855e0017a9

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Yogita Urade
2025-02-21 05:11:07 +00:00
committed by Armin Kuster
parent 5c9db7a2b0
commit 92a5b3ebf0
2 changed files with 252 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

251
meta-oe/recipes-extended/dlt-daemon/dlt-daemon/CVE-2022-39836-CVE-2022-39837.patch Normal file
View File

@@ -0,0 +1,251 @@
From 855e0017a980d2990c16f7dbf3b4983b48fac272 Mon Sep 17 00:00:00 2001
From: Bui Nguyen Quoc Thanh <49302843+thanhbnq@users.noreply.github.com>
Date: Thu, 7 Jul 2022 11:00:34 +0700
Subject: [PATCH] Fix handle returned value (#384)
* common: Handle returned value
- The returned value of supporting APIs should be checked correctly.
- In case of extended header, the buffer of header must be checked
before proceeding further.
Signed-off-by: Bui Nguyen Quoc Thanh <thanh.buinguyenquoc@vn.bosch.com>
* console: Handle returned value
In case of parsing dlt file, the failed messages
should be skipped by evaluating returned value
Signed-off-by: Bui Nguyen Quoc Thanh <thanh.buinguyenquoc@vn.bosch.com>
CVE: CVE-2022-39836 and CVE-2022-39837
Upstream-Status: Backport [https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
src/console/dlt-convert.c | 18 ++++++----
src/console/dlt-sortbytimestamp.c | 6 ++--
src/shared/dlt_common.c | 60 ++++++++++++++++++++++---------
3 files changed, 59 insertions(+), 25 deletions(-)
diff --git a/src/console/dlt-convert.c b/src/console/dlt-convert.c
index b82c104..30ea09a 100644
--- a/src/console/dlt-convert.c
+++ b/src/console/dlt-convert.c
@@ -432,31 +432,37 @@ int main(int argc, char *argv[])
}
for (num = begin; num <= end; num++) {
- dlt_file_message(&file, num, vflag);
+ if (dlt_file_message(&file, num, vflag) < DLT_RETURN_OK)
+ continue;
if (xflag) {
printf("%d ", num);
- dlt_message_print_hex(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag);
+ if (dlt_message_print_hex(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK)
+ continue;
}
else if (aflag) {
printf("%d ", num);
- dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag);
+ if (dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK)
+ continue;
printf("%s ", text);
- dlt_message_payload(&file.msg, text, DLT_CONVERT_TEXTBUFSIZE, DLT_OUTPUT_ASCII, vflag);
+ if (dlt_message_payload(&file.msg, text, DLT_CONVERT_TEXTBUFSIZE, DLT_OUTPUT_ASCII, vflag) < DLT_RETURN_OK)
+ continue;
printf("[%s]\n", text);
}
else if (mflag) {
printf("%d ", num);
- dlt_message_print_mixed_plain(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag);
+ if (dlt_message_print_mixed_plain(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK)
+ continue;
}
else if (sflag) {
printf("%d ", num);
- dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag);
+ if (dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK)
+ continue;
printf("%s \n", text);
}
diff --git a/src/console/dlt-sortbytimestamp.c b/src/console/dlt-sortbytimestamp.c
index 3e418e1..82fd5d0 100644
--- a/src/console/dlt-sortbytimestamp.c
+++ b/src/console/dlt-sortbytimestamp.c
@@ -160,7 +160,8 @@ void write_messages(int ohandle, DltFile *file,
if ((0 == i % 1001) || (i == message_count - 1))
verbose(2, "Writing message %d\r", i);
- dlt_file_message(file, timestamps[i].num, 0);
+ if (dlt_file_message(file, timestamps[i].num, 0) < DLT_RETURN_OK)
+ continue;
iov[0].iov_base = file->msg.headerbuffer;
iov[0].iov_len = file->msg.headersize;
iov[1].iov_base = file->msg.databuffer;
@@ -402,7 +403,8 @@ int main(int argc, char *argv[]) {
verbose(1, "Filling %d entries\n", message_count);
for (num = begin; num <= end; num++) {
- dlt_file_message(&file, num, vflag);
+ if (dlt_file_message(&file, num, vflag) < DLT_RETURN_OK)
+ continue;
timestamp_index[num - begin].num = num;
timestamp_index[num - begin].systmsp = file.msg.storageheader->seconds;
timestamp_index[num - begin].tmsp = file.msg.headerextra.tmsp;
diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
index 427044b..4303c50 100644
--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
@@ -202,7 +202,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr,
/* Hex-Output */
/* It is not required to decrement textlength, as it was already checked, that
* there is enough space for the complete output */
- dlt_print_hex_string(text, textlength, (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)), DLT_COMMON_HEX_CHARS);
+ if (dlt_print_hex_string(text, textlength,
+ (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)),
+ DLT_COMMON_HEX_CHARS) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
text += ((2 * DLT_COMMON_HEX_CHARS) + (DLT_COMMON_HEX_CHARS - 1)); /* 32 characters + 15 spaces */
snprintf(text, 2, " ");
@@ -211,8 +214,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr,
/* Char-Output */
/* It is not required to decrement textlength, as it was already checked, that
* there is enough space for the complete output */
- dlt_print_char_string(&text, textlength, (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)),
- DLT_COMMON_HEX_CHARS);
+ if (dlt_print_char_string(&text, textlength,
+ (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)),
+ DLT_COMMON_HEX_CHARS) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
if (html == 0) {
snprintf(text, 2, "\n");
@@ -240,10 +245,11 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr,
/* Hex-Output */
/* It is not required to decrement textlength, as it was already checked, that
* there is enough space for the complete output */
- dlt_print_hex_string(text,
+ if (dlt_print_hex_string(text,
textlength,
(uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)),
- rest);
+ rest) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
text += 2 * rest + (rest - 1);
for (i = 0; i < (DLT_COMMON_HEX_CHARS - rest); i++) {
@@ -257,8 +263,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr,
/* Char-Output */
/* It is not required to decrement textlength, as it was already checked, that
* there is enough space for the complete output */
- dlt_print_char_string(&text, textlength,
- (uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)), rest);
+ if (dlt_print_char_string(&text, textlength,
+ (uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)),
+ rest) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
}
return DLT_RETURN_OK;
@@ -672,6 +680,9 @@ DltReturnValue dlt_message_header_flags(DltMessage *msg, char *text, size_t text
if ((msg == NULL) || (text == NULL) || (textlength <= 0))
return DLT_RETURN_WRONG_PARAMETER;
+ if ((DLT_IS_HTYP_UEH(msg->standardheader->htyp)) && (msg->extendedheader == NULL))
+ return DLT_RETURN_WRONG_PARAMETER;
+
if ((flags < DLT_HEADER_SHOW_NONE) || (flags > DLT_HEADER_SHOW_ALL))
return DLT_RETURN_WRONG_PARAMETER;
@@ -3239,7 +3250,8 @@ DltReturnValue dlt_message_print_header(DltMessage *message, char *text, uint32_
if ((message == NULL) || (text == NULL))
return DLT_RETURN_WRONG_PARAMETER;
- dlt_message_header(message, text, size, verbose);
+ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("%s\n", text);
return DLT_RETURN_OK;
@@ -3250,9 +3262,12 @@ DltReturnValue dlt_message_print_hex(DltMessage *message, char *text, uint32_t s
if ((message == NULL) || (text == NULL))
return DLT_RETURN_WRONG_PARAMETER;
- dlt_message_header(message, text, size, verbose);
+ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("%s ", text);
- dlt_message_payload(message, text, size, DLT_OUTPUT_HEX, verbose);
+
+ if (dlt_message_payload(message, text, size, DLT_OUTPUT_HEX, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("[%s]\n", text);
return DLT_RETURN_OK;
@@ -3263,9 +3278,12 @@ DltReturnValue dlt_message_print_ascii(DltMessage *message, char *text, uint32_t
if ((message == NULL) || (text == NULL))
return DLT_RETURN_WRONG_PARAMETER;
- dlt_message_header(message, text, size, verbose);
+ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("%s ", text);
- dlt_message_payload(message, text, size, DLT_OUTPUT_ASCII, verbose);
+
+ if (dlt_message_payload(message, text, size, DLT_OUTPUT_ASCII, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("[%s]\n", text);
return DLT_RETURN_OK;
@@ -3276,9 +3294,12 @@ DltReturnValue dlt_message_print_mixed_plain(DltMessage *message, char *text, ui
if ((message == NULL) || (text == NULL))
return DLT_RETURN_WRONG_PARAMETER;
- dlt_message_header(message, text, size, verbose);
+ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("%s \n", text);
- dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_PLAIN, verbose);
+
+ if (dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_PLAIN, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("[%s]\n", text);
return DLT_RETURN_OK;
@@ -3289,9 +3310,13 @@ DltReturnValue dlt_message_print_mixed_html(DltMessage *message, char *text, uin
if ((message == NULL) || (text == NULL))
return DLT_RETURN_WRONG_PARAMETER;
- dlt_message_header(message, text, size, verbose);
+ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
dlt_user_printf("%s \n", text);
- dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_HTML, verbose);
+
+ if (dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_HTML, verbose) < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
+
dlt_user_printf("[%s]\n", text);
return DLT_RETURN_OK;
@@ -3901,7 +3926,8 @@ DltReturnValue dlt_message_argument_print(DltMessage *msg,
if ((*datalength) < length)
return DLT_RETURN_ERROR;
- dlt_print_hex_string_delim(value_text, (int) textlength, *ptr, length, '\'');
+ if (dlt_print_hex_string_delim(value_text, (int) textlength, *ptr, length, '\'') < DLT_RETURN_OK)
+ return DLT_RETURN_ERROR;
*ptr += length;
*datalength -= length;
}
--
2.40.0

1
meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb
View File

@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \
file://0004-Modify-systemd-config-directory.patch \
file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \
file://0001-Fix-memory-leak.patch \
file://CVE-2022-39836-CVE-2022-39837.patch \
"
SRCREV = "6a3bd901d825c7206797e36ea98e10a218f5aad2"