Bugzilla – Bug 1194177
VUL-0: CVE-2022-23098: connman: dnsproxy TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data
Last modified: 2022-03-29 12:21:03 UTC
+++ This bug was initially created as a clone of Bug #1193801

This is to track finding 3) from the parent bug:

3) TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data
=================================================================================

In the TCP server reply case, if the server simply does not send back any data at all but keeps the socket connection open, then Connman enters a 100 % CPU loop. This is probably related to the event watch configuration in `dnsproxy.c:2523`, where also `G_IO_OUT` is set, meaning that the event loop will wake up when data can be written to the TCP connection, which is true all the time.

Although there is a 30 second timeout configured (`tcp_idle_timeout()`), the 100 % CPU loop does not seem to stop after that time. I did not further investigate the reasons for this.

To fix this the watch condition could be altered after the logic in `dnsproxy.c:2318` has run once (i.e. after the server is connected). Removing the `G_IO_OUT` bit after this should then prevent the 100 % CPU loop.
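The mechanism described in the report above, as an added example that is not part of the bug report or of ConnMan's code: on Unix, GLib's `G_IO_OUT` corresponds to `poll()`'s `POLLOUT`, which is ready almost permanently on a connected socket with an empty send buffer. The socketpair is a constructed stand-in for a DNS server that keeps the connection open but sends nothing, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Monotonic clock in milliseconds. */
static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Poll fd for window_ms with the given event mask and count wakeups. The
 * handler is modelled as idle: nothing to read or write, so back to poll(). */
static long count_wakeups(int fd, short events, int window_ms, long cap)
{
    long wakeups = 0, deadline = now_ms() + window_ms;
    while (wakeups < cap) {
        long remaining = deadline - now_ms();
        struct pollfd pfd = { .fd = fd, .events = events };
        if (remaining <= 0 || poll(&pfd, 1, (int)remaining) <= 0)
            break;              /* window over, poll timed out, or error */
        wakeups++;
    }
    return wakeups;
}

/* Constructed test peer: the other end of the socketpair stays open and
 * silent for the whole 200 ms window. Returns wakeups seen, or -1 on error. */
long wakeups_with_silent_peer(short events)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    long n = count_wakeups(sv[0], events, 200, 100000);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("POLLIN|POLLOUT: %ld wakeups\n", wakeups_with_silent_peer(POLLIN | POLLOUT));
    printf("POLLIN only:    %ld wakeups\n", wakeups_with_silent_peer(POLLIN));
    return 0;
}
```

With write-readiness in the mask the loop never sleeps; with only `POLLIN` it blocks until the timeout, which is the effect the report expects from dropping `G_IO_OUT` once the connection is established.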
Mitre assigned CVE-2022-23098 for this issue.
The issue is public now via Connman's mailing list and oss-sec. Please also provide fixes for the SUSE packages.
https://build.opensuse.org/request/show/948995
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/950446 Factory / connman
Hi Daniel, please also submit for:
- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/953781 Backports:SLE-15-SP3 / connman
https://build.opensuse.org/request/show/953783 Backports:SLE-15-SP4 / connman
openSUSE-SU-2022:0056-1: An update that solves 17 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176447,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176774,1176940,1176956,1177440,1178134,1178270,1179211,1179424,1179426,1179427,1179599,1181148,1181507,1181710,1182404,1183534,1183540,1183897,1184318,1185726,1185902,1186332,1187541,1189126,1189158,1191793,1191876,1192267,1192320,1192507,1192511,1192569,1192606,1192691,1192845,1192847,1192874,1192877,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193139,1193169,1193306,1193318,1193349,1193440,1193442,1193655,1193993,1194087,1194094,1194175,1194176,1194177,1194266
CVE References: CVE-2020-24504,CVE-2020-27820,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4001,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486,CVE-2022-23096,CVE-2022-23097,CVE-2022-23098
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): kernel-azure-5.3.18-38.34.1, kernel-source-azure-5.3.18-38.34.1, kernel-syms-azure-5.3.18-38.34.1
openSUSE Backports SLE-15-SP3 (src): connman-1.41-bp153.2.3.1
done