diff options
author | Pavel Zhukov <pavel.zhukov@huawei.com> | 2021-12-01 10:54:37 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-08 20:28:01 +0000 |
commit | 15d764e697b101d382a1f7834622bdd380908e6f (patch) | |
tree | 6f92aa21602cd0f9f0d17102af87cf9d71f535eb /meta | |
parent | 1f2cf291e767f2472d95ccee19c4d97bdc00f3d6 (diff) | |
download | poky-15d764e697b101d382a1f7834622bdd380908e6f.tar.gz |
busybox: Fix for CVE-2021-42376
A NULL pointer dereference in Busybox's hush applet leads to denial of service
when processing a crafted shell command, due to missing validation after
a \x03 delimiter character.
This may be used for DoS under very rare conditions of filtered command input.
Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42376
(From OE-Core rev: 58e49c94d5305875188110aecdefe77c0afdfcb7)
Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2021-42376.patch | 138 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.31.1.bb | 1 |
2 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch new file mode 100644 index 0000000000..c913eaee9c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch | |||
@@ -0,0 +1,138 @@ | |||
1 | From 56a335378ac100d51c30b21eee499a2effa37fba Mon Sep 17 00:00:00 2001 | ||
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Tue, 15 Jun 2021 16:05:57 +0200 | ||
4 | Subject: hush: fix handling of \^C and "^C" | ||
5 | |||
6 | function old new delta | ||
7 | parse_stream 2238 2252 +14 | ||
8 | encode_string 243 256 +13 | ||
9 | ------------------------------------------------------------------------------ | ||
10 | (add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0) Total: 27 bytes | ||
11 | |||
12 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
13 | (cherry picked from commit 1b7a9b68d0e9aa19147d7fda16eb9a6b54156985) | ||
14 | |||
15 | Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com> | ||
16 | |||
17 | CVE: CVE-2021-42376 | ||
18 | Upstream-Status: Backport [https://git.busybox.net/busybox/patch/?id=56a335378ac100d51c30b21eee499a2effa37fba] | ||
19 | Comment: No changes in any hunk | ||
20 | --- | ||
21 | shell/ash_test/ash-misc/control_char3.right | 1 + | ||
22 | shell/ash_test/ash-misc/control_char3.tests | 2 ++ | ||
23 | shell/ash_test/ash-misc/control_char4.right | 1 + | ||
24 | shell/ash_test/ash-misc/control_char4.tests | 2 ++ | ||
25 | shell/hush.c | 11 +++++++++++ | ||
26 | shell/hush_test/hush-misc/control_char3.right | 1 + | ||
27 | shell/hush_test/hush-misc/control_char3.tests | 2 ++ | ||
28 | shell/hush_test/hush-misc/control_char4.right | 1 + | ||
29 | shell/hush_test/hush-misc/control_char4.tests | 2 ++ | ||
30 | 9 files changed, 23 insertions(+) | ||
31 | create mode 100644 shell/ash_test/ash-misc/control_char3.right | ||
32 | create mode 100755 shell/ash_test/ash-misc/control_char3.tests | ||
33 | create mode 100644 shell/ash_test/ash-misc/control_char4.right | ||
34 | create mode 100755 shell/ash_test/ash-misc/control_char4.tests | ||
35 | create mode 100644 shell/hush_test/hush-misc/control_char3.right | ||
36 | create mode 100755 shell/hush_test/hush-misc/control_char3.tests | ||
37 | create mode 100644 shell/hush_test/hush-misc/control_char4.right | ||
38 | create mode 100755 shell/hush_test/hush-misc/control_char4.tests | ||
39 | |||
40 | diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right | ||
41 | new file mode 100644 | ||
42 | index 000000000..283e02cbb | ||
43 | --- /dev/null | ||
44 | +++ b/shell/ash_test/ash-misc/control_char3.right | ||
45 | @@ -0,0 +1 @@ | ||
46 | +SHELL: line 1: : not found | ||
47 | diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests | ||
48 | new file mode 100755 | ||
49 | index 000000000..4359db3f3 | ||
50 | --- /dev/null | ||
51 | +++ b/shell/ash_test/ash-misc/control_char3.tests | ||
52 | @@ -0,0 +1,2 @@ | ||
53 | +# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages) | ||
54 | +$THIS_SH -c '\' SHELL | ||
55 | diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right | ||
56 | new file mode 100644 | ||
57 | index 000000000..2bf18e684 | ||
58 | --- /dev/null | ||
59 | +++ b/shell/ash_test/ash-misc/control_char4.right | ||
60 | @@ -0,0 +1 @@ | ||
61 | +SHELL: line 1: -: not found | ||
62 | diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests | ||
63 | new file mode 100755 | ||
64 | index 000000000..48010f154 | ||
65 | --- /dev/null | ||
66 | +++ b/shell/ash_test/ash-misc/control_char4.tests | ||
67 | @@ -0,0 +1,2 @@ | ||
68 | +# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages) | ||
69 | +$THIS_SH -c '"-"' SHELL | ||
70 | diff --git a/shell/hush.c b/shell/hush.c | ||
71 | index 9fead37da..249728b9d 100644 | ||
72 | --- a/shell/hush.c | ||
73 | +++ b/shell/hush.c | ||
74 | @@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string, | ||
75 | } | ||
76 | #endif | ||
77 | o_addQchr(dest, ch); | ||
78 | + if (ch == SPECIAL_VAR_SYMBOL) { | ||
79 | + /* Convert "^C" to corresponding special variable reference */ | ||
80 | + o_addchr(dest, SPECIAL_VAR_QUOTED_SVS); | ||
81 | + o_addchr(dest, SPECIAL_VAR_SYMBOL); | ||
82 | + } | ||
83 | goto again; | ||
84 | #undef as_string | ||
85 | } | ||
86 | @@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring, | ||
87 | if (ch == '\n') | ||
88 | continue; /* drop \<newline>, get next char */ | ||
89 | nommu_addchr(&ctx.as_string, '\\'); | ||
90 | + if (ch == SPECIAL_VAR_SYMBOL) { | ||
91 | + nommu_addchr(&ctx.as_string, ch); | ||
92 | + /* Convert \^C to corresponding special variable reference */ | ||
93 | + goto case_SPECIAL_VAR_SYMBOL; | ||
94 | + } | ||
95 | o_addchr(&ctx.word, '\\'); | ||
96 | if (ch == EOF) { | ||
97 | /* Testcase: eval 'echo Ok\' */ | ||
98 | @@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring, | ||
99 | /* Note: nommu_addchr(&ctx.as_string, ch) is already done */ | ||
100 | |||
101 | switch (ch) { | ||
102 | + case_SPECIAL_VAR_SYMBOL: | ||
103 | case SPECIAL_VAR_SYMBOL: | ||
104 | /* Convert raw ^C to corresponding special variable reference */ | ||
105 | o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL); | ||
106 | diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right | ||
107 | new file mode 100644 | ||
108 | index 000000000..94b4f8699 | ||
109 | --- /dev/null | ||
110 | +++ b/shell/hush_test/hush-misc/control_char3.right | ||
111 | @@ -0,0 +1 @@ | ||
112 | +hush: can't execute '': No such file or directory | ||
113 | diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests | ||
114 | new file mode 100755 | ||
115 | index 000000000..4359db3f3 | ||
116 | --- /dev/null | ||
117 | +++ b/shell/hush_test/hush-misc/control_char3.tests | ||
118 | @@ -0,0 +1,2 @@ | ||
119 | +# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages) | ||
120 | +$THIS_SH -c '\' SHELL | ||
121 | diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right | ||
122 | new file mode 100644 | ||
123 | index 000000000..698e21427 | ||
124 | --- /dev/null | ||
125 | +++ b/shell/hush_test/hush-misc/control_char4.right | ||
126 | @@ -0,0 +1 @@ | ||
127 | +hush: can't execute '-': No such file or directory | ||
128 | diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests | ||
129 | new file mode 100755 | ||
130 | index 000000000..48010f154 | ||
131 | --- /dev/null | ||
132 | +++ b/shell/hush_test/hush-misc/control_char4.tests | ||
133 | @@ -0,0 +1,2 @@ | ||
134 | +# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages) | ||
135 | +$THIS_SH -c '"-"' SHELL | ||
136 | -- | ||
137 | cgit v1.2.3 | ||
138 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index 55c00eb483..14ac710f3b 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb | |||
@@ -53,6 +53,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
53 | file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \ | 53 | file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \ |
54 | file://0001-mktemp-add-tmpdir-option.patch \ | 54 | file://0001-mktemp-add-tmpdir-option.patch \ |
55 | file://CVE-2021-42374.patch \ | 55 | file://CVE-2021-42374.patch \ |
56 | file://CVE-2021-42376.patch \ | ||
56 | " | 57 | " |
57 | SRC_URI_append_libc-musl = " file://musl.cfg " | 58 | SRC_URI_append_libc-musl = " file://musl.cfg " |
58 | 59 | ||