1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+function                                             old     new   delta
+evaluate_string                                     1011    1053     +42
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
+++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+//     unsigned count = 0;
+//     while (*(expr = skip_whitespace(expr)) != '\0') {
+//             const char *p;
+//             if (isdigit(*expr)) {
+//                     while (isdigit(*++expr))
+//                             continue;
+//                     count++;
+//                     continue;
+//             }
+//             p = endofname(expr);
+//             if (p != expr) {
+//                     expr = p;
+//                     count++;
+//                     continue;
+//             }
+//     }
+//     return count;
+//}
+
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+        const char *errmsg;
+        const char *start_expr = expr = skip_whitespace(expr);
+        unsigned expr_len = strlen(expr) + 2;
+-       /* Stack of integers */
+-       /* The proof that there can be no more than strlen(startbuf)/2+1
+-        * integers in any given correct or incorrect expression
+-        * is left as an exercise to the reader. */
+       /* Stack of integers/names */
+       /* There can be no more than strlen(startbuf)/2+1
+        * integers/names in any given correct or incorrect expression.
+        * (modulo "09v09v09v09v09v" case,
+        * but we have code to detect that early)
+        */
+        var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+        var_or_num_t *numstackptr = numstack;
+        /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+                        numstackptr->var = NULL;
+                        errno = 0;
+                        numstackptr->val = strto_arith_t(expr, (char**) &expr);
+                       /* A number can't be followed by another number, or a variable name.
+                        * We'd catch this later anyway, but this would require numstack[]
+                        * to be twice as deep to handle strings where _every_ char is
+                        * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+                        */
+                       if (isalnum(*expr) || *expr == '_')
+                               goto err;
+                        if (errno)
+                                numstackptr->val = 0; /* bash compat */
+                        goto num;
+-- 
+2.40.1

diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..dfba2a7e0f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
	1	From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
	2	From: Denys Vlasenko <vda.linux@googlemail.com>
	3	Date: Mon, 12 Jun 2023 17:48:47 +0200
	4	Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
	5
	6	function old new delta
	7	evaluate_string 1011 1053 +42
	8
	9	CVE: CVE-2022-48174
	10	Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
	11	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	12	---
	13	shell/math.c \| 39 +++++++++++++++++++++++++++++++++++----
	14	1 file changed, 35 insertions(+), 4 deletions(-)
	15
	16	diff --git a/shell/math.c b/shell/math.c
	17	index af1ab55c0..79824e81f 100644
	18	--- a/shell/math.c
	19	+++ b/shell/math.c
	20	@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char nptr, char *endptr)
	21	# endif
	22	#endif
	23
	24	+//TODO: much better estimation than expr_len/2? Such as:
	25	+//static unsigned estimate_nums_and_names(const char *expr)
	26	+//{
	27	+// unsigned count = 0;
	28	+// while (*(expr = skip_whitespace(expr)) != '\0') {
	29	+// const char *p;
	30	+// if (isdigit(*expr)) {
	31	+// while (isdigit(*++expr))
	32	+// continue;
	33	+// count++;
	34	+// continue;
	35	+// }
	36	+// p = endofname(expr);
	37	+// if (p != expr) {
	38	+// expr = p;
	39	+// count++;
	40	+// continue;
	41	+// }
	42	+// }
	43	+// return count;
	44	+//}
	45	+
	46	static arith_t FAST_FUNC
	47	evaluate_string(arith_state_t math_state, const char expr)
	48	{
	49	@@ -585,10 +607,12 @@ evaluate_string(arith_state_t math_state, const char expr)
	50	const char *errmsg;
	51	const char *start_expr = expr = skip_whitespace(expr);
	52	unsigned expr_len = strlen(expr) + 2;
	53	- /* Stack of integers */
	54	- /* The proof that there can be no more than strlen(startbuf)/2+1
	55	- * integers in any given correct or incorrect expression
	56	- * is left as an exercise to the reader. */
	57	+ /* Stack of integers/names */
	58	+ /* There can be no more than strlen(startbuf)/2+1
	59	+ * integers/names in any given correct or incorrect expression.
	60	+ * (modulo "09v09v09v09v09v" case,
	61	+ * but we have code to detect that early)
	62	+ */
	63	var_or_num_t const numstack = alloca((expr_len / 2) sizeof(numstack[0]));
	64	var_or_num_t *numstackptr = numstack;
	65	/* Stack of operator tokens */
	66	@@ -657,6 +681,13 @@ evaluate_string(arith_state_t math_state, const char expr)
	67	numstackptr->var = NULL;
	68	errno = 0;
	69	numstackptr->val = strto_arith_t(expr, (char**) &expr);
	70	+ /* A number can't be followed by another number, or a variable name.
	71	+ * We'd catch this later anyway, but this would require numstack[]
	72	+ * to be twice as deep to handle strings where _every_ char is
	73	+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
	74	+ */
	75	+ if (isalnum(expr) \|\| expr == '_')
	76	+ goto err;
	77	if (errno)
	78	numstackptr->val = 0; /* bash compat */
	79	goto num;
	80	--
	81	2.40.1
	82