busybox: Security Fix CVE-2016-2148

busybox <= 1.24.2 (From OE-Core rev: 1d7ad5f32ae39f84626bb71ded75439062dd717c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-27 13:28:01 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-14 09:40:16 +0100
commit: ba15486e27410ebf2a22c687a1b0ac4ffa15726b (patch)
tree: d71029d970f80fb2ee821376422367624141758d /meta
parent: 2ef5feeb3d50203a5754308c2e1c16a9388802bf (diff)
download: poky-ba15486e27410ebf2a22c687a1b0ac4ffa15726b.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
new file mode 100644
index 0000000000..af04a7f5bd
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
@@ -0,0 +1,74 @@
+From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2148
+https://git.busybox.net/busybox/commit/?id=352f79
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c  |  4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+Index: busybox-1.23.2/networking/udhcp/common.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/common.c
+++ busybox-1.23.2/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1
+  * udhcp_str2optset: to determine how many bytes to allocate.
+  * xmalloc_optname_optval: to estimate string length
+  * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
+ * is the number of elements, multiply it by one element's string width
+  * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+  */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG
+        [OPTION_S32] =     4,
+        /* Just like OPTION_STRING, we use minimum length here */
+        [OPTION_STATIC_ROUTES] = 5,
+-       [OPTION_6RD] =    22,  /* ignored by udhcp_str2optset */
+       [OPTION_6RD] =    12,  /* ignored by udhcp_str2optset */
+       /* The above value was chosen as follows:
+        * len_of_option_as_string[] for this option is >60: it's a string of the form
+        * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
+        * Each additional ipv4 address takes 4 bytes in binary option and appends
+        * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
+        * but this severely overestimates string length: instead of 16 bytes,
+        * it adds >60 for every 4 bytes in binary option.
+        * We cheat and declare here that option is in units of 12 bytes.
+        * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
+        * (Even 16 instead of 12 should work, but let's be paranoid).
+        */
+ };
+ 
+ 
+Index: busybox-1.23.2/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/dhcpc.c
+++ busybox-1.23.2/networking/udhcp/dhcpc.c
+@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st
+        [OPTION_IP              ] = sizeof("255.255.255.255 "),
+        [OPTION_IP_PAIR         ] = sizeof("255.255.255.255 ") * 2,
+        [OPTION_STATIC_ROUTES   ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+-       [OPTION_6RD             ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+       [OPTION_6RD             ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+        [OPTION_STRING          ] = 1,
+        [OPTION_STRING_HOST     ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op
+        type = optflag->flags & OPTION_TYPE_MASK;
+        optlen = dhcp_option_lengths[type];
+        upper_length = len_of_option_as_string[type]
+-               * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
+               * ((unsigned)(len + optlen) / (unsigned)optlen);
+ 
+        dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+        dest += sprintf(ret, "%s=", opt_name);
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb
index 5edcbfd8df..955de9c907 100644
--- a/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://sha1sum.cfg \
           file://sha256sum.cfg \
           file://getopts.cfg \
+           file://CVE-2016-2148.patch \
 "
 SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"
author	Armin Kuster <akuster@mvista.com>	2016-04-27 13:28:01 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-14 09:40:16 +0100
commit	ba15486e27410ebf2a22c687a1b0ac4ffa15726b (patch)
tree	d71029d970f80fb2ee821376422367624141758d /meta
parent	2ef5feeb3d50203a5754308c2e1c16a9388802bf (diff)
download	poky-ba15486e27410ebf2a22c687a1b0ac4ffa15726b.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch new file mode 100644 index 0000000000..af04a7f5bd --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
@@ -0,0 +1,74 @@
		1	From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Fri, 26 Feb 2016 15:54:56 +0100
		4	Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
		5	buffer)
		6
		7	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2016-2148
		11	https://git.busybox.net/busybox/commit/?id=352f79
		12
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	networking/udhcp/common.c \| 15 +++++++++++++--
		17	networking/udhcp/dhcpc.c \| 4 ++--
		18	2 files changed, 15 insertions(+), 4 deletions(-)
		19
		20	Index: busybox-1.23.2/networking/udhcp/common.c
		21	===================================================================
		22	--- busybox-1.23.2.orig/networking/udhcp/common.c
		23	+++ busybox-1.23.2/networking/udhcp/common.c
		24	@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1
		25	* udhcp_str2optset: to determine how many bytes to allocate.
		26	* xmalloc_optname_optval: to estimate string length
		27	* from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
		28	- * is the number of elements, multiply in by one element's string width
		29	+ * is the number of elements, multiply it by one element's string width
		30	* (len_of_option_as_string[opt_type]) and you know how wide string you need.
		31	*/
		32	const uint8_t dhcp_option_lengths[] ALIGN1 = {
		33	@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG
		34	[OPTION_S32] = 4,
		35	/* Just like OPTION_STRING, we use minimum length here */
		36	[OPTION_STATIC_ROUTES] = 5,
		37	- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
		38	+ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
		39	+ /* The above value was chosen as follows:
		40	+ * len_of_option_as_string[] for this option is >60: it's a string of the form
		41	+ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
		42	+ * Each additional ipv4 address takes 4 bytes in binary option and appends
		43	+ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
		44	+ * but this severely overestimates string length: instead of 16 bytes,
		45	+ * it adds >60 for every 4 bytes in binary option.
		46	+ * We cheat and declare here that option is in units of 12 bytes.
		47	+ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
		48	+ * (Even 16 instead of 12 should work, but let's be paranoid).
		49	+ */
		50	};
		51
		52
		53	Index: busybox-1.23.2/networking/udhcp/dhcpc.c
		54	===================================================================
		55	--- busybox-1.23.2.orig/networking/udhcp/dhcpc.c
		56	+++ busybox-1.23.2/networking/udhcp/dhcpc.c
		57	@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st
		58	[OPTION_IP ] = sizeof("255.255.255.255 "),
		59	[OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
		60	[OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
		61	- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
		62	+ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
		63	[OPTION_STRING ] = 1,
		64	[OPTION_STRING_HOST ] = 1,
		65	#if ENABLE_FEATURE_UDHCP_RFC3397
		66	@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op
		67	type = optflag->flags & OPTION_TYPE_MASK;
		68	optlen = dhcp_option_lengths[type];
		69	upper_length = len_of_option_as_string[type]
		70	- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
		71	+ * ((unsigned)(len + optlen) / (unsigned)optlen);
		72
		73	dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
		74	dest += sprintf(ret, "%s=", opt_name);


diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb index 5edcbfd8df..955de9c907 100644 --- a/meta/recipes-core/busybox/busybox_1.23.2.bb +++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
41	file://sha1sum.cfg \	41	file://sha1sum.cfg \
42	file://sha256sum.cfg \	42	file://sha256sum.cfg \
43	file://getopts.cfg \	43	file://getopts.cfg \
		44	file://CVE-2016-2148.patch \
44	"	45	"
45		46
46	SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"	47	SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"