busybox: Backport CVE-2022-48174 fix

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 (From OE-Core rev: 634daf953e4bd8c6df3ee341b5e93cc81e1a620d) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Marek Vasut <marex@denx.de> 2023-10-09 18:26:22 +0200
committer: Steve Sakoman <steve@sakoman.com> 2023-10-13 05:47:07 -1000
commit: 3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7 (patch)
tree: f9a0feadd855553ff8679a2efe85a1b3b73baa77 /meta/recipes-core
parent: eebb034b2195f6b27ac17f436653db28ebdcfa4c (diff)
download: poky-3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+function                                             old     new   delta
+evaluate_string                                     1011    1053     +42
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
+++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+//     unsigned count = 0;
+//     while (*(expr = skip_whitespace(expr)) != '\0') {
+//             const char *p;
+//             if (isdigit(*expr)) {
+//                     while (isdigit(*++expr))
+//                             continue;
+//                     count++;
+//                     continue;
+//             }
+//             p = endofname(expr);
+//             if (p != expr) {
+//                     expr = p;
+//                     count++;
+//                     continue;
+//             }
+//     }
+//     return count;
+//}
+
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+        const char *errmsg;
+        const char *start_expr = expr = skip_whitespace(expr);
+        unsigned expr_len = strlen(expr) + 2;
+-       /* Stack of integers */
+-       /* The proof that there can be no more than strlen(startbuf)/2+1
+-        * integers in any given correct or incorrect expression
+-        * is left as an exercise to the reader. */
+       /* Stack of integers/names */
+       /* There can be no more than strlen(startbuf)/2+1
+        * integers/names in any given correct or incorrect expression.
+        * (modulo "09v09v09v09v09v" case,
+        * but we have code to detect that early)
+        */
+        var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+        var_or_num_t *numstackptr = numstack;
+        /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+                        numstackptr->var = NULL;
+                        errno = 0;
+                        numstackptr->val = strto_arith_t(expr, (char**) &expr);
+                       /* A number can't be followed by another number, or a variable name.
+                        * We'd catch this later anyway, but this would require numstack[]
+                        * to be twice as deep to handle strings where _every_ char is
+                        * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+                        */
+                       if (isalnum(*expr) || *expr == '_')
+                               goto err;
+                        if (errno)
+                                numstackptr->val = 0; /* bash compat */
+                        goto num;
+-- 
+2.40.1
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index d062f0f7dd..94aa1467df 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2021-42374.patch \
           file://CVE-2021-42376.patch \
           file://CVE-2021-423xx-awk.patch \
+           file://CVE-2022-48174.patch \
           file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
           file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
           "
author	Marek Vasut <marex@denx.de>	2023-10-09 18:26:22 +0200
committer	Steve Sakoman <steve@sakoman.com>	2023-10-13 05:47:07 -1000
commit	3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7 (patch)
tree	f9a0feadd855553ff8679a2efe85a1b3b73baa77 /meta/recipes-core
parent	eebb034b2195f6b27ac17f436653db28ebdcfa4c (diff)
download	poky-3ee56c9b975efc22fd535879d2ab6aaa7c67e1a7.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..dfba2a7e0f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
		1	From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Mon, 12 Jun 2023 17:48:47 +0200
		4	Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
		5
		6	function old new delta
		7	evaluate_string 1011 1053 +42
		8
		9	CVE: CVE-2022-48174
		10	Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
		11	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		12	---
		13	shell/math.c \| 39 +++++++++++++++++++++++++++++++++++----
		14	1 file changed, 35 insertions(+), 4 deletions(-)
		15
		16	diff --git a/shell/math.c b/shell/math.c
		17	index af1ab55c0..79824e81f 100644
		18	--- a/shell/math.c
		19	+++ b/shell/math.c
		20	@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char nptr, char *endptr)
		21	# endif
		22	#endif
		23
		24	+//TODO: much better estimation than expr_len/2? Such as:
		25	+//static unsigned estimate_nums_and_names(const char *expr)
		26	+//{
		27	+// unsigned count = 0;
		28	+// while (*(expr = skip_whitespace(expr)) != '\0') {
		29	+// const char *p;
		30	+// if (isdigit(*expr)) {
		31	+// while (isdigit(*++expr))
		32	+// continue;
		33	+// count++;
		34	+// continue;
		35	+// }
		36	+// p = endofname(expr);
		37	+// if (p != expr) {
		38	+// expr = p;
		39	+// count++;
		40	+// continue;
		41	+// }
		42	+// }
		43	+// return count;
		44	+//}
		45	+
		46	static arith_t FAST_FUNC
		47	evaluate_string(arith_state_t math_state, const char expr)
		48	{
		49	@@ -585,10 +607,12 @@ evaluate_string(arith_state_t math_state, const char expr)
		50	const char *errmsg;
		51	const char *start_expr = expr = skip_whitespace(expr);
		52	unsigned expr_len = strlen(expr) + 2;
		53	- /* Stack of integers */
		54	- /* The proof that there can be no more than strlen(startbuf)/2+1
		55	- * integers in any given correct or incorrect expression
		56	- * is left as an exercise to the reader. */
		57	+ /* Stack of integers/names */
		58	+ /* There can be no more than strlen(startbuf)/2+1
		59	+ * integers/names in any given correct or incorrect expression.
		60	+ * (modulo "09v09v09v09v09v" case,
		61	+ * but we have code to detect that early)
		62	+ */
		63	var_or_num_t const numstack = alloca((expr_len / 2) sizeof(numstack[0]));
		64	var_or_num_t *numstackptr = numstack;
		65	/* Stack of operator tokens */
		66	@@ -657,6 +681,13 @@ evaluate_string(arith_state_t math_state, const char expr)
		67	numstackptr->var = NULL;
		68	errno = 0;
		69	numstackptr->val = strto_arith_t(expr, (char**) &expr);
		70	+ /* A number can't be followed by another number, or a variable name.
		71	+ * We'd catch this later anyway, but this would require numstack[]
		72	+ * to be twice as deep to handle strings where _every_ char is
		73	+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
		74	+ */
		75	+ if (isalnum(expr) \|\| expr == '_')
		76	+ goto err;
		77	if (errno)
		78	numstackptr->val = 0; /* bash compat */
		79	goto num;
		80	--
		81	2.40.1
		82


diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index d062f0f7dd..94aa1467df 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
55	file://CVE-2021-42374.patch \	55	file://CVE-2021-42374.patch \
56	file://CVE-2021-42376.patch \	56	file://CVE-2021-42376.patch \
57	file://CVE-2021-423xx-awk.patch \	57	file://CVE-2021-423xx-awk.patch \
		58	file://CVE-2022-48174.patch \
58	file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \	59	file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
59	file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \	60	file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
60	"	61	"