CVE-2022-32293: [PATCH 3/6] wispr: Add reference counter to portal context

In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.


From: Daniel Wagner [email protected] To: [email protected] Cc: Daniel Wagner [email protected] Subject: [PATCH 3/6] wispr: Add reference counter to portal context Date: Mon, 1 Aug 2022 10:00:40 +0200 [thread overview] Message-ID: [email protected] (raw) In-Reply-To: <[email protected]>

Track the connman_wispr_portal_context lifetime via a refcounter. This only adds the infrastructure to do proper reference counting.

Fixes: CVE-2022-32293

src/wispr.c | 52 +++++++++++++++++++++++++++++++++++++++++±--------- 1 file changed, 42 insertions(+), 10 deletions(-)

diff --git a/src/wispr.c b/src/wispr.c index a07896cabe48…bde7e63ba4b2 100644 — a/src/wispr.c +++ b/src/wispr.c @@ -56,6 +56,7 @@ struct wispr_route { };

struct connman_wispr_portal_context {

  • int refcount; struct connman_service *service; enum connman_ipconfig_type type; struct connman_wispr_portal *wispr_portal; @@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; static char *online_check_ipv6_url = NULL; static bool enable_online_to_ready_transition = false;

+#define wispr_portal_context_ref(wp_context) \

  • wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) +#define wispr_portal_context_unref(wp_context) \
  • wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)

static void connman_wispr_message_init(struct connman_wispr_message *msg) { DBG(“”); @@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( { DBG("context %p", wp_context);

- if (!wp_context)

  •   return;
    
  • if (wp_context->wispr_portal) { if (wp_context->wispr_portal->ipv4_context == wp_context) wp_context->wispr_portal->ipv4_context = NULL; @@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( g_free(wp_context); }

+static struct connman_wispr_portal_context * +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,

  •       const char \*file, int line, const char \*caller)
    

+{

  • DBG("%p ref %d by %s:%d:%s()", wp_context,
  •   wp\_context->refcount + 1, file, line, caller);
    
  • __sync_fetch_and_add(&wp_context->refcount, 1);
  • return wp_context; +}

+static void wispr_portal_context_unref_debug(

  •   struct connman\_wispr\_portal\_context \*wp\_context,
    
  •   const char \*file, int line, const char \*caller)
    

+{

  • if (!wp_context)
  •   return;
    
  • DBG("%p ref %d by %s:%d:%s()", wp_context,
  •   wp\_context->refcount - 1, file, line, caller);
    
  • if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
  •   return;
    
  • free_connman_wispr_portal_context(wp_context); +}

static struct connman_wispr_portal_context *create_wispr_portal_context(void) { - return g_try_new0(struct connman_wispr_portal_context, 1);

  • return wispr_portal_context_ref(
  •   g\_new0(struct connman\_wispr\_portal\_context, 1));
    

}

static void free_connman_wispr_portal(gpointer data) @@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) if (!wispr_portal) return;

- free_connman_wispr_portal_context(wispr_portal->ipv4_context);

  • free_connman_wispr_portal_context(wispr_portal->ipv6_context);
  • wispr_portal_context_unref(wispr_portal->ipv4_context);

  • wispr_portal_context_unref(wispr_portal->ipv6_context);

    g_free(wispr_portal); } @@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, connman_info("Client-Timezone: %s", str);

    if (!enable_online_to_ready_transition) - free_connman_wispr_portal_context(wp_context);

  •   wispr\_portal\_context\_unref(wp\_context);
    

    __connman_service_ipconfig_indicate_state(service, CONNMAN_SERVICE_STATE_ONLINE, type); @@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, return; }

- free_connman_wispr_portal_context(wp_context);

  •   wispr\_portal\_context\_unref(wp\_context);
      return;
    
    }

@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)

    if (wp\_context->token == 0) {
        err = -EINVAL;

- free_connman_wispr_portal_context(wp_context);

  •       wispr\_portal\_context\_unref(wp\_context);
      }
    

    } else if (wp_context->timeout == 0) { wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); @@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,

    /* If there is already an existing context, we wipe it */ if (wp_context) - free_connman_wispr_portal_context(wp_context);

  •   wispr\_portal\_context\_unref(wp\_context);
    

    wp_context = create_wispr_portal_context(); if (!wp_context) – 2.37.1
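Review bot: The switch from g_try_new0 to g_new0 in create_wispr_portal_context makes the `if (!wp_context)` check at the end of the __connman_wispr_start hunk unreachable, because g_new0 aborts the process on allocation failure instead of returning NULL. If the intent is to keep the fail-soft contract that the callers already check, keep the try-variant and take the first reference only on success: `struct connman_wispr_portal_context *wp_context = g_try_new0(struct connman_wispr_portal_context, 1);` `if (!wp_context) return NULL;` `return wispr_portal_context_ref(wp_context);`. Separately, wispr_portal_context_ref_debug dereferences wp_context in its DBG call before any NULL check, whereas wispr_portal_context_unref_debug guards NULL first, so a comment such as `/* wp_context must be non-NULL; unref tolerates NULL, ref does not */` at the top of ref_debug would make that asymmetry deliberate rather than accidental. With the `if (!wp_context) return;` guard removed from free_connman_wispr_portal_context, any direct caller that remains outside these hunks would now have to guarantee a non-NULL context; every caller visible here was converted to unref, which retains the guard. __connman_wispr_start continues past the end of the hunk.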

