busybox: fix CVE-2022-48174

shell: avoid segfault on ${0::0/0~09J}. Closes 15216 CVE: CVE-2022-48174 Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/busybox/commit/?id=ca2afcbf42017d998ce3d6726f5ff5072a3fa853] (From OE-Core rev: a81aff7d810800ce3265422cddde26d11366d514) Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com> Signed-off-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Victor Giraud <vgiraud.opensource@witekio.com> 2025-07-01 09:06:12 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-07-07 07:42:58 -0700
commit: fee92f72e194f76e69c36f2c0e23fe54fd779251 (patch)
tree: 9831c4e88ca9058e6496939cf4cd2cb7af309de3
parent: b4562b5fca01d40057b2962bca2cc6b1f395e43e (diff)
download: poky-fee92f72e194f76e69c36f2c0e23fe54fd779251.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..8d53f2ef90
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
+From ca2afcbf42017d998ce3d6726f5ff5072a3fa853 Mon Sep 17 00:00:00 2001
+From: Octavio Galland <octavio.galland@canonical.com>
+Date: Tue, 13 Aug 2024 10:42:58 -0300
+Subject: shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+CVE: CVE-2022-48174
+Upstream-Status: Backport
+Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+diff --git a/shell/math.c b/shell/math.c
+index 76d22c9b..727c2946 100644
+--- a/shell/math.c
+++ b/shell/math.c
+@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+//     unsigned count = 0;
+//     while (*(expr = skip_whitespace(expr)) != '\0') {
+//             const char *p;
+//             if (isdigit(*expr)) {
+//                     while (isdigit(*++expr))
+//                             continue;
+//                     count++;
+//                     continue;
+//             }
+//             p = endofname(expr);
+//             if (p != expr) {
+//                     expr = p;
+//                     count++;
+//                     continue;
+//             }
+//     }
+//     return count;
+//}
+
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+        const char *errmsg;
+        const char *start_expr = expr = skip_whitespace(expr);
+        unsigned expr_len = strlen(expr) + 2;
+-       /* Stack of integers */
+-       /* The proof that there can be no more than strlen(startbuf)/2+1
+-        * integers in any given correct or incorrect expression
+-        * is left as an exercise to the reader. */
+       /* Stack of integers/names */
+       /* There can be no more than strlen(startbuf)/2+1
+        * integers/names in any given correct or incorrect expression.
+        * (modulo "09v09v09v09v09v" case,
+        * but we have code to detect that early)
+        */
+        var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+        var_or_num_t *numstackptr = numstack;
+        /* Stack of operator tokens */
+@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+                        numstackptr->var = NULL;
+                        errno = 0;
+                        numstackptr->val = strto_arith_t(expr, (char**) &expr);
+                       /* A number can't be followed by another number, or a variable name.
+                        * We'd catch this later anyway, but this would require numstack[]
+                        * to be twice as deep to handle strings where _every_ char is
+                        * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+                        */
+                       if (isalnum(*expr) || *expr == '_')
+                               goto err;
+ //bb_error_msg("val:%lld", numstackptr->val);
+                        if (errno)
+                                numstackptr->val = 0; /* bash compat */
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 42dd5f71eb..69e9555766 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
           file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
+           file://CVE-2022-48174.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
author	Victor Giraud <vgiraud.opensource@witekio.com>	2025-07-01 09:06:12 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-07-07 07:42:58 -0700
commit	fee92f72e194f76e69c36f2c0e23fe54fd779251 (patch)
tree	9831c4e88ca9058e6496939cf4cd2cb7af309de3
parent	b4562b5fca01d40057b2962bca2cc6b1f395e43e (diff)
download	poky-fee92f72e194f76e69c36f2c0e23fe54fd779251.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..8d53f2ef90 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
		1	From ca2afcbf42017d998ce3d6726f5ff5072a3fa853 Mon Sep 17 00:00:00 2001
		2	From: Octavio Galland <octavio.galland@canonical.com>
		3	Date: Tue, 13 Aug 2024 10:42:58 -0300
		4	Subject: shell: avoid segfault on ${0::0/0~09J}. Closes 15216
		5
		6	CVE: CVE-2022-48174
		7	Upstream-Status: Backport
		8	Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
		9
		10	---
		11	shell/math.c \| 39 +++++++++++++++++++++++++++++++++++----
		12	1 file changed, 35 insertions(+), 4 deletions(-)
		13
		14	diff --git a/shell/math.c b/shell/math.c
		15	index 76d22c9b..727c2946 100644
		16	--- a/shell/math.c
		17	+++ b/shell/math.c
		18	@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char nptr, char *endptr)
		19	# endif
		20	#endif
		21
		22	+//TODO: much better estimation than expr_len/2? Such as:
		23	+//static unsigned estimate_nums_and_names(const char *expr)
		24	+//{
		25	+// unsigned count = 0;
		26	+// while (*(expr = skip_whitespace(expr)) != '\0') {
		27	+// const char *p;
		28	+// if (isdigit(*expr)) {
		29	+// while (isdigit(*++expr))
		30	+// continue;
		31	+// count++;
		32	+// continue;
		33	+// }
		34	+// p = endofname(expr);
		35	+// if (p != expr) {
		36	+// expr = p;
		37	+// count++;
		38	+// continue;
		39	+// }
		40	+// }
		41	+// return count;
		42	+//}
		43	+
		44	static arith_t
		45	evaluate_string(arith_state_t math_state, const char expr)
		46	{
		47	@@ -584,10 +606,12 @@ evaluate_string(arith_state_t math_state, const char expr)
		48	const char *errmsg;
		49	const char *start_expr = expr = skip_whitespace(expr);
		50	unsigned expr_len = strlen(expr) + 2;
		51	- /* Stack of integers */
		52	- /* The proof that there can be no more than strlen(startbuf)/2+1
		53	- * integers in any given correct or incorrect expression
		54	- * is left as an exercise to the reader. */
		55	+ /* Stack of integers/names */
		56	+ /* There can be no more than strlen(startbuf)/2+1
		57	+ * integers/names in any given correct or incorrect expression.
		58	+ * (modulo "09v09v09v09v09v" case,
		59	+ * but we have code to detect that early)
		60	+ */
		61	var_or_num_t const numstack = alloca((expr_len / 2) sizeof(numstack[0]));
		62	var_or_num_t *numstackptr = numstack;
		63	/* Stack of operator tokens */
		64	@@ -652,6 +676,13 @@ evaluate_string(arith_state_t math_state, const char expr)
		65	numstackptr->var = NULL;
		66	errno = 0;
		67	numstackptr->val = strto_arith_t(expr, (char**) &expr);
		68	+ /* A number can't be followed by another number, or a variable name.
		69	+ * We'd catch this later anyway, but this would require numstack[]
		70	+ * to be twice as deep to handle strings where _every_ char is
		71	+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
		72	+ */
		73	+ if (isalnum(expr) \|\| expr == '_')
		74	+ goto err;
		75	//bb_error_msg("val:%lld", numstackptr->val);
		76	if (errno)
		77	numstackptr->val = 0; /* bash compat */
		78	--
		79	cgit v1.2.3
		80


diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 42dd5f71eb..69e9555766 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
57	file://0002-awk-fix-ternary-operator-and-precedence-of.patch \	57	file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
58	file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \	58	file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
59	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \	59	file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
		60	file://CVE-2022-48174.patch \
60	"	61	"
61	SRC_URI:append:libc-musl = " file://musl.cfg "	62	SRC_URI:append:libc-musl = " file://musl.cfg "
62	# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html	63	# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html