From d40b2587766f27a1506ad7572c161ab8ad74c42f Mon Sep 17 00:00:00 2001
From: Jean-Marie Lemetayer
Date: Mon, 12 Aug 2024 10:51:34 +0200
Subject: [PATCH 01/11] smsutil: check that user data length fits in internal buffer
This addresses CVE-2023-2794.
---
 ofono/src/smsutil.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ofono/src/smsutil.c b/ofono/src/smsutil.c
index 1f20ba7ff..c9837aa8b 100644
--- a/ofono/src/smsutil.c
+++ b/ofono/src/smsutil.c
@@ -783,6 +783,9 @@ static gboolean decode_deliver(const unsigned char *pdu, int len,
 expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs);
+ if (expected < 0 || expected > (int)sizeof(out->deliver.ud))
+ return FALSE;
+
 if ((len - offset) < expected)
 return FALSE;
From 463b263318bb3956bca8356debf8ddbda93b325b Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov
Date: Tue, 3 Dec 2024 21:43:49 +0200
Subject: [PATCH 02/11] stkutil: Fix CVE-2024-7544
---
 ofono/src/stkutil.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ofono/src/stkutil.c b/ofono/src/stkutil.c
index da5ecd5ec..6a8bf722d 100644
--- a/ofono/src/stkutil.c
+++ b/ofono/src/stkutil.c
@@ -1927,6 +1927,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
 data = comprehension_tlv_iter_get_data(iter);
 mi->len = len;
+
+ if (len > sizeof(mi->id))
+ return false;
+
 memcpy(mi->id, data, len);
 return true;
From 4f51a41cc08eae7e0921247579d0a6eb8b298922 Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov
Date: Tue, 3 Dec 2024 21:43:50 +0200
Subject: [PATCH 03/11] stkutil: Fix CVE-2024-7543
---
 ofono/src/stkutil.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ofono/src/stkutil.c b/ofono/src/stkutil.c
index 6a8bf722d..dd4a94de5 100644
--- a/ofono/src/stkutil.c
+++ b/ofono/src/stkutil.c
@@ -1909,6 +1909,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
 data = comprehension_tlv_iter_get_data(iter);
 mr->len = len;
+
+ if (len > sizeof(mr->ref))
+ return false;
+
 memcpy(mr->ref, data, len);
 return true;
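Review bot: The new `expected < 0` branch assumes sms_udl_in_bytes() signals an unsupported DCS with a negative return, and nothing in the hunk shows that contract; since the rest of decode_deliver, including the copy into out->deliver.ud, lies outside the hunk, a comment above the guard such as `/* sms_udl_in_bytes() is negative for an unsupported DCS; ud is fixed-size */` would record why both halves of the test are needed. The same fixed-buffer bound is spelled three different ways later in this series (`(int)sizeof` here and in decode_status_report, `(int) sizeof` in decode_deliver_report, bare `sizeof` in decode_command); a single static inline helper taking the computed length and the buffer size would keep the four decoders in step and make the negative-length case impossible to forget.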
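Review bot: `mi->len = len;` is stored before the new bound check, so on the early `return false` the object carries a length larger than `mi->id` can hold while `mi->id` itself is untouched; moving the assignment below the check, `if (len > sizeof(mi->id)) return false; mi->len = len;`, keeps the length and the buffer consistent even if a caller looks at the object after a failure. The same order appears in parse_dataobj_mms_reference (`mr->len`), parse_dataobj_frame_layout (`fl->len`) and parse_dataobj_mms_content_id (`mci->len`) in the later patches of this series. The type of `len` is not visible in the hunk; if it is signed, a negative value converts to a large size_t and is rejected by the comparison, which is the safe outcome, but a short comment stating that would help the next reader.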
From 02dded4a84a2198795e768a1596c449f6b6aac2b Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov
Date: Tue, 3 Dec 2024 21:43:51 +0200
Subject: [PATCH 04/11] Fix CVE-2024-7547
---
 ofono/src/smsutil.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ofono/src/smsutil.c b/ofono/src/smsutil.c
index c9837aa8b..21567f0c8 100644
--- a/ofono/src/smsutil.c
+++ b/ofono/src/smsutil.c
@@ -1477,6 +1477,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
 if ((len - offset) < out->command.cdl)
 return FALSE;
+ if (out->command.cdl > sizeof(out->command.cd))
+ return FALSE;
+
 memcpy(out->command.cd, pdu + offset, out->command.cdl);
 return TRUE;
From f65bb725d08697b8c7f589c7b8b813923833c598 Mon Sep 17 00:00:00 2001
From: Ivaylo Dimitrov
Date: Tue, 3 Dec 2024 21:43:52 +0200
Subject: [PATCH 05/11] Fix CVE-2024-7546
---
 ofono/src/stkutil.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ofono/src/stkutil.c b/ofono/src/stkutil.c
index dd4a94de5..c0befb052 100644
--- a/ofono/src/stkutil.c
+++ b/ofono/src/stkutil.c
@@ -1816,6 +1816,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
 fl->layout = data[0];
 fl->len = len - 1;
+
+ if (fl->len > sizeof(fl->size))
+ return false;
+
 memcpy(fl->size, data + 1, fl->len);
 return true;
From 0a2cc76b72fe5b8f47ee9f2894519a81d7842b62 Mon Sep 17 00:00:00 2001
From: "Sicelo A. Mhlongo"
Date: Wed, 4 Dec 2024 12:07:34 +0200
Subject: [PATCH 06/11] stkutil: ensure data fits in buffer
Fixes CVE-2024-7545
---
 ofono/src/stkutil.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ofono/src/stkutil.c b/ofono/src/stkutil.c
index c0befb052..dc8859023 100644
--- a/ofono/src/stkutil.c
+++ b/ofono/src/stkutil.c
@@ -1975,6 +1975,10 @@ static bool parse_dataobj_mms_content_id(
 data = comprehension_tlv_iter_get_data(iter);
 mci->len = len;
+
+ if (len > sizeof(mci->id))
+ return false;
+
 memcpy(mci->id, data, len);
 return true;
From 7649838ec173c04e39d8730a43a395fbe6fa5efd Mon Sep 17 00:00:00 2001
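Review bot: The new check is placed after `(len - offset) < out->command.cdl`, whereas decode_deliver earlier in this series tests the buffer bound before the remaining-length test; either order is safe, but testing the buffer bound first keeps the two decoders uniform and rejects the bad PDU on the cheaper comparison. The type of `out->command.cdl` is not shown here; if it is a single PDU octet and `cd` holds at least 255 bytes the new branch can never fire, in which case a comment such as `/* cdl is an 8-bit PDU field; cd must be able to hold 255 bytes */` (or a compile-time assertion, if the file already uses C11) documents the invariant better than a runtime test. decode_command's start lies outside the hunk, so where `offset` and `cdl` are derived could not be checked here.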
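Review bot: `fl->len = len - 1;` feeds the new bound check, and `data[0]` on the line above is read before any of it, so both depend on an earlier `len >= 1` check that is outside the hunk. If `len` is unsigned and zero, the subtraction wraps to a huge value that the new check does reject, but `data[0]` would already have been read past the object by then, so it is worth confirming that guard exists and stating the precondition next to the read, e.g. `/* len >= 1 checked above: one layout octet followed by size bytes */`.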
From: "Sicelo A. Mhlongo"
Date: Wed, 4 Dec 2024 10:18:51 +0200
Subject: [PATCH 07/11] smsutil: check deliver reports fit in buffer
Fixes CVE-2023-4235
---
 ofono/src/smsutil.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ofono/src/smsutil.c b/ofono/src/smsutil.c
index 21567f0c8..57b9b2422 100644
--- a/ofono/src/smsutil.c
+++ b/ofono/src/smsutil.c
@@ -1239,10 +1239,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
 return FALSE;
 if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
+ if (expected > (int) sizeof(out->deliver_err_report.ud))
+ return FALSE;
+
 out->deliver_err_report.udl = udl;
 memcpy(out->deliver_err_report.ud, pdu + offset, expected);
 } else {
+ if (expected > (int) sizeof(out->deliver_ack_report.ud))
+ return FALSE;
+
 out->deliver_ack_report.udl = udl;
 memcpy(out->deliver_ack_report.ud, pdu + offset, expected);
From 3df702e03b737abc0ede27503b582e726a0bff71 Mon Sep 17 00:00:00 2001
From: "Sicelo A. Mhlongo"
Date: Wed, 4 Dec 2024 10:18:52 +0200
Subject: [PATCH 08/11] smsutil: check status report fits in buffer
Fixes CVE-2023-4232
---
 ofono/src/smsutil.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ofono/src/smsutil.c b/ofono/src/smsutil.c
index 57b9b2422..72874a98b 100644
--- a/ofono/src/smsutil.c
+++ b/ofono/src/smsutil.c
@@ -1090,6 +1090,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
 if ((len - offset) < expected)
 return FALSE;
+ if (expected > (int)sizeof(out->status_report.ud))
+ return FALSE;
+
 memcpy(out->status_report.ud, pdu + offset, expected);
 }
From 822abb5965d8293c8ece5ee1eb8ced016e8f66a8 Mon Sep 17 00:00:00 2001
From: "Sicelo A. Mhlongo"
Date: Tue, 17 Dec 2024 11:31:28 +0200
Subject: [PATCH 09/11] atmodem: sms: ensure buffer is initialized before use
Fixes: CVE-2024-7540
Fixes: CVE-2024-7541
Fixes: CVE-2024-7542
---
 ofono/drivers/atmodem/sms.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
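Review bot: Both new guards compare `expected` only against the upper bound, and the hunk shows no `expected < 0` test of the kind decode_deliver received in the first patch of this series; if sms_udl_in_bytes() can return a negative value here, the preceding remaining-length test passes and `memcpy(..., expected)` converts the negative count to a huge size_t. The same gap applies to the decode_status_report guard in the following patch. Unless `expected` is validated earlier in decode_deliver_report (its start lies outside the hunk), the guard should read `if (expected < 0 || expected > (int) sizeof(out->deliver_err_report.ud))`, and likewise for the ack branch. If the two `ud` arrays have the same size, one check before `if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR)` would replace both; if they differ, a comment saying so would stop a future tidy-up from merging them.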
diff --git a/ofono/drivers/atmodem/sms.c b/ofono/drivers/atmodem/sms.c
index 277d65175..e859a228f 100644
--- a/ofono/drivers/atmodem/sms.c
+++ b/ofono/drivers/atmodem/sms.c
@@ -407,7 +407,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
 struct sms_data *data = ofono_sms_get_data(sms);
 GAtResultIter iter;
 const char *hexpdu;
- unsigned char pdu[176];
+ unsigned char pdu[176] = {0};
 long pdu_len;
 int tpdu_len;
@@ -473,7 +473,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
 struct sms_data *data = ofono_sms_get_data(sms);
 GAtResultIter iter;
 const char *hexpdu;
- unsigned char pdu[176];
+ unsigned char pdu[176] = {0};
 long pdu_len;
 int tpdu_len;
@@ -655,7 +655,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
 struct sms_data *data = ofono_sms_get_data(sms);
 GAtResultIter iter;
 const char *hexpdu;
- unsigned char pdu[176];
+ unsigned char pdu[176] = {0};
 long pdu_len;
 int tpdu_len;
 int index;
From b0720e92ed44b256cb94b57d56bdf440956707db Mon Sep 17 00:00:00 2001
From: "Sicelo A. Mhlongo"
Date: Tue, 17 Dec 2024 11:31:29 +0200
Subject: [PATCH 10/11] ussd: ensure ussd content fits in buffers
Fixes: CVE-2024-7539
---
 ofono/drivers/atmodem/ussd.c | 5 ++++-
 ofono/drivers/huaweimodem/ussd.c | 5 ++++-
 ofono/drivers/speedupmodem/ussd.c | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/ofono/drivers/atmodem/ussd.c b/ofono/drivers/atmodem/ussd.c
index 31c76b7a7..7cf4fbd8a 100644
--- a/ofono/drivers/atmodem/ussd.c
+++ b/ofono/drivers/atmodem/ussd.c
@@ -105,7 +105,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 const char *content;
 int dcs;
 enum sms_charset charset;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
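Review bot: Zero-initialising `pdu[176]` makes a short hex PDU decode deterministically, but it does not stop the decoder from consuming bytes the modem never sent; whatever length is handed to the decoder (`pdu_len` and `tpdu_len` are assigned further down, outside the hunk) is what has to bound every read, so this is a mitigation rather than the fix. A check that the decoded `pdu_len` is consistent with `tpdu_len` before the PDU is passed on would close the underlying issue; how the two relate is not visible here, so that is for the author to confirm. The at_cmgr_notify and at_cmgl_notify hunks in this patch are identical and get the same remark. A short comment, e.g. `/* zeroed so a truncated PDU never exposes stale stack contents */`, would tell the next reader why the initialiser is there.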
@@ -123,6 +123,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 if (!g_at_result_iter_next_number(&iter, &dcs))
 dcs = 0;
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
 ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
 status = 4; /* Not supported */
diff --git a/ofono/drivers/huaweimodem/ussd.c b/ofono/drivers/huaweimodem/ussd.c
index fbed3cd04..4160b7d54 100644
--- a/ofono/drivers/huaweimodem/ussd.c
+++ b/ofono/drivers/huaweimodem/ussd.c
@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 GAtResultIter iter;
 int status, dcs;
 const char *content;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 if (!g_at_result_iter_next_number(&iter, &dcs))
 dcs = 0;
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 out:
diff --git a/ofono/drivers/speedupmodem/ussd.c b/ofono/drivers/speedupmodem/ussd.c
index 57b91d761..99af19aa9 100644
--- a/ofono/drivers/speedupmodem/ussd.c
+++ b/ofono/drivers/speedupmodem/ussd.c
@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 GAtResultIter iter;
 int status, dcs;
 const char *content;
- unsigned char msg[160];
+ unsigned char msg[160] = {0};
 const unsigned char *msg_ptr = NULL;
 long msg_len;
@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
 if (!g_at_result_iter_next_number(&iter, &dcs))
 dcs = 0;
+ if (strlen(content) > sizeof(msg) * 2)
+ goto out;
+
 msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
 out:
From 11c71d6eadd18db10ce3feacf23a6bdcb7b95ea0 Mon Sep 17 00:00:00 2001
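Review bot: The new over-length branch jumps to `out` silently, whereas the neighbouring unsupported-DCS path logs with ofono_error() and sets `status = 4`; an oversized CUSD payload from the network is exactly the event an operator would want in the log, so add `ofono_error("USSD content too long (%zu)", strlen(content));` before the `goto out` and make explicit which status the `out:` path (outside the hunk) reports for it. The bound `strlen(content) > sizeof(msg) * 2` rejects only over-long input; an odd-length hex string still reaches decode_hex_own_buf(content, -1, ...), whose handling of that case is not visible here, and `content` is passed to strlen() without a NULL check in view, so both depend on how `content` is obtained above the hunk. The huaweimodem and speedupmodem cusd_parse hunks in this patch have the same silent `goto out` and get the same remark.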
From: =?UTF-8?q?C=C3=A9dric=20Bellegarde?=
Date: Sat, 25 Jan 2025 21:49:41 +0100
Subject: [PATCH 11/11] [packaging] Disable built-in upower plugin
We modify Makefile.am as configure option does not work.
---
 debian/rules | 1 +
 ofono/Makefile.am | 4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/debian/rules b/debian/rules
index ae7e38992..378ab5c5e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,7 @@ CONFIGURE_FLAGS := \
 --disable-add-remove-context \
 --disable-isimodem \
 --disable-qmimodem \
+ --disable-upower \
 --with-systemdunitdir=/usr/lib/systemd/system
 %:
diff --git a/ofono/Makefile.am b/ofono/Makefile.am
index d067817db..d2c861492 100644
--- a/ofono/Makefile.am
+++ b/ofono/Makefile.am
@@ -583,10 +583,6 @@ builtin_sources += plugins/sailfish_bt.c
 endif
 endif
-if UPOWER
-builtin_modules += upower
-builtin_sources += plugins/upower.c
-endif
 endif
 if NETTIME
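Review bot: Deleting the whole `if UPOWER` conditional removes the upower plugin from every build, so the `--disable-upower` flag added to debian/rules in the same patch no longer changes anything, and the UPOWER automake conditional (defined on the configure side, outside this diff) becomes unused. If the intent is a packaging-only opt-out, the conditional should stay and the configure-side problem the commit message mentions be fixed instead; if the plugin is really being dropped for good, the debian/rules flag is dead and should go with it. Either way a one-line comment where the block used to be, e.g. `# upower plugin intentionally not built; see debian/rules`, would explain the absence to the next reader.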