summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2024-07-18 19:41:21 +0200
committerSteve Sakoman <steve@sakoman.com>2024-07-24 07:51:58 -0700
commit3242d8234d4378ae756771294a742bb405d42ff6 (patch)
tree6e2161c32abf46d10ad6f4af327d8bdf0ec7ab32 /meta
parent6d58d0c4a2f55ff3baca954d330b9f70cea8c7dc (diff)
downloadpoky-3242d8234d4378ae756771294a742bb405d42ff6.tar.gz
busybox: Patch CVE-2021-42380
Backport patch for CVE-2021-42380. Move if before patch for CVE-2023-42363 because they touch the same code and they are in this order in git history so we avoid fuzz modifications. This will remove fuzz modifications from CVE-2023-42363 and both will apply cleanly without modifications (except line number changes and the first one also has little fuzz fix in tests). This will also make it equal to master/scarthgap patch order/content. (From OE-Core rev: af3c8ff64054e131b009545883cb87454ce04b64) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42380.patch151
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2023-42363.patch11
-rw-r--r--meta/recipes-core/busybox/busybox_1.35.0.bb1
3 files changed, 158 insertions, 5 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
new file mode 100644
index 0000000000..f40fe582c5
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
@@ -0,0 +1,151 @@
1From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Fri, 26 May 2023 19:36:58 +0200
4Subject: [PATCH] awk: fix use-after-realloc (CVE-2021-42380), closes 15601
5
6Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
7
8CVE: CVE-2021-42380
9Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=5dcc443dba039b305a510c01883e9f34e42656ae]
10Signed-off-by: Peter Marko <peter.marko@siemens.com>
11---
12 editors/awk.c | 26 ++++++++++++++++-----
13 testsuite/awk.tests | 55 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 75 insertions(+), 6 deletions(-)
15
16diff --git a/editors/awk.c b/editors/awk.c
17index 728ee8685..2af823808 100644
18--- a/editors/awk.c
19+++ b/editors/awk.c
20@@ -555,7 +555,7 @@ struct globals {
21 const char *g_progname;
22 int g_lineno;
23 int nfields;
24- int maxfields; /* used in fsrealloc() only */
25+ unsigned maxfields;
26 var *Fields;
27 char *g_pos;
28 char g_saved_ch;
29@@ -1917,9 +1917,9 @@ static void fsrealloc(int size)
30 {
31 int i, newsize;
32
33- if (size >= maxfields) {
34- /* Sanity cap, easier than catering for overflows */
35- if (size > 0xffffff)
36+ if ((unsigned)size >= maxfields) {
37+ /* Sanity cap, easier than catering for over/underflows */
38+ if ((unsigned)size > 0xffffff)
39 bb_die_memory_exhausted();
40
41 i = maxfields;
42@@ -2877,6 +2877,7 @@ static var *evaluate(node *op, var *res)
43 uint32_t opinfo;
44 int opn;
45 node *op1;
46+ var *old_Fields_ptr;
47
48 opinfo = op->info;
49 opn = (opinfo & OPNMASK);
50@@ -2885,10 +2886,16 @@ static var *evaluate(node *op, var *res)
51 debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
52
53 /* execute inevitable things */
54+ old_Fields_ptr = NULL;
55 if (opinfo & OF_RES1) {
56 if ((opinfo & OF_REQUIRED) && !op1)
57 syntax_error(EMSG_TOO_FEW_ARGS);
58 L.v = evaluate(op1, TMPVAR0);
59+ /* Does L.v point to $n variable? */
60+ if ((size_t)(L.v - Fields) < maxfields) {
61+ /* yes, remember where Fields[] is */
62+ old_Fields_ptr = Fields;
63+ }
64 if (opinfo & OF_STR1) {
65 L.s = getvar_s(L.v);
66 debug_printf_eval("L.s:'%s'\n", L.s);
67@@ -2907,8 +2914,15 @@ static var *evaluate(node *op, var *res)
68 */
69 if (opinfo & OF_RES2) {
70 R.v = evaluate(op->r.n, TMPVAR1);
71- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
72- //L.v = NULL;
73+ /* Seen in $5=$$5=$0:
74+ * Evaluation of R.v ($$5=$0 expression)
75+ * made L.v ($5) invalid. It's detected here.
76+ */
77+ if (old_Fields_ptr) {
78+ //if (old_Fields_ptr != Fields)
79+ // debug_printf_eval("L.v moved\n");
80+ L.v += Fields - old_Fields_ptr;
81+ }
82 if (opinfo & OF_STR2) {
83 R.s = getvar_s(R.v);
84 debug_printf_eval("R.s:'%s'\n", R.s);
85diff --git a/testsuite/awk.tests b/testsuite/awk.tests
86index bcaafe8..08afdb2 100755
87--- a/testsuite/awk.tests
88+++ b/testsuite/awk.tests
89@@ -469,4 +469,59 @@ testing 'awk printf %% prints one %' \
90 "%\n" \
91 '' ''
92
93+# User-supplied bug (SEGV) example, was causing use-after-realloc
94+testing 'awk assign while assign' \
95+ "awk '\$5=\$\$5=\$0'; echo \$?" \
96+ "\
97+─ process timing ────────────────────────────────────┬─ ─ process timing ────────────────────────────────────┬─ overall results ────┐ results ────┐
98+│ run time : │ run time : 0 days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │ days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │
99+│ last new find │ last new find : 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │ 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │
100+│last saved crash : │last saved crash : none seen yet │saved crashes : 0 │ seen yet │saved crashes : 0 │
101+│ last saved hang │ last saved hang : none seen yet │ saved hangs : 0 │ none seen yet │ saved hangs : 0 │
102+├─ cycle progress ─────────────────────┬─ ├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤ coverage┴──────────────────────┤
103+│ now processing : │ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │ (88.5%) │ map density : 0.30% / 0.52% │ │ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │
104+│ runs timed out │ runs timed out : 0 (0.00%) │ count coverage : 2.18 bits/tuple │ 0 (0.00%) │ count coverage : 2.18 bits/tuple │
105+├─ stage progress ─────────────────────┼─ ├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤ in depth ─────────────────┤
106+│ now trying : │ now trying : havoc │ favored items : 43 (20.67%) │ │ favored items : 43 (20.67%) │
107+│ stage execs : │ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │ (8.51%) │ new edges on │ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │ 52 (25.00%) │
108+│ total execs : │ total execs : 179k │ total crashes : 0 (0 saved) │ │ total crashes : 0 (0 saved) │ │ total execs : 179k │ total crashes : 0 (0 saved) │
109+│ exec speed : │ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │ │ total tmouts : 0 (0 saved) │ │ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │
110+├─ fuzzing strategy yields ├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤ item geometry ───────┤
111+│ bit flips : │ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │ 4/638, 5/618 │ levels : │ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │ │
112+│ byte flips : │ byte flips : 0/81, 0/71, 0/52 │ pending : 199 │ 0/71, 0/52 │ pending : 199 │
113+│ arithmetics : 11/4494, │ arithmetics : 11/4494, 0/1153, 0/0 │ pend fav : 35 │ 0/0 │ pend fav : 35 │
114+│ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │ known ints : │ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │ 0/1986, 0/2288 │ own finds : 207 │
115+│ dictionary : 0/0, │ dictionary : 0/0, 0/0, 0/0, 0/0 │ imported : 0 │ 0/0, 0/0 │ imported : 0 │
116+│havoc/splice : 142/146k, 23/7616 │havoc/splice : 142/146k, 23/7616 │ stability : 100.00% │ stability : 100.00% │
117+│py/custom/rq : unused, unused, │py/custom/rq : unused, unused, unused, unused ├───────────────────────┘ unused ├───────────────────────┘
118+│ trim/eff : 57.02%/26, │ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%] │ [cpu000:100%]
119+└────────────────────────────────────────────────────┘^C └────────────────────────────────────────────────────┘^C
120+0
121+" \
122+ "" \
123+ "\
124+─ process timing ────────────────────────────────────┬─ overall results ────┐
125+│ run time : 0 days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │
126+│ last new find : 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │
127+│last saved crash : none seen yet │saved crashes : 0 │
128+│ last saved hang : none seen yet │ saved hangs : 0 │
129+├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
130+│ now processing : 184.1 (88.5%) │ map density : 0.30% / 0.52% │
131+│ runs timed out : 0 (0.00%) │ count coverage : 2.18 bits/tuple │
132+├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
133+│ now trying : havoc │ favored items : 43 (20.67%) │
134+│ stage execs : 11.2k/131k (8.51%) │ new edges on : 52 (25.00%) │
135+│ total execs : 179k │ total crashes : 0 (0 saved) │
136+│ exec speed : 3143/sec │ total tmouts : 0 (0 saved) │
137+├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
138+│ bit flips : 11/648, 4/638, 5/618 │ levels : 4 │
139+│ byte flips : 0/81, 0/71, 0/52 │ pending : 199 │
140+│ arithmetics : 11/4494, 0/1153, 0/0 │ pend fav : 35 │
141+│ known ints : 1/448, 0/1986, 0/2288 │ own finds : 207 │
142+│ dictionary : 0/0, 0/0, 0/0, 0/0 │ imported : 0 │
143+│havoc/splice : 142/146k, 23/7616 │ stability : 100.00% │
144+│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
145+│ trim/eff : 57.02%/26, 0.00% │ [cpu000:100%]
146+└────────────────────────────────────────────────────┘^C"
147+
148 exit $FAILCOUNT
149--
1502.30.2
151
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
index b401a6e3e5..08e41415df 100644
--- a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
+++ b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
@@ -14,6 +14,7 @@ Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
14Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa] 14Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa]
15CVE: CVE-2023-42363 15CVE: CVE-2023-42363
16Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> 16Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
17Signed-off-by: Peter Marko <peter.marko@siemens.com>
17--- 18---
18 editors/awk.c | 21 +++++++++++++-------- 19 editors/awk.c | 21 +++++++++++++--------
19 1 file changed, 13 insertions(+), 8 deletions(-) 20 1 file changed, 13 insertions(+), 8 deletions(-)
@@ -22,10 +23,10 @@ diff --git a/editors/awk.c b/editors/awk.c
22index 654cbac..4fbc11d 100644 23index 654cbac..4fbc11d 100644
23--- a/editors/awk.c 24--- a/editors/awk.c
24+++ b/editors/awk.c 25+++ b/editors/awk.c
25@@ -2889,19 +2889,14 @@ static var *evaluate(node *op, var *res) 26@@ -2896,19 +2896,14 @@ static var *evaluate(node *op, var *res)
26 if ((opinfo & OF_REQUIRED) && !op1) 27 /* yes, remember where Fields[] is */
27 syntax_error(EMSG_TOO_FEW_ARGS); 28 old_Fields_ptr = Fields;
28 L.v = evaluate(op1, TMPVAR0); 29 }
29- if (opinfo & OF_STR1) { 30- if (opinfo & OF_STR1) {
30- L.s = getvar_s(L.v); 31- L.s = getvar_s(L.v);
31- debug_printf_eval("L.s:'%s'\n", L.s); 32- debug_printf_eval("L.s:'%s'\n", L.s);
@@ -45,7 +46,7 @@ index 654cbac..4fbc11d 100644
45 * R.v points to Fields[NNN2] but L.v now points to freed mem! 46 * R.v points to Fields[NNN2] but L.v now points to freed mem!
46 * (Seen trying to evaluate "$444 $44444") 47 * (Seen trying to evaluate "$444 $44444")
47 */ 48 */
48@@ -2914,6 +2909,16 @@ static var *evaluate(node *op, var *res) 49@@ -2928,6 +2923,16 @@ static var *evaluate(node *op, var *res)
49 debug_printf_eval("R.s:'%s'\n", R.s); 50 debug_printf_eval("R.s:'%s'\n", R.s);
50 } 51 }
51 } 52 }
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index 842562c4c4..1c7fe2f43e 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
52 file://CVE-2022-30065.patch \ 52 file://CVE-2022-30065.patch \
53 file://0001-devmem-add-128-bit-width.patch \ 53 file://0001-devmem-add-128-bit-width.patch \
54 file://CVE-2022-48174.patch \ 54 file://CVE-2022-48174.patch \
55 file://CVE-2021-42380.patch \
55 file://CVE-2023-42363.patch \ 56 file://CVE-2023-42363.patch \
56 " 57 "
57SRC_URI:append:libc-musl = " file://musl.cfg " 58SRC_URI:append:libc-musl = " file://musl.cfg "