author | Marek Vasut <marex@denx.de> | 2023-10-09 18:26:22 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-10-13 05:47:07 -1000 |
commit | 3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7 (patch) | |
tree | f9a0feadd855553ff8679a2efe85a1b3b73baa77 /meta/recipes-core/busybox/busybox | |
parent | eebb034b2195f6b27ac17f436653db28ebdcfa4c (diff) | |
download | poky-3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7.tar.gz |
busybox: Backport CVE-2022-48174 fix
There is a stack overflow vulnerability in ash.c:6030 in busybox before
1.35. In the environment of Internet of Vehicles, this vulnerability can
be executed from command to arbitrary code execution.
https://nvd.nist.gov/vuln/detail/CVE-2022-48174
CVE: CVE-2022-48174
(From OE-Core rev: 634daf953e4bd8c6df3ee341b5e93cc81e1a620d)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-core/busybox/busybox')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2022-48174.patch | 82 |
1 files changed, 82 insertions, 0 deletions
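--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+# endif
+#endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+static arith_t FAST_FUNC
+evaluate_string(arith_state_t *math_state, const char *expr)
+{
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+const char *errmsg;
+const char *start_expr = expr = skip_whitespace(expr);
+unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+var_or_num_t *numstackptr = numstack;
+/* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+numstackptr->var = NULL;
+errno = 0;
+numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+if (errno)
+numstackptr->val = 0; /* bash compat */
+goto num;
+--
+2.40.1
+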
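Review bot: Nothing visible in these hunks checks `numstackptr` against the `expr_len / 2` depth of the `alloca()`-backed `numstack` before `numstackptr->var = NULL` writes through it, so memory safety still rests on the token-count estimate that the new TODO itself questions; the added guard at patch lines 75-76 only closes the `09v09v…` case. If the backport may diverge from upstream, an explicit bound ahead of that store, such as `if ((unsigned)(numstackptr - numstack) >= expr_len / 2) goto err;`, would turn any remaining estimate miss into a syntax error instead of a stack write. evaluate_string's body continues outside the hunks, so confirm that no such check already exists. Separately, the commit message repeats NVD's `before 1.35` and `ash.c:6030`, while the fix is in `shell/math.c` and is dated 2023-06-12, which suggests later releases are affected too; version-based scanner results should be checked against the patched source rather than the advisory text.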