From: Yogita Urade <yogita.ur...@windriver.com> CVE-2022-39836: An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a heap-based buffer over-read of one byte.
CVE-2022-39837: An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted DLT file that crashes the process can be created. This is due to missing validation checks. There is a NULL pointer dereference. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-39836 https://nvd.nist.gov/vuln/detail/CVE-2022-39837 Upstream patch: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 Signed-off-by: Yogita Urade <yogita.ur...@windriver.com>
---
.../CVE-2022-39836-CVE-2022-39837.patch | 251 ++++++++++++++++++
.../dlt-daemon/dlt-daemon_2.18.8.bb | 1 +
2 files changed, 252 insertions(+)
create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/CVE-2022-39836-CVE-2022-39837.patch
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/CVE-2022-39836-CVE-2022-39837.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/CVE-2022-39836-CVE-2022-39837.patch
new file mode 100644
index 0000000000..49fb9db3e2
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/CVE-2022-39836-CVE-2022-39837.patch
@@ -0,0 +1,251 @@ +From 855e0017a980d2990c16f7dbf3b4983b48fac272 Mon Sep 17 00:00:00 2001 +From: Bui Nguyen Quoc Thanh <49302843+thanh...@users.noreply.github.com> +Date: Thu, 7 Jul 2022 11:00:34 +0700 +Subject: [PATCH] Fix handle returned value (#384) + +* common: Handle returned value + +- The returned value of supporting APIs should be checked correctly. +- In case of extended header, the buffer of header must be checked +before proceeding further. + +Signed-off-by: Bui Nguyen Quoc Thanh <thanh.buinguyenq...@vn.bosch.com> + +* console: Handle returned value + +In case of parsing dlt file, the failed messages +should be skipped by evaluating returned value + +Signed-off-by: Bui Nguyen Quoc Thanh <thanh.buinguyenq...@vn.bosch.com> + +CVE: CVE-2022-39836 and CVE-2022-39837 +Upstream-Status: Backport [https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272] + +Signed-off-by: Yogita Urade <yogita.ur...@windriver.com> +--- + src/console/dlt-convert.c | 18 ++++++---- + src/console/dlt-sortbytimestamp.c | 6 ++-- + src/shared/dlt_common.c | 60 ++++++++++++++++++++++--------- + 3 files changed, 59 insertions(+), 25 deletions(-) + +diff --git a/src/console/dlt-convert.c b/src/console/dlt-convert.c +index b82c104..30ea09a 100644 +--- a/src/console/dlt-convert.c ++++ b/src/console/dlt-convert.c +@@ -432,31 +432,37 @@ int main(int argc, char *argv[]) + } + + for (num = begin; num <= end; num++) { +- dlt_file_message(&file, num, vflag); ++ if (dlt_file_message(&file, num, vflag) < DLT_RETURN_OK) ++ continue; + + if (xflag) { + printf("%d ", num); +- dlt_message_print_hex(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag); ++ if (dlt_message_print_hex(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK) ++ continue; + } + else if (aflag) { + printf("%d ", num); + +- dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag); ++ if (dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK) ++ 
continue; + + printf("%s ", text); + +- dlt_message_payload(&file.msg, text, DLT_CONVERT_TEXTBUFSIZE, DLT_OUTPUT_ASCII, vflag); ++ if (dlt_message_payload(&file.msg, text, DLT_CONVERT_TEXTBUFSIZE, DLT_OUTPUT_ASCII, vflag) < DLT_RETURN_OK) ++ continue; + + printf("[%s]\n", text); + } + else if (mflag) { + printf("%d ", num); +- dlt_message_print_mixed_plain(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag); ++ if (dlt_message_print_mixed_plain(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK) ++ continue; + } + else if (sflag) { + printf("%d ", num); + +- dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag); ++ if (dlt_message_header(&(file.msg), text, DLT_CONVERT_TEXTBUFSIZE, vflag) < DLT_RETURN_OK) ++ continue; + + printf("%s \n", text); + } +diff --git a/src/console/dlt-sortbytimestamp.c b/src/console/dlt-sortbytimestamp.c +index 3e418e1..82fd5d0 100644 +--- a/src/console/dlt-sortbytimestamp.c ++++ b/src/console/dlt-sortbytimestamp.c +@@ -160,7 +160,8 @@ void write_messages(int ohandle, DltFile *file, + if ((0 == i % 1001) || (i == message_count - 1)) + verbose(2, "Writing message %d\r", i); + +- dlt_file_message(file, timestamps[i].num, 0); ++ if (dlt_file_message(file, timestamps[i].num, 0) < DLT_RETURN_OK) ++ continue; + iov[0].iov_base = file->msg.headerbuffer; + iov[0].iov_len = file->msg.headersize; + iov[1].iov_base = file->msg.databuffer; +@@ -402,7 +403,8 @@ int main(int argc, char *argv[]) { + verbose(1, "Filling %d entries\n", message_count); + + for (num = begin; num <= end; num++) { +- dlt_file_message(&file, num, vflag); ++ if (dlt_file_message(&file, num, vflag) < DLT_RETURN_OK) ++ continue; + timestamp_index[num - begin].num = num; + timestamp_index[num - begin].systmsp = file.msg.storageheader->seconds; + timestamp_index[num - begin].tmsp = file.msg.headerextra.tmsp; +diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c +index 427044b..4303c50 100644 +--- a/src/shared/dlt_common.c ++++ 
b/src/shared/dlt_common.c +@@ -202,7 +202,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr, + /* Hex-Output */ + /* It is not required to decrement textlength, as it was already checked, that + * there is enough space for the complete output */ +- dlt_print_hex_string(text, textlength, (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)), DLT_COMMON_HEX_CHARS); ++ if (dlt_print_hex_string(text, textlength, ++ (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)), ++ DLT_COMMON_HEX_CHARS) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + text += ((2 * DLT_COMMON_HEX_CHARS) + (DLT_COMMON_HEX_CHARS - 1)); /* 32 characters + 15 spaces */ + + snprintf(text, 2, " "); +@@ -211,8 +214,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr, + /* Char-Output */ + /* It is not required to decrement textlength, as it was already checked, that + * there is enough space for the complete output */ +- dlt_print_char_string(&text, textlength, (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)), +- DLT_COMMON_HEX_CHARS); ++ if (dlt_print_char_string(&text, textlength, ++ (uint8_t *)(ptr + (lines * DLT_COMMON_HEX_CHARS)), ++ DLT_COMMON_HEX_CHARS) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + + if (html == 0) { + snprintf(text, 2, "\n"); +@@ -240,10 +245,11 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr, + /* Hex-Output */ + /* It is not required to decrement textlength, as it was already checked, that + * there is enough space for the complete output */ +- dlt_print_hex_string(text, ++ if (dlt_print_hex_string(text, + textlength, + (uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)), +- rest); ++ rest) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + text += 2 * rest + (rest - 1); + + for (i = 0; i < (DLT_COMMON_HEX_CHARS - rest); i++) { +@@ -257,8 +263,10 @@ DltReturnValue dlt_print_mixed_string(char *text, int textlength, uint8_t *ptr, + /* Char-Output */ + /* It is not 
required to decrement textlength, as it was already checked, that + * there is enough space for the complete output */ +- dlt_print_char_string(&text, textlength, +- (uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)), rest); ++ if (dlt_print_char_string(&text, textlength, ++ (uint8_t *)(ptr + ((size / DLT_COMMON_HEX_CHARS) * DLT_COMMON_HEX_CHARS)), ++ rest) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + } + + return DLT_RETURN_OK; +@@ -672,6 +680,9 @@ DltReturnValue dlt_message_header_flags(DltMessage *msg, char *text, size_t text + if ((msg == NULL) || (text == NULL) || (textlength <= 0)) + return DLT_RETURN_WRONG_PARAMETER; + ++ if ((DLT_IS_HTYP_UEH(msg->standardheader->htyp)) && (msg->extendedheader == NULL)) ++ return DLT_RETURN_WRONG_PARAMETER; ++ + if ((flags < DLT_HEADER_SHOW_NONE) || (flags > DLT_HEADER_SHOW_ALL)) + return DLT_RETURN_WRONG_PARAMETER; + +@@ -3239,7 +3250,8 @@ DltReturnValue dlt_message_print_header(DltMessage *message, char *text, uint32_ + if ((message == NULL) || (text == NULL)) + return DLT_RETURN_WRONG_PARAMETER; + +- dlt_message_header(message, text, size, verbose); ++ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("%s\n", text); + + return DLT_RETURN_OK; +@@ -3250,9 +3262,12 @@ DltReturnValue dlt_message_print_hex(DltMessage *message, char *text, uint32_t s + if ((message == NULL) || (text == NULL)) + return DLT_RETURN_WRONG_PARAMETER; + +- dlt_message_header(message, text, size, verbose); ++ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("%s ", text); +- dlt_message_payload(message, text, size, DLT_OUTPUT_HEX, verbose); ++ ++ if (dlt_message_payload(message, text, size, DLT_OUTPUT_HEX, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("[%s]\n", text); + + return DLT_RETURN_OK; +@@ -3263,9 +3278,12 @@ DltReturnValue dlt_message_print_ascii(DltMessage 
*message, char *text, uint32_t + if ((message == NULL) || (text == NULL)) + return DLT_RETURN_WRONG_PARAMETER; + +- dlt_message_header(message, text, size, verbose); ++ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("%s ", text); +- dlt_message_payload(message, text, size, DLT_OUTPUT_ASCII, verbose); ++ ++ if (dlt_message_payload(message, text, size, DLT_OUTPUT_ASCII, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("[%s]\n", text); + + return DLT_RETURN_OK; +@@ -3276,9 +3294,12 @@ DltReturnValue dlt_message_print_mixed_plain(DltMessage *message, char *text, ui + if ((message == NULL) || (text == NULL)) + return DLT_RETURN_WRONG_PARAMETER; + +- dlt_message_header(message, text, size, verbose); ++ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("%s \n", text); +- dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_PLAIN, verbose); ++ ++ if (dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_PLAIN, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("[%s]\n", text); + + return DLT_RETURN_OK; +@@ -3289,9 +3310,13 @@ DltReturnValue dlt_message_print_mixed_html(DltMessage *message, char *text, uin + if ((message == NULL) || (text == NULL)) + return DLT_RETURN_WRONG_PARAMETER; + +- dlt_message_header(message, text, size, verbose); ++ if (dlt_message_header(message, text, size, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + dlt_user_printf("%s \n", text); +- dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_HTML, verbose); ++ ++ if (dlt_message_payload(message, text, size, DLT_OUTPUT_MIXED_FOR_HTML, verbose) < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; ++ + dlt_user_printf("[%s]\n", text); + + return DLT_RETURN_OK; +@@ -3901,7 +3926,8 @@ DltReturnValue dlt_message_argument_print(DltMessage *msg, + if ((*datalength) < length) + return DLT_RETURN_ERROR; + 
+- dlt_print_hex_string_delim(value_text, (int) textlength, *ptr, length, '\''); ++ if (dlt_print_hex_string_delim(value_text, (int) textlength, *ptr, length, '\'') < DLT_RETURN_OK) ++ return DLT_RETURN_ERROR; + *ptr += length; + *datalength -= length; + } +-- +2.40.0 diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb index b98cfadf3e..8ef056651b 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \ file://0004-Modify-systemd-config-directory.patch \ file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \ file://0001-Fix-memory-leak.patch \ + file://CVE-2022-39836-CVE-2022-39837.patch \ " SRCREV = "6a3bd901d825c7206797e36ea98e10a218f5aad2" -- 2.40.0
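Review bot: In dlt-sortbytimestamp.c main(), the added `continue` in the fill loop skips the `timestamp_index[num - begin]` assignments for a message that fails to parse, but nothing visible shrinks `message_count`, so that slot stays unwritten and still counts as an entry. The array's allocation and the sort are outside the hunk, so whether the slot is zeroed cannot be confirmed here; if it is not, write_messages() later passes an indeterminate `timestamps[i].num` to dlt_file_message(). I would fill through a separate counter that advances only on success (`timestamp_index[filled].num = num;` … `filled++;`) and hand `filled` on as the count. Separately, the new guard in dlt_message_header_flags() reads `msg->standardheader->htyp` without any visible check of `msg->standardheader`; if callers can reach it with an unparsed message, prefix the condition with `(msg->standardheader == NULL) ||`.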