| author | Peter Marko <peter.marko@siemens.com> | 2024-07-12 23:38:53 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-07-13 23:28:31 +0100 |
| commit | 700febff616db30152d7728c6f465d88701941de (patch) | |
| tree | f79cd101327bc705673dec2b71662118775de07d /meta | |
| parent | c63b8f28ac52047fad689b78d605aa792baf1ad8 (diff) | |
busybox: Patch CVE-2021-42380
Backport patch for CVE-2021-42380.
Additionally backport the fix for the clang regression caused by this patch.
(From OE-Core rev: 66543769ff79d81508bb703bd2fc34871a16e2c7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
3 files changed, 194 insertions, 0 deletions
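--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-awk-fix-segfault-when-compiled-by-clang.patch
@@ -0,0 +1,41 @@
+From e1a68741067167dc4837e0a26d3d5c318a631fc7 Mon Sep 17 00:00:00 2001
+From: Ron Yorston <rmy@pobox.com>
+Date: Fri, 19 Jan 2024 15:41:17 +0000
+Subject: [PATCH] awk: fix segfault when compiled by clang
+
+A 32-bit build of BusyBox using clang segfaulted in the test
+"awk assign while assign". Specifically, on line 7 of the test
+input where the adjustment of the L.v pointer when the Fields
+array was reallocated
+
+L.v += Fields - old_Fields_ptr;
+
+was out by 4 bytes.
+
+Rearrange to code so both gcc and clang generate code that works.
+
+Signed-off-by: Ron Yorston <rmy@pobox.com>
+Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=5dcc443dba039b305a510c01883e9f34e42656ae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+editors/awk.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index aa485c782..0981c6735 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -2935,7 +2935,7 @@ static var *evaluate(node *op, var *res)
+if (old_Fields_ptr) {
+//if (old_Fields_ptr != Fields)
+// debug_printf_eval("L.v moved\n");
+- L.v += Fields - old_Fields_ptr;
++ L.v = Fields + (L.v - old_Fields_ptr);
+}
+if (opinfo & OF_STR2) {
+R.s = getvar_s(R.v);
+--
+2.30.2
+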
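Review bot: The `Upstream-Status` line in this patch header cites commit `5dcc443dba039b305a510c01883e9f34e42656ae`, which is the id on the `From` line of CVE-2021-42380.patch rather than this patch's own `From` id, `e1a68741067167dc4837e0a26d3d5c318a631fc7`. If that second id is the upstream BusyBox commit (it appears to be the format-patch hash, but this should be confirmed against the upstream tree), the header should read `Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=e1a68741067167dc4837e0a26d3d5c318a631fc7]`. A wrong reference makes the regression fix hard to trace when the backport is audited or rebased. The code change is a single statement inside `evaluate()`, whose body starts and ends outside the hunk.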
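--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
@@ -0,0 +1,151 @@
+From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 May 2023 19:36:58 +0200
+Subject: [PATCH] awk: fix use-after-realloc (CVE-2021-42380), closes 15601
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2021-42380
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=5dcc443dba039b305a510c01883e9f34e42656ae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+editors/awk.c | 26 ++++++++++++++++-----
+testsuite/awk.tests | 55 +++++++++++++++++++++++++++++++++++++++++++++
+2 files changed, 75 insertions(+), 6 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 728ee8685..2af823808 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -555,7 +555,7 @@ struct globals {
+const char *g_progname;
+int g_lineno;
+int nfields;
+- int maxfields; /* used in fsrealloc() only */
++ unsigned maxfields;
+var *Fields;
+char *g_pos;
+char g_saved_ch;
+@@ -1931,9 +1931,9 @@ static void fsrealloc(int size)
+{
+int i, newsize;
+
+- if (size >= maxfields) {
+- /* Sanity cap, easier than catering for overflows */
+- if (size > 0xffffff)
++ if ((unsigned)size >= maxfields) {
++ /* Sanity cap, easier than catering for over/underflows */
++ if ((unsigned)size > 0xffffff)
+bb_die_memory_exhausted();
+
+i = maxfields;
+@@ -2891,6 +2891,7 @@ static var *evaluate(node *op, var *res)
+uint32_t opinfo;
+int opn;
+node *op1;
++ var *old_Fields_ptr;
+
+opinfo = op->info;
+opn = (opinfo & OPNMASK);
+@@ -2899,10 +2900,16 @@ static var *evaluate(node *op, var *res)
+debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
+
+/* execute inevitable things */
++ old_Fields_ptr = NULL;
+if (opinfo & OF_RES1) {
+if ((opinfo & OF_REQUIRED) && !op1)
+syntax_error(EMSG_TOO_FEW_ARGS);
+L.v = evaluate(op1, TMPVAR0);
++ /* Does L.v point to $n variable? */
++ if ((size_t)(L.v - Fields) < maxfields) {
++ /* yes, remember where Fields[] is */
++ old_Fields_ptr = Fields;
++ }
+if (opinfo & OF_STR1) {
+L.s = getvar_s(L.v);
+debug_printf_eval("L.s:'%s'\n", L.s);
+@@ -2921,8 +2928,15 @@ static var *evaluate(node *op, var *res)
+*/
+if (opinfo & OF_RES2) {
+R.v = evaluate(op->r.n, TMPVAR1);
+- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
+- //L.v = NULL;
++ /* Seen in $5=$$5=$0:
++ * Evaluation of R.v ($$5=$0 expression)
++ * made L.v ($5) invalid. It's detected here.
++ */
++ if (old_Fields_ptr) {
++ //if (old_Fields_ptr != Fields)
++ // debug_printf_eval("L.v moved\n");
++ L.v += Fields - old_Fields_ptr;
++ }
+if (opinfo & OF_STR2) {
+R.s = getvar_s(R.v);
+debug_printf_eval("R.s:'%s'\n", R.s);
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index bbf0fbff1..ddc51047b 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -485,4 +485,59 @@ testing 'awk assign while test' \
+"" \
+"foo"
+
++# User-supplied bug (SEGV) example, was causing use-after-realloc
++testing 'awk assign while assign' \
++ "awk '\$5=\$\$5=\$0'; echo \$?" \
++ "\
++─ process timing ────────────────────────────────────┬─ ─ process timing ────────────────────────────────────┬─ overall results ────┐ results ────┐
++│ run time : │ run time : 0 days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │ days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │
++│ last new find │ last new find : 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │ 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │
++│last saved crash : │last saved crash : none seen yet │saved crashes : 0 │ seen yet │saved crashes : 0 │
++│ last saved hang │ last saved hang : none seen yet │ saved hangs : 0 │ none seen yet │ saved hangs : 0 │
++├─ cycle progress ─────────────────────┬─ ├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤ coverage┴──────────────────────┤
++│ now processing : │ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │ (88.5%) │ map density : 0.30% / 0.52% │ │ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │
++│ runs timed out │ runs timed out : 0 (0.00%) │ count coverage : 2.18 bits/tuple │ 0 (0.00%) │ count coverage : 2.18 bits/tuple │
++├─ stage progress ─────────────────────┼─ ├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤ in depth ─────────────────┤
++│ now trying : │ now trying : havoc │ favored items : 43 (20.67%) │ │ favored items : 43 (20.67%) │
++│ stage execs : │ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │ (8.51%) │ new edges on │ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │ 52 (25.00%) │
++│ total execs : │ total execs : 179k │ total crashes : 0 (0 saved) │ │ total crashes : 0 (0 saved) │ │ total execs : 179k │ total crashes : 0 (0 saved) │
++│ exec speed : │ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │ │ total tmouts : 0 (0 saved) │ │ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │
++├─ fuzzing strategy yields ├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤ item geometry ───────┤
++│ bit flips : │ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │ 4/638, 5/618 │ levels : │ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │ │
++│ byte flips : │ byte flips : 0/81, 0/71, 0/52 │ pending : 199 │ 0/71, 0/52 │ pending : 199 │
++│ arithmetics : 11/4494, │ arithmetics : 11/4494, 0/1153, 0/0 │ pend fav : 35 │ 0/0 │ pend fav : 35 │
++│ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │ known ints : │ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │ 0/1986, 0/2288 │ own finds : 207 │
++│ dictionary : 0/0, │ dictionary : 0/0, 0/0, 0/0, 0/0 │ imported : 0 │ 0/0, 0/0 │ imported : 0 │
++│havoc/splice : 142/146k, 23/7616 │havoc/splice : 142/146k, 23/7616 │ stability : 100.00% │ stability : 100.00% │
++│py/custom/rq : unused, unused, │py/custom/rq : unused, unused, unused, unused ├───────────────────────┘ unused ├───────────────────────┘
++│ trim/eff : 57.02%/26, │ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%] │ [cpu000:100%]
++└────────────────────────────────────────────────────┘^C └────────────────────────────────────────────────────┘^C
++0
++" \
++ "" \
++ "\
++─ process timing ────────────────────────────────────┬─ overall results ────┐
++│ run time : 0 days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │
++│ last new find : 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │
++│last saved crash : none seen yet │saved crashes : 0 │
++│ last saved hang : none seen yet │ saved hangs : 0 │
++├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
++│ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │
++│ runs timed out : 0 (0.00%) │ count coverage : 2.18 bits/tuple │
++├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
++│ now trying : havoc │ favored items : 43 (20.67%) │
++│ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │
++│ total execs : 179k │ total crashes : 0 (0 saved) │
++│ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │
++├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
++│ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │
++│ byte flips : 0/81, 0/71, 0/52 │ pending : 199 │
++│ arithmetics : 11/4494, 0/1153, 0/0 │ pend fav : 35 │
++│ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │
++│ dictionary : 0/0, 0/0, 0/0, 0/0 │ imported : 0 │
++│havoc/splice : 142/146k, 23/7616 │ stability : 100.00% │
++│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
++│ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%]
++└────────────────────────────────────────────────────┘^C"
++
+exit $FAILCOUNT
+--
+2.30.2
+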
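Review bot: The `$n` fix-up added to `evaluate()` after `R.v = evaluate(op->r.n, TMPVAR1)` still does arithmetic on pointer values that refer to the old `Fields[]` block, which the right-hand evaluation may already have reallocated. That holds for `L.v += Fields - old_Fields_ptr;` here and for the rearranged `L.v = Fields + (L.v - old_Fields_ptr);` in the follow-up clang patch. C leaves such values indeterminate once the storage is released, and the clang miscompile shows that optimizers do treat this code differently. Recording the element index where the membership test is made, `fields_idx = L.v - Fields;`, and rebasing afterwards with `L.v = Fields + fields_idx;` would avoid reading stale pointers. Because this is a backport, that change is better proposed upstream than carried as a local divergence. Only parts of `evaluate()` are visible in these hunks.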
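--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -49,6 +49,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
 file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
 file://start-stop-false.patch \
+file://CVE-2021-42380.patch \
+file://0001-awk-fix-segfault-when-compiled-by-clang.patch \
 "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html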
