mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 17:19:20 +00:00
Code Issues Projects Releases Wiki Activity

ofono: patch CVE-2024-7537

Browse Source 
Pick commit
https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb

(From OE-Core rev: 7f3a567b8e1446863e6c5c4336b4cb174592f799)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
2025-04-04 23:40:38 +02:00
committed by Steve Sakoman
parent b5b884bc1a
commit 57c7ce9193
2 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
+59
View File
@@ -0,0 +1,59 @@
From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Date: Sun, 16 Mar 2025 12:26:42 +0200
Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read
Fixes: CVE-2024-7537
CVE: CVE-2024-7537
Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
drivers/qmimodem/sms.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c
index 3e2bef6e..75863480 100644
--- a/drivers/qmimodem/sms.c
+++ b/drivers/qmimodem/sms.c
@@ -485,6 +485,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
const struct qmi_wms_result_msg_list *list;
uint32_t cnt = 0;
uint16_t tmp;
+ uint16_t length;
+ size_t msg_size;
DBG("");
@@ -494,7 +496,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
goto done;
}
- list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL);
+ list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
if (list == NULL) {
DBG("Err: get msg list empty");
goto done;
@@ -503,6 +505,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
cnt = GUINT32_FROM_LE(list->cnt);
DBG("msgs found %d", cnt);
+ msg_size = cnt * sizeof(list->msg[0]);
+
+ if (length != sizeof(list->cnt) + msg_size) {
+ DBG("Err: invalid msg list count");
+ goto done;
+ }
+
for (tmp = 0; tmp < cnt; tmp++) {
DBG("unread type %d ndx %d", list->msg[tmp].type,
GUINT32_FROM_LE(list->msg[tmp].ndx));
@@ -516,8 +525,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
/* save list and get 1st msg */
if (cnt) {
- int msg_size = cnt * sizeof(list->msg[0]);
-
data->msg_list = g_try_malloc0(sizeof(list->cnt) + msg_size);
if (data->msg_list == NULL)
goto done;
meta/recipes-connectivity/ofono/ofono_1.34.bb
+1
View File
@@ -25,6 +25,7 @@ SRC_URI = "\
file://CVE-2024-7546.patch \
file://CVE-2024-7547.patch \
file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
file://CVE-2024-7537.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"