Bug 1194177 - (CVE-2022-23098) VUL-0: CVE-2022-23098: connman: dnsproxy TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Assigned To: Security Team bot
https://smash.suse.de/issue/319294
CVSSv3.1:SUSE:CVE-2022-23098:7.5:(AV:...
Blocks: 1193801
Reported: 2021-12-30 11:45 UTC by Matthias Gerstner
Modified: 2022-03-29 12:21 UTC

Description Matthias Gerstner 2021-12-30 11:45:55 UTC
+++ This bug was initially created as a clone of Bug #1193801

This is to track finding 3) from the parent bug:

3) TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data
=================================================================================

In the TCP server reply case, if the server simply does not send back any data
at all but keeps the socket connection open, then Connman enters a 100 % CPU
loop. This is probably related to the event watch configuration in
`dnsproxy.c:2523`, where also `G_IO_OUT` is set, meaning that the event loop
will wake up when data can be written to the TCP connection, which is true all
the time.

Although there is a 30 second timeout configured (`tcp_idle_timeout()`), the
100 % CPU loop does not seem to stop after that time. I did not further
investigate the reasons for this.

To fix this the watch condition could be altered after the logic in
`dnsproxy.c:2318` has run once (i.e. after the server is connected). Removing
the `G_IO_OUT` bit after this should then prevent the 100 % CPU loop.
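
The wake-up behaviour described in the report above, reproduced as an added example that is not part of the original report or of Connman's code. It assumes plain `poll()` and a `socketpair()` in place of GLib's I/O watch and the TCP connection to the DNS server, with `POLLOUT` playing the role of `G_IO_OUT`; the function name `silent_peer_wakeups` is hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Watch a connected stream socket whose peer never sends data and return
 * how many of `rounds` poll() calls woke up with an event instead of
 * sleeping for the full timeout (-1 on error).
 *
 * watch_out:     include POLLOUT in the watch (the G_IO_OUT analogue)
 * drop_out_once: clear POLLOUT after the first writable event, i.e. once
 *                the connection is known to be established (suggested fix)
 */
int silent_peer_wakeups(int watch_out, int drop_out_once, int rounds)
{
	int sv[2], wakeups = 0;

	/* Constructed stand-in for the TCP connection to the DNS server. */
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;

	struct pollfd pfd = { .fd = sv[0], .events = POLLIN };
	if (watch_out)
		pfd.events |= POLLOUT;

	for (int i = 0; i < rounds; i++) {
		int n = poll(&pfd, 1, 20 /* ms */);
		if (n < 0) { wakeups = -1; break; }
		if (n == 0)
			continue; /* timed out: the loop slept, no CPU burned */
		wakeups++;
		/* Writable only means "send buffer has room", which stays true. */
		if ((pfd.revents & POLLOUT) && drop_out_once)
			pfd.events &= ~POLLOUT;
	}
	close(sv[0]);
	close(sv[1]);
	return wakeups;
}

int main(void)
{
	printf("IN|OUT watch:          %d/5 wakeups\n", silent_peer_wakeups(1, 0, 5));
	printf("OUT dropped on connect: %d/5 wakeups\n", silent_peer_wakeups(1, 1, 5));
	printf("IN only:               %d/5 wakeups\n", silent_peer_wakeups(0, 0, 5));
	return 0;
}
```

With the writable condition left in the watch, every round returns immediately although the peer sent nothing; dropping it after the first writable event leaves a single wake-up and the loop sleeps from then on.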
Comment 1 Matthias Gerstner 2022-01-11 09:02:12 UTC
Mitre assigned CVE-2022-23098 for this issue.
Comment 2 Matthias Gerstner 2022-01-25 09:33:24 UTC
The issue is public now via Connman's mailing list and oss-sec. Please also
provide fixes for the SUSE packages.
Comment 3 Daniel Wagner 2022-01-25 10:51:06 UTC
https://build.opensuse.org/request/show/948995
Comment 4 OBSbugzilla Bot 2022-02-01 14:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/950446 Factory / connman
Comment 5 Gabriele Sonnu 2022-02-11 10:35:36 UTC
Hi Daniel, please also submit for:

- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4
Comment 6 OBSbugzilla Bot 2022-02-11 16:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/953781 Backports:SLE-15-SP3 / connman
https://build.opensuse.org/request/show/953783 Backports:SLE-15-SP4 / connman
Comment 7 Swamp Workflow Management 2022-03-01 20:32:15 UTC
openSUSE-SU-2022:0056-1: An update that solves 17 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176447,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176774,1176940,1176956,1177440,1178134,1178270,1179211,1179424,1179426,1179427,1179599,1181148,1181507,1181710,1182404,1183534,1183540,1183897,1184318,1185726,1185902,1186332,1187541,1189126,1189158,1191793,1191876,1192267,1192320,1192507,1192511,1192569,1192606,1192691,1192845,1192847,1192874,1192877,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193139,1193169,1193306,1193318,1193349,1193440,1193442,1193655,1193993,1194087,1194094,1194175,1194176,1194177,1194266
CVE References: CVE-2020-24504,CVE-2020-27820,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4001,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486,CVE-2022-23096,CVE-2022-23097,CVE-2022-23098
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.34.1, kernel-source-azure-5.3.18-38.34.1, kernel-syms-azure-5.3.18-38.34.1
openSUSE Backports SLE-15-SP3 (src):    connman-1.41-bp153.2.3.1
Comment 8 Gianluca Gabrielli 2022-03-29 12:21:03 UTC
done