Diffstat (limited to 'meta/recipes-core/busybox/busybox')
-rw-r--r--meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch51
-rw-r--r--meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch38
-rw-r--r--meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch81
-rw-r--r--meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch64
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42374.patch53
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42376.patch138
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2022-48174.patch82
7 files changed, 507 insertions, 0 deletions
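diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..b75f0907e7
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,51 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Comment: One hunk from this patch is removed as it was not relevant.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+Signed-off-by: Akash Hadke <Akash.Hadke@kpit.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;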
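Review bot: The retained hunk in huft_free adds ten lines and deletes none, yet the patch header (`12 ++++++++++--` and `10 insertions(+), 2 deletions(-)`) still describes the original two-hunk upstream commit; git apply ignores the diffstat so nothing breaks, but it misleads anyone auditing the backport, and regenerating the stat for the single hunk or extending the `Comment:` line to say the stat is stale would keep the file self-consistent. If the dropped hunk was the one that removed `BAD_HUFT`/`ERR_RET` from their original position further down decompress_gunzip.c, the file now carries both definitions; that is legal only while they stay token-identical, so it is worth confirming. The guard itself is sound as far as the hunk shows: clearing the low bit restores the pointer huft_build tagged, and the existing loop then walks it. huft_free's body continues past the end of the hunk.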
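diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..18bf5f19e4
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,38 @@
+From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index eb2871cb1..b5520bb21 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+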
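Review bot: Only the `IGNORE_PORT` return and the final `%s:%s` return are wrapped in printable_string; the IPv6 branch that opens at the end of the first hunk (`if (strchr(host, ':'))`) returns `host` from the lines that fall between the two hunks and are not shown here, so presumably that return still emits the raw buffer. The ':' test is a heuristic for "numeric address, not a resolved name", and nothing in the hunk guarantees a reverse-lookup result is free of both ':' and control characters, so the same `printable_string(host)` wrapping belongs on that return as well. `serv` can stay unwrapped only if the getnameinfo call above the hunk passes NI_NUMERICSERV, which is outside the visible lines and worth confirming. Both hunks start and end inside sockaddr2str.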
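diff --git a/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
new file mode 100644
index 0000000000..4a1960dff2
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
@@ -0,0 +1,81 @@
+From ceb378209f953ea745ed93a8645567196380ce3c Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Thu, 24 Jun 2021 19:13:22 +0200
+Subject: [PATCH] mktemp: add tmpdir option
+
+Make mktemp more compatible with coreutils.
+- add "--tmpdir" option
+- add long variants for "d,q,u" options
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2021-June/088932.html]
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ coreutils/mktemp.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/coreutils/mktemp.c b/coreutils/mktemp.c
+index 5393320a5..05c6d98c6 100644
+--- a/coreutils/mktemp.c
++++ b/coreutils/mktemp.c
+@@ -39,16 +39,17 @@
+ //kbuild:lib-$(CONFIG_MKTEMP) += mktemp.o
+
+ //usage:#define mktemp_trivial_usage
+-//usage: "[-dt] [-p DIR] [TEMPLATE]"
++//usage: "[-dt] [-p DIR, --tmpdir[=DIR]] [TEMPLATE]"
+ //usage:#define mktemp_full_usage "\n\n"
+ //usage: "Create a temporary file with name based on TEMPLATE and print its name.\n"
+ //usage: "TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).\n"
+ //usage: "Without TEMPLATE, -t tmp.XXXXXX is assumed.\n"
+-//usage: "\n -d Make directory, not file"
+-//usage: "\n -q Fail silently on errors"
+-//usage: "\n -t Prepend base directory name to TEMPLATE"
+-//usage: "\n -p DIR Use DIR as a base directory (implies -t)"
+-//usage: "\n -u Do not create anything; print a name"
++//usage: "\n -d Make directory, not file"
++//usage: "\n -q Fail silently on errors"
++//usage: "\n -t Prepend base directory name to TEMPLATE"
++//usage: "\n -p DIR, --tmpdir[=DIR] Use DIR as a base directory (implies -t)"
++//usage: "\n For --tmpdir is a optional one."
++//usage: "\n -u Do not create anything; print a name"
+ //usage: "\n"
+ //usage: "\nBase directory is: -p DIR, else $TMPDIR, else /tmp"
+ //usage:
+@@ -72,13 +73,22 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ OPT_t = 1 << 2,
+ OPT_p = 1 << 3,
+ OPT_u = 1 << 4,
++ OPT_td = 1 << 5,
+ };
+
+ path = getenv("TMPDIR");
+ if (!path || path[0] == '\0')
+ path = "/tmp";
+
+- opts = getopt32(argv, "^" "dqtp:u" "\0" "?1"/*1 arg max*/, &path);
++ opts = getopt32long(argv, "^"
++ "dqtp:u\0"
++ "?1" /* 1 arg max */,
++ "directory\0" No_argument "d"
++ "quiet\0" No_argument "q"
++ "dry-run\0" No_argument "u"
++ "tmpdir\0" Optional_argument "\xff"
++ , &path, &path
++ );
+
+ chp = argv[optind];
+ if (!chp) {
+@@ -95,7 +105,7 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ goto error;
+ }
+ #endif
+- if (opts & (OPT_t|OPT_p))
++ if (opts & (OPT_t|OPT_p|OPT_td))
+ chp = concat_path_file(path, chp);
+
+ if (opts & OPT_u) {
+--
+2.11.0
+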
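Review bot: The new usage line `"\n For --tmpdir is a optional one."` is ungrammatical, and since the help text is a runtime string it ships to users as written; `"\n DIR is optional for --tmpdir (default: $TMPDIR, else /tmp)"` states the behaviour the existing "Base directory is" line already documents. The getopt32long call passes `&path` twice, so `-p DIR` and `--tmpdir=DIR` write the same variable and whichever comes last wins; a one-line comment beside `, &path, &path` would make that aliasing look deliberate. What `path` holds after a bare `--tmpdir` with no value depends on how getopt32long treats Optional_argument without an optarg and on how concat_path_file treats a NULL or empty base, neither of which is visible here; a testsuite case for `mktemp --tmpdir` alone would pin that down, since losing the `$TMPDIR`/`/tmp` default would relocate the created file. mktemp_main starts before the second hunk and ends after the third.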
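diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..2c9da33a51
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,64 @@
+From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of
+SRV records was added only in newer 1.32.0 with:
+ commit 6b4960155e94076bf25518e4e268a7a5f849308e
+ Author: Jo-Philipp Wich <jo@mein.io>
+ Date: Thu Jun 27 17:27:29 2019 +0200
+
+ nslookup: implement support for SRV records
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ networking/nslookup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 24e09d4f0..89b9c8a13 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));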
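Review bot: In the four printf calls only `dname` is wrapped; the `ns_rr_name(rr)` argument printed beside it in the first three also comes straight from the reply. On glibc that string is presumably produced by the resolver's name-to-text routine, which escapes non-printable bytes as `\DDD`, so it is likely safe there, but that is a libc property nslookup does not control; wrapping it as well, e.g. `printf(format, printable_string(ns_rr_name(rr)), printable_string(dname));`, removes the dependency, and if I recall correctly printable_string rotates its converted output through a small set of saved buffers, so two calls inside one printf are fine as long as the pointers are not held across later calls. The TXT case is the one that most needs the change, since it copies `n` raw rdata bytes into `dname` with memcpy; `n` is bounded outside the hunk, so the buffer-size relation is worth a glance. parse_reply continues outside all four hunks.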
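diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
new file mode 100644
index 0000000000..aef8a3db85
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
@@ -0,0 +1,53 @@
+From 04f052c56ded5ab6a904e3a264a73dc0412b2e78 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 15:07:57 +0200
+Subject: [PATCH] unlzma: fix a case where we could read before beginning of
+ buffer
+Cc: pavel@zhukoff.net
+
+Testcase:
+
+ 21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
+ 00 17 02 10 11 0f ff 00 16 00 00
+
+Unfortunately, the bug is not reliably causing a segfault,
+the behavior depends on what's in memory before the buffer.
+
+function old new delta
+unpack_lzma_stream 2762 2768 +6
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
+
+CVE: CVE-2021-42374
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?h=1_33_stable&id=d326be2850ea2bd78fe2c22d6c45c3b861d82937]
+Comment: testdata dropped because of binary format
+
+---
+ archival/libarchive/decompress_unlzma.c | 5 ++++-
+ testsuite/unlzma.tests | 17 +++++++++++++----
+ testsuite/unlzma_issue_3.lzma | Bin 0 -> 27 bytes
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+ create mode 100644 testsuite/unlzma_issue_3.lzma
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 0744f231a1d64d92676b0cada2342f88f3b39b31..fb5aac8fe9ea0c53e0c2d7a7cbd05a753e39bc9d 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ uint32_t pos;
+
+ pos = buffer_pos - rep0;
+- if ((int32_t)pos < 0)
++ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ if ((int32_t)pos < 0)
++ goto bad;
++ }
+ match_byte = buffer[pos];
+ do {
+ int bit;
+--
+2.34.0
+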
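Review bot: The added guard only rejects `pos` when it is still negative as an int32_t after `header.dict_size` is added, so a `rep0` large enough to leave `pos` non-negative but at or beyond the end of the dictionary buffer would pass the test and still index `buffer[pos]` out of range; whether `rep0` is bounded below 2^31 earlier in unpack_lzma_stream cannot be seen from this hunk. From memory, the match-copy loop later in the same function checks the same wrapped `pos` against the buffer's allocated size rather than its sign — verify against the file — and using that form here, `if (pos >= buffer_size) goto bad;` in place of the second sign test, would cover both the underflow and the overrun uniformly. The patch header still lists the two testsuite files (`3 files changed`) although the `Comment:` line says they were dropped; git apply does not read the diffstat, but trimming it keeps the file honest. unpack_lzma_stream starts and ends outside the hunk.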
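diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
new file mode 100644
index 0000000000..c913eaee9c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
@@ -0,0 +1,138 @@
+From 56a335378ac100d51c30b21eee499a2effa37fba Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 16:05:57 +0200
+Subject: hush: fix handling of \^C and "^C"
+
+function old new delta
+parse_stream 2238 2252 +14
+encode_string 243 256 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0) Total: 27 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit 1b7a9b68d0e9aa19147d7fda16eb9a6b54156985)
+
+Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
+
+CVE: CVE-2021-42376
+Upstream-Status: Backport [https://git.busybox.net/busybox/patch/?id=56a335378ac100d51c30b21eee499a2effa37fba]
+Comment: No changes in any hunk
+---
+ shell/ash_test/ash-misc/control_char3.right | 1 +
+ shell/ash_test/ash-misc/control_char3.tests | 2 ++
+ shell/ash_test/ash-misc/control_char4.right | 1 +
+ shell/ash_test/ash-misc/control_char4.tests | 2 ++
+ shell/hush.c | 11 +++++++++++
+ shell/hush_test/hush-misc/control_char3.right | 1 +
+ shell/hush_test/hush-misc/control_char3.tests | 2 ++
+ shell/hush_test/hush-misc/control_char4.right | 1 +
+ shell/hush_test/hush-misc/control_char4.tests | 2 ++
+ 9 files changed, 23 insertions(+)
+ create mode 100644 shell/ash_test/ash-misc/control_char3.right
+ create mode 100755 shell/ash_test/ash-misc/control_char3.tests
+ create mode 100644 shell/ash_test/ash-misc/control_char4.right
+ create mode 100755 shell/ash_test/ash-misc/control_char4.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char3.right
+ create mode 100755 shell/hush_test/hush-misc/control_char3.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char4.right
+ create mode 100755 shell/hush_test/hush-misc/control_char4.tests
+
+diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
+new file mode 100644
+index 000000000..283e02cbb
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.right
+@@ -0,0 +1 @@
++SHELL: line 1: : not found
+diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
+new file mode 100644
+index 000000000..2bf18e684
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.right
+@@ -0,0 +1 @@
++SHELL: line 1: -: not found
+diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+diff --git a/shell/hush.c b/shell/hush.c
+index 9fead37da..249728b9d 100644
+--- a/shell/hush.c
++++ b/shell/hush.c
+@@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string,
+ }
+ #endif
+ o_addQchr(dest, ch);
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ /* Convert "^C" to corresponding special variable reference */
++ o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
++ o_addchr(dest, SPECIAL_VAR_SYMBOL);
++ }
+ goto again;
+ #undef as_string
+ }
+@@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring,
+ if (ch == '\n')
+ continue; /* drop \<newline>, get next char */
+ nommu_addchr(&ctx.as_string, '\\');
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ nommu_addchr(&ctx.as_string, ch);
++ /* Convert \^C to corresponding special variable reference */
++ goto case_SPECIAL_VAR_SYMBOL;
++ }
+ o_addchr(&ctx.word, '\\');
+ if (ch == EOF) {
+ /* Testcase: eval 'echo Ok\' */
+@@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring,
+ /* Note: nommu_addchr(&ctx.as_string, ch) is already done */
+
+ switch (ch) {
++ case_SPECIAL_VAR_SYMBOL:
+ case SPECIAL_VAR_SYMBOL:
+ /* Convert raw ^C to corresponding special variable reference */
+ o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
+diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
+new file mode 100644
+index 000000000..94b4f8699
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.right
+@@ -0,0 +1 @@
++hush: can't execute '': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
+new file mode 100644
+index 000000000..698e21427
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.right
+@@ -0,0 +1 @@
++hush: can't execute '-': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+--
+cgit v1.2.3
+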
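Review bot: `case_SPECIAL_VAR_SYMBOL:` in the third hush.c hunk is a plain goto label sitting directly above a `case` label, and its name makes it read as a second case; a comment at the label, `/* goto target: reached from the backslash handler when the escaped char is ^C */`, would stop a reader from hunting for a missing `case` keyword. The jump originates in the second hunk after `nommu_addchr(&ctx.as_string, ch)` has already run, which matches the note at the top of the switch that the as_string update is already done, so the ordering is consistent. The ash testcases are added with no ash.c change, presumably because ash already handled these inputs; saying so in the `Comment:` line would save the next backporter from re-checking. encode_string and parse_stream both start and end outside their hunks.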
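diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+ goto num;
+--
+2.40.1
+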
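Review bot: The new check `if (isalnum(*expr) || *expr == '_')` hands a plain `char` to isalnum; if that name resolves to the libc macro rather than a busybox-local redefinition, a byte with the high bit set (UTF-8 in the expression) arrives as a negative int, which is undefined behaviour for the ctype functions — `isalnum((unsigned char)*expr)` is the portable spelling, unless libbb is known to redefine isalnum safely, which is outside this file. The comment above the alloca now says the `09v09v` case is detected early, and this hunk is that detection; a short cross-reference there, e.g. `/* see the isalnum check right after strto_arith_t */`, ties the stack-depth bound to the code that enforces it. The commented-out estimate_nums_and_names block is dead code kept under a TODO; if it stays, one line saying why `expr_len / 2` remains sufficient after this fix would justify keeping it. evaluate_string's body continues outside the hunks.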