author | Armin Kuster <akuster808@gmail.com> | 2019-05-30 09:46:57 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | 14d23c29a2d6a9944233983d64109037077db49e (patch) | |
tree | 71b4519ec2bb76ef81b0a1e2d8f97b932aab2c6a /meta/recipes-core/busybox | |
parent | 016a0b830e65cdd71830ddf12fec8ca795b0f264 (diff) | |
download | poky-14d23c29a2d6a9944233983d64109037077db49e.tar.gz |
busybox: Security fixes for CVE-2018-20679 CVE-2019-5747
Source: busybox.git
MR: 97332
Type: Security Fix
Disposition: Backport from busybox.git
ChangeID: ec203c79e7322de1ed5721d08b6f59b1eca67c7d
Description:
Affects < 1.30.0
Fixes:
CVE-2018-20679
CVE-2019-5747
(From OE-Core rev: 7db146abad6d2bbb7d7a549e7091412e0e494db2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/busybox')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2018-20679.patch | 142 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2019-5747.patch | 60 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.29.3.bb | 2 |
3 files changed, 204 insertions, 0 deletions
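--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
@@ -0,0 +1,142 @@
+From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 17 Dec 2018 18:07:18 +0100
+Subject: [PATCH] udhcpc: check that 4-byte options are indeed 4-byte, closes
+ 11506
+
+function old new delta
+udhcp_get_option32 - 27 +27
+udhcp_get_option 231 248 +17
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0) Total: 44 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-20679
+
+Affects < 1.30.0
+
+signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/common.c | 19 +++++++++++++++++++
+ networking/udhcp/common.h | 4 ++++
+ networking/udhcp/dhcpc.c | 6 +++---
+ networking/udhcp/dhcpd.c | 6 +++---
+ 4 files changed, 29 insertions(+), 6 deletions(-)
+
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
++++ busybox-1.29.3/networking/udhcp/common.c
+@@ -270,6 +270,15 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+ goto complain; /* complain and return NULL */
+ 
+ if (optionptr[OPT_CODE] == code) {
++ if (optionptr[OPT_LEN] == 0) {
++ /* So far no valid option with length 0 known.
++ * Having this check means that searching
++ * for DHCP_MESSAGE_TYPE need not worry
++ * that returned pointer might be unsafe
++ * to dereference.
++ */
++ goto complain; /* complain and return NULL */
++ }
+ log_option("option found", optionptr);
+ return optionptr + OPT_DATA;
+ }
+@@ -287,6 +296,16 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+ return NULL;
+ }
+ 
++uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
++{
++ uint8_t *r = udhcp_get_option(packet, code);
++ if (r) {
++ if (r[-1] != 4)
++ r = NULL;
++ }
++ return r;
++}
++
+ /* Return the position of the 'end' option (no bounds checking) */
+ int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
+ {
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
++++ busybox-1.29.3/networking/udhcp/common.h
+@@ -204,6 +204,10 @@ extern const uint8_t dhcp_option_lengths
+ unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings);
+ 
+ uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC;
++/* Same as above + ensures that option length is 4 bytes
++ * (returns NULL if size is different)
++ */
++uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC;
+ int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
+ void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC;
+ #if ENABLE_UDHCPC || ENABLE_UDHCPD
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
++++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -1694,7 +1694,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ * They say ISC DHCP client supports this case.
+ */
+ server_addr = 0;
+- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (!temp) {
+ bb_error_msg("no server ID, using 0.0.0.0");
+ } else {
+@@ -1721,7 +1721,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ struct in_addr temp_addr;
+ uint8_t *temp;
+ 
+- temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
++ temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
+ if (!temp) {
+ bb_error_msg("no lease time with ACK, using 1 hour lease");
+ lease_seconds = 60 * 60;
+@@ -1817,7 +1817,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ uint32_t svid;
+ uint8_t *temp;
+ 
+- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (!temp) {
+ non_matching_svid:
+ log1("received DHCP NAK with wrong"
+Index: busybox-1.29.3/networking/udhcp/dhcpd.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpd.c
++++ busybox-1.29.3/networking/udhcp/dhcpd.c
+@@ -640,7 +640,7 @@ static void add_server_options(struct dh
+ static uint32_t select_lease_time(struct dhcp_packet *packet)
+ {
+ uint32_t lease_time_sec = server_config.max_lease_sec;
+- uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
++ uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
+ if (lease_time_opt) {
+ move_from_unaligned32(lease_time_sec, lease_time_opt);
+ lease_time_sec = ntohl(lease_time_sec);
+@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+ }
+ 
+ /* Get SERVER_ID if present */
+- server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (server_id_opt) {
+ uint32_t server_id_network_order;
+ move_from_unaligned32(server_id_network_order, server_id_opt);
+@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+ }
+ 
+ /* Get REQUESTED_IP if present */
+- requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
++ requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
+ if (requested_ip_opt) {
+ move_from_unaligned32(requested_nip, requested_ip_opt);
+ }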
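Review bot: udhcp_get_option32 (common.c hunk at +296) drops an option whose length is not 4 silently, whereas the zero-length case added just above it goes through the `complain` path and is logged; a packet carrying a fixed-width option with the wrong length is precisely what an operator would want to see in the log, so consider adding `bb_error_msg("bad length %d for option %d, ignoring", r[-1], code);` before `r = NULL;`. The bare `-1` offset is rewritten as `-OPT_DATA + OPT_LEN` by the second patch in this commit, so nothing further is needed there. The new comment on the common.h declaration says only that NULL is returned on a size mismatch; it would help callers to add that NULL is also the absent-option result, so the two cases cannot be told apart by the return value alone.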
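--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
+From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 7 Jan 2019 15:33:42 +0100
+Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
+
+function old new delta
+udhcp_run_script 795 801 +6
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-5747
+Affects < 1.30.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/common.c | 2 +-
+ networking/udhcp/common.h | 2 +-
+ networking/udhcp/dhcpc.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
++++ busybox-1.29.3/networking/udhcp/common.c
+@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
+ {
+ uint8_t *r = udhcp_get_option(packet, code);
+ if (r) {
+- if (r[-1] != 4)
++ if (r[-OPT_DATA + OPT_LEN] != 4)
+ r = NULL;
+ }
+ return r;
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
++++ busybox-1.29.3/networking/udhcp/common.h
+@@ -119,7 +119,7 @@ enum {
+ //#define DHCP_TIME_SERVER 0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
+ //#define DHCP_NAME_SERVER 0x05 /* IEN 116 _really_ ancient kind of NS */
+ //#define DHCP_DNS_SERVER 0x06
+-//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog)
++//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) */
+ //#define DHCP_COOKIE_SERVER 0x08 /* "quote of the day" server */
+ //#define DHCP_LPR_SERVER 0x09
+ #define DHCP_HOST_NAME 0x0c /* either client informs server or server gives name to client */
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
++++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
+ temp = udhcp_get_option(packet, code);
+ *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
+ putenv(*curr++);
+- if (code == DHCP_SUBNET) {
++ if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
+ /* Subnet option: make things like "$ip/$mask" possible */
+ uint32_t subnet;
+ move_from_unaligned32(subnet, temp);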
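Review bot: The new guard in fill_envp (dhcpc.c hunk at 526) reads `temp[-OPT_DATA + OPT_LEN]` with no NULL check visible in the hunk, and udhcp_get_option does return NULL for an absent option (see the common.c hunk of the sibling patch in this commit); fill_envp starts outside the hunk, so presumably the loop has already established that `code` is present in the packet, which is worth confirming and recording on that line as `/* temp is non-NULL here: presence of `code` was established by the loop above */`. Separately, when the subnet option has the wrong length the derived `$ip/$mask` value is silently not exported, but the raw option has already been passed to `xmalloc_optname_optval` on the line above; whether that helper bounds its copy by OPT_LEN is not visible here and should be checked, since the raw text still reaches the script environment.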
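--- a/meta/recipes-core/busybox/busybox_1.29.3.bb
+++ b/meta/recipes-core/busybox/busybox_1.29.3.bb
@@ -41,6 +41,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://rcS \
 file://rcK \
 file://makefile-libbb-race.patch \
+file://CVE-2018-20679.patch \
+file://CVE-2019-5747.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 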