Bug 1194177 - (CVE-2022-23098) VUL-0: CVE-2022-23098: connman: dnsproxy TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data
Blocks: 1193801
Reported: 2021-12-30 11:45 UTC by Matthias Gerstner
Modified: 2022-03-29 12:21 UTC
Description Matthias Gerstner 2021-12-30 11:45:55 UTC
+++ This bug was initially created as a clone of Bug #1193801

This is to track finding 3) from the parent bug:

3) TCP Receive Path Triggers 100 % CPU loop if DNS server does not Send Back Data

In the TCP server reply case, if the server simply does not send back any data
at all but keeps the socket connection open, then Connman enters a 100 % CPU
loop. This is probably related to the event watch configuration in
`dnsproxy.c:2523`, where also `G_IO_OUT` is set, meaning that the event loop
will wake up when data can be written to the TCP connection, which is true all
the time.

Although there is a 30 second timeout configured (`tcp_idle_timeout()`), the
100 % CPU loop does not seem to stop after that time. I did not further
investigate the reasons for this.

To fix this the watch condition could be altered after the logic in
`dnsproxy.c:2318` has run once (i.e. after the server is connected). Removing
the `G_IO_OUT` bit after this should then prevent the 100 % CPU loop.
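
The effect described in the report above, reduced to plain poll(2) as an added example (not connman code and not part of the original report): a socketpair stands in for the TCP connection to a server that never replies, and `POLLOUT` stands in for `G_IO_OUT`. The helper `count_wakeups` and its parameters are hypothetical names chosen for this illustration.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Count how many of `rounds` poll() calls return with an event instead of
 * timing out, on a connected stream socket whose peer never sends anything.
 * `events` plays the role of the watch condition (POLLOUT ~ G_IO_OUT).
 * Returns -1 on failure.
 */
int count_wakeups(short events, int rounds, int timeout_ms)
{
    int sv[2];
    int wakeups = 0;

    /* Constructed stand-in for the connection to a silent DNS server. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    struct pollfd pfd = { .fd = sv[0], .events = events };

    for (int i = 0; i < rounds; i++) {
        pfd.revents = 0;
        int n = poll(&pfd, 1, timeout_ms);
        if (n < 0) {
            wakeups = -1;
            break;
        }
        if (n > 0)
            wakeups++; /* a handler would run here and find nothing to read */
    }

    close(sv[0]);
    close(sv[1]);
    return wakeups;
}

int main(void)
{
    /* Watch still includes the "writable" bit after connecting: spins. */
    printf("POLLIN|POLLOUT: %d of 1000 polls woke up\n",
           count_wakeups(POLLIN | POLLOUT, 1000, 20));
    /* "Writable" bit dropped once connected: sleeps until data or timeout. */
    printf("POLLIN only:    %d of 3 polls woke up\n",
           count_wakeups(POLLIN, 3, 20));
    return 0;
}
```

With the writable bit left in the watch, every poll returns immediately because an idle connected socket is always writable; with only the readable bit, each poll sleeps for the full timeout.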
Comment 1 Matthias Gerstner 2022-01-11 09:02:12 UTC
Mitre assigned CVE-2022-23098 for this issue.
Comment 2 Matthias Gerstner 2022-01-25 09:33:24 UTC
The issue is public now via Connman's mailing list and oss-sec. Please also
provide fixes for the SUSE packages.
Comment 3 Daniel Wagner 2022-01-25 10:51:06 UTC
Comment 4 OBSbugzilla Bot 2022-02-01 14:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/950446 Factory / connman
Comment 5 Gabriele Sonnu 2022-02-11 10:35:36 UTC
Hi Daniel, please also submit for:

- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4
Comment 6 OBSbugzilla Bot 2022-02-11 16:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1194177) was mentioned in
https://build.opensuse.org/request/show/953781 Backports:SLE-15-SP3 / connman
https://build.opensuse.org/request/show/953783 Backports:SLE-15-SP4 / connman
Comment 7 Swamp Workflow Management 2022-03-01 20:32:15 UTC
openSUSE-SU-2022:0056-1: An update that solves 17 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176447,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176774,1176940,1176956,1177440,1178134,1178270,1179211,1179424,1179426,1179427,1179599,1181148,1181507,1181710,1182404,1183534,1183540,1183897,1184318,1185726,1185902,1186332,1187541,1189126,1189158,1191793,1191876,1192267,1192320,1192507,1192511,1192569,1192606,1192691,1192845,1192847,1192874,1192877,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193139,1193169,1193306,1193318,1193349,1193440,1193442,1193655,1193993,1194087,1194094,1194175,1194176,1194177,1194266
CVE References: CVE-2020-24504,CVE-2020-27820,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4001,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486,CVE-2022-23096,CVE-2022-23097,CVE-2022-23098
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.34.1, kernel-source-azure-5.3.18-38.34.1, kernel-syms-azure-5.3.18-38.34.1
openSUSE Backports SLE-15-SP3 (src):    connman-1.41-bp153.2.3.1
Comment 8 Gianluca Gabrielli 2022-03-29 12:21:03 UTC