From d7e702dd5529860e3d97a84e387bad95573f5894 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LI=20G=C3=A1bor=20J=C3=A1nos?= Date: Sat, 16 Mar 2024 13:33:00 +0100 Subject: Update to Linux 6.6 & 6.8, and Alpine 3.19 - Update dhcpcd to 10.0.5 - Update iptables to 1.8.10 - Update linux-lts to 6.6.22 - Update linux-edge to 6.8.1 - Update openrc 0.52.1 - Update mDNSResponder to 2200.80.16 - Update rtl8821ce to snapshot of 20240120 - Update rtw88 to snapshot of 20231024 - Resolve driver conflict between rtw88 and rtl8821ce - Update rtw89 to snapshot of 20240310 - Update socat to 1.8.0.0 - Import security fixes for wpa_supplicant --- ...cp-Avoid-leaking-uninitialized-stale-data.patch | 75 ++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 aports/busybox/0034-udhcp-Avoid-leaking-uninitialized-stale-data.patch (limited to 'aports/busybox/0034-udhcp-Avoid-leaking-uninitialized-stale-data.patch') diff --git a/aports/busybox/0034-udhcp-Avoid-leaking-uninitialized-stale-data.patch b/aports/busybox/0034-udhcp-Avoid-leaking-uninitialized-stale-data.patch new file mode 100644 index 0000000..d61c5fb --- /dev/null +++ b/aports/busybox/0034-udhcp-Avoid-leaking-uninitialized-stale-data.patch @@ -0,0 +1,75 @@ +From e265c8d4c039729f2a68f3b1fb589c13c38d86f8 Mon Sep 17 00:00:00 2001 +From: Russ Dill +Date: Mon, 2 Oct 2023 12:34:50 -0700 +Subject: [PATCH] udhcp: Avoid leaking uninitialized/stale data + +I noticed a commit in connman: + +"gdhcp: Avoid leaking stack data via unitiialized variable" [1] + +Since gdhcp is just BusyBox udhcp with the serial numbers filed off, I +checked if BusyBox udhcp has a related issue. + +The issue is that the get_option logic assumes any data within the +memory area of the buffer is "valid". This reduces the complexity of the +function at the cost of reading past the end of the actually received +data in the case of specially crafted packets. This is not a problem +for the udhcp_recv_kernel_packet data path as the entire memory +area is zeroed. However, d4/d6_recv_raw_packet does not zero the +memory. + +Note that a related commit [2] is not required as we are zeroing +any data that can be read by the get_option function. + +[1] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 +[2] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa + +function old new delta +d4_recv_raw_packet 484 497 +13 +d6_recv_raw_packet 216 228 +12 +.rodata 105390 105381 -9 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/1 up/down: 25/-9) Total: 16 bytes + +Signed-off-by: Russ Dill +Cc: Colin Wee +Cc: Denys Vlasenko +Signed-off-by: Denys Vlasenko +--- + networking/udhcp/d6_dhcpc.c | 1 + + networking/udhcp/dhcpc.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index cdd06188e..a72fd31bd 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -961,6 +961,7 @@ static NOINLINE int d6_recv_raw_packet(struct in6_addr *peer_ipv6, struct d6_pac + d6_dump_packet(&packet.data); + + bytes -= sizeof(packet.ip6) + sizeof(packet.udp); ++ memset(d6_pkt, 0, sizeof(*d6_pkt)); + memcpy(d6_pkt, &packet.data, bytes); + return bytes; + } +diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c +index 200a2fb8a..07e2eadfe 100644 +--- a/networking/udhcp/dhcpc.c ++++ b/networking/udhcp/dhcpc.c +@@ -966,7 +966,7 @@ static NOINLINE int d4_recv_raw_packet(struct dhcp_packet *dhcp_pkt, int fd) + check = packet.udp.check; + packet.udp.check = 0; + if (check && check != inet_cksum(&packet, bytes)) { +- log1s("packet with bad UDP checksum received, ignoring"); ++ log1s("packet with bad UDP checksum, ignoring"); + return -2; + } + skip_udp_sum_check: +@@ -981,6 +981,7 @@ static NOINLINE int d4_recv_raw_packet(struct dhcp_packet *dhcp_pkt, int fd) + udhcp_dump_packet(&packet.data); + + bytes -= sizeof(packet.ip) + sizeof(packet.udp); ++ memset(dhcp_pkt, 0, sizeof(*dhcp_pkt)); + memcpy(dhcp_pkt, &packet.data, bytes); + return bytes; + } -- cgit v1.2.3