diff options
author | Peter Marko <peter.marko@siemens.com> | 2024-07-12 23:38:54 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-07-13 23:28:31 +0100 |
commit | c862902172878cbd204f23e461d7b49fa1437857 (patch) | |
tree | b4f301d08447949a8406796dfc52b434af89d7cd /meta/recipes-core | |
parent | 700febff616db30152d7728c6f465d88701941de (diff) | |
download | poky-c862902172878cbd204f23e461d7b49fa1437857.tar.gz |
busybox: Patch CVE-2023-42363
Backport patch for CVE-2023-42363.
(From OE-Core rev: 814f97922e1d6c24a36b03ee0e865f2210ff6d7c)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2023-42363.patch | 67 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.36.1.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch new file mode 100644 index 0000000000..379f6f83b1 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001 | ||
2 | From: Natanael Copa <ncopa@alpinelinux.org> | ||
3 | Date: Mon, 20 May 2024 17:55:28 +0200 | ||
4 | Subject: [PATCH] awk: fix use after free (CVE-2023-42363) | ||
5 | |||
6 | function old new delta | ||
7 | evaluate 3377 3385 +8 | ||
8 | |||
9 | Fixes https://bugs.busybox.net/show_bug.cgi?id=15865 | ||
10 | |||
11 | Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> | ||
12 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
13 | |||
14 | CVE: CVE-2023-42363 | ||
15 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa] | ||
16 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
17 | --- | ||
18 | editors/awk.c | 21 +++++++++++++-------- | ||
19 | 1 file changed, 13 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/editors/awk.c b/editors/awk.c | ||
22 | index 0981c6735..ff6d6350b 100644 | ||
23 | --- a/editors/awk.c | ||
24 | +++ b/editors/awk.c | ||
25 | @@ -2910,19 +2910,14 @@ static var *evaluate(node *op, var *res) | ||
26 | /* yes, remember where Fields[] is */ | ||
27 | old_Fields_ptr = Fields; | ||
28 | } | ||
29 | - if (opinfo & OF_STR1) { | ||
30 | - L.s = getvar_s(L.v); | ||
31 | - debug_printf_eval("L.s:'%s'\n", L.s); | ||
32 | - } | ||
33 | if (opinfo & OF_NUM1) { | ||
34 | L_d = getvar_i(L.v); | ||
35 | debug_printf_eval("L_d:%f\n", L_d); | ||
36 | } | ||
37 | } | ||
38 | - /* NB: Must get string/numeric values of L (done above) | ||
39 | - * _before_ evaluate()'ing R.v: if both L and R are $NNNs, | ||
40 | - * and right one is large, then L.v points to Fields[NNN1], | ||
41 | - * second evaluate() reallocates and moves (!) Fields[], | ||
42 | + /* NB: if both L and R are $NNNs, and right one is large, | ||
43 | + * then at this pint L.v points to Fields[NNN1], second | ||
44 | + * evaluate() below reallocates and moves (!) Fields[], | ||
45 | * R.v points to Fields[NNN2] but L.v now points to freed mem! | ||
46 | * (Seen trying to evaluate "$444 $44444") | ||
47 | */ | ||
48 | @@ -2942,6 +2937,16 @@ static var *evaluate(node *op, var *res) | ||
49 | debug_printf_eval("R.s:'%s'\n", R.s); | ||
50 | } | ||
51 | } | ||
52 | + /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v | ||
53 | + * so we must get the string after "old_Fields_ptr" correction | ||
54 | + * above. Testcase: x = (v = "abc", gsub("b", "X", v)); | ||
55 | + */ | ||
56 | + if (opinfo & OF_RES1) { | ||
57 | + if (opinfo & OF_STR1) { | ||
58 | + L.s = getvar_s(L.v); | ||
59 | + debug_printf_eval("L.s:'%s'\n", L.s); | ||
60 | + } | ||
61 | + } | ||
62 | |||
63 | debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK)); | ||
64 | switch (XC(opinfo & OPCLSMASK)) { | ||
65 | -- | ||
66 | 2.30.2 | ||
67 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 46e719845a..7ce57bb0d0 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb | |||
@@ -51,6 +51,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
51 | file://start-stop-false.patch \ | 51 | file://start-stop-false.patch \ |
52 | file://CVE-2021-42380.patch \ | 52 | file://CVE-2021-42380.patch \ |
53 | file://0001-awk-fix-segfault-when-compiled-by-clang.patch \ | 53 | file://0001-awk-fix-segfault-when-compiled-by-clang.patch \ |
54 | file://CVE-2023-42363.patch \ | ||
54 | " | 55 | " |
55 | SRC_URI:append:libc-musl = " file://musl.cfg " | 56 | SRC_URI:append:libc-musl = " file://musl.cfg " |
56 | # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html | 57 | # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html |