3 files changed, 204 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
new file mode 100644
index 0000000000..e4693768e0
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
@@ -0,0 +1,142 @@
+From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 17 Dec 2018 18:07:18 +0100
+Subject: [PATCH] udhcpc: check that 4-byte options are indeed 4-byte, closes
+ 11506
+function                                             old     new   delta
+udhcp_get_option32                                     -      27     +27
+udhcp_get_option                                     231     248     +17
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0)               Total: 44 bytes
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2018-20679
+Affects < 1.30.0
+signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/common.c | 19 +++++++++++++++++++
+ networking/udhcp/common.h |  4 ++++
+ networking/udhcp/dhcpc.c  |  6 +++---
+ networking/udhcp/dhcpd.c  |  6 +++---
+ 4 files changed, 29 insertions(+), 6 deletions(-)
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
+++ busybox-1.29.3/networking/udhcp/common.c
+@@ -270,6 +270,15 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+                        goto complain; /* complain and return NULL */
+ 
+                if (optionptr[OPT_CODE] == code) {
+                       if (optionptr[OPT_LEN] == 0) {
+                               /* So far no valid option with length 0 known.
+                                * Having this check means that searching
+                                * for DHCP_MESSAGE_TYPE need not worry
+                                * that returned pointer might be unsafe
+                                * to dereference.
+                                */
+                               goto complain; /* complain and return NULL */
+                       }
+                        log_option("option found", optionptr);
+                        return optionptr + OPT_DATA;
+                }
+@@ -287,6 +296,16 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+        return NULL;
+ }
+ 
+uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
+{
+       uint8_t *r = udhcp_get_option(packet, code);
+       if (r) {
+               if (r[-1] != 4)
+                       r = NULL;
+       }
+       return r;
+}
+
+ /* Return the position of the 'end' option (no bounds checking) */
+ int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
+ {
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
+++ busybox-1.29.3/networking/udhcp/common.h
+@@ -204,6 +204,10 @@ extern const uint8_t dhcp_option_lengths
+ unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings);
+ 
+ uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC;
+/* Same as above + ensures that option length is 4 bytes
+ * (returns NULL if size is different)
+ */
+uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC;
+ int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
+ void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC;
+ #if ENABLE_UDHCPC || ENABLE_UDHCPD
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
+++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -1694,7 +1694,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+  * They say ISC DHCP client supports this case.
+  */
+                                server_addr = 0;
+-                               temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
+                               temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+                                if (!temp) {
+                                        bb_error_msg("no server ID, using 0.0.0.0");
+                                } else {
+@@ -1721,7 +1721,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+                                struct in_addr temp_addr;
+                                uint8_t *temp;
+ 
+-                               temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
+                               temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
+                                if (!temp) {
+                                        bb_error_msg("no lease time with ACK, using 1 hour lease");
+                                        lease_seconds = 60 * 60;
+@@ -1817,7 +1817,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+                                        uint32_t svid;
+                                        uint8_t *temp;
+ 
+-                                       temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
+                                       temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+                                        if (!temp) {
+  non_matching_svid:
+                                                log1("received DHCP NAK with wrong"
+Index: busybox-1.29.3/networking/udhcp/dhcpd.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpd.c
+++ busybox-1.29.3/networking/udhcp/dhcpd.c
+@@ -640,7 +640,7 @@ static void add_server_options(struct dh
+ static uint32_t select_lease_time(struct dhcp_packet *packet)
+ {
+        uint32_t lease_time_sec = server_config.max_lease_sec;
+-       uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
+       uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
+        if (lease_time_opt) {
+                move_from_unaligned32(lease_time_sec, lease_time_opt);
+                lease_time_sec = ntohl(lease_time_sec);
+@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+                }
+ 
+                /* Get SERVER_ID if present */
+-               server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
+               server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+                if (server_id_opt) {
+                        uint32_t server_id_network_order;
+                        move_from_unaligned32(server_id_network_order, server_id_opt);
+@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+                }
+ 
+                /* Get REQUESTED_IP if present */
+-               requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
+               requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
+                if (requested_ip_opt) {
+                        move_from_unaligned32(requested_nip, requested_ip_opt);
+                }
diff --git a/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
new file mode 100644
index 0000000000..4225b11e56
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
+From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 7 Jan 2019 15:33:42 +0100
+Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
+function                                             old     new   delta
+udhcp_run_script                                     795     801      +6
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2019-5747
+Affects < 1.30.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ networking/udhcp/common.c | 2 +-
+ networking/udhcp/common.h | 2 +-
+ networking/udhcp/dhcpc.c  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
+++ busybox-1.29.3/networking/udhcp/common.c
+@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
+ {
+        uint8_t *r = udhcp_get_option(packet, code);
+        if (r) {
+-               if (r[-1] != 4)
+               if (r[-OPT_DATA + OPT_LEN] != 4)
+                        r = NULL;
+        }
+        return r;
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
+++ busybox-1.29.3/networking/udhcp/common.h
+@@ -119,7 +119,7 @@ enum {
+ //#define DHCP_TIME_SERVER      0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
+ //#define DHCP_NAME_SERVER      0x05 /* IEN 116 _really_ ancient kind of NS */
+ //#define DHCP_DNS_SERVER       0x06
+-//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog)
+//#define DHCP_LOG_SERVER       0x07 /* port 704 UDP log (not syslog) */
+ //#define DHCP_COOKIE_SERVER    0x08 /* "quote of the day" server */
+ //#define DHCP_LPR_SERVER       0x09
+ #define DHCP_HOST_NAME          0x0c /* either client informs server or server gives name to client */
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
+++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
+                temp = udhcp_get_option(packet, code);
+                *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
+                putenv(*curr++);
+-               if (code == DHCP_SUBNET) {
+               if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
+                        /* Subnet option: make things like "$ip/$mask" possible */
+                        uint32_t subnet;
+                        move_from_unaligned32(subnet, temp);
diff --git a/meta/recipes-core/busybox/busybox_1.29.3.bb b/meta/recipes-core/busybox/busybox_1.29.3.bb
index 6064e9fdc6..5714d70768 100644
--- a/meta/recipes-core/busybox/busybox_1.29.3.bb
+++ b/meta/recipes-core/busybox/busybox_1.29.3.bb
@@ -41,6 +41,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://rcS \
           file://rcK \
           file://makefile-libbb-race.patch \
+           file://CVE-2018-20679.patch \
+           file://CVE-2019-5747.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "

diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch new file mode 100644 index 0000000000..e4693768e0 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
@@ -0,0 +1,142 @@
		1	From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Mon, 17 Dec 2018 18:07:18 +0100
		4	Subject: [PATCH] udhcpc: check that 4-byte options are indeed 4-byte, closes
		5	11506
		6
		7	function old new delta
		8	udhcp_get_option32 - 27 +27
		9	udhcp_get_option 231 248 +17
		10	------------------------------------------------------------------------------
		11	(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0) Total: 44 bytes
		12
		13	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2018-20679
		17
		18	Affects < 1.30.0
		19
		20	signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	networking/udhcp/common.c \| 19 +++++++++++++++++++
		24	networking/udhcp/common.h \| 4 ++++
		25	networking/udhcp/dhcpc.c \| 6 +++---
		26	networking/udhcp/dhcpd.c \| 6 +++---
		27	4 files changed, 29 insertions(+), 6 deletions(-)
		28
		29	Index: busybox-1.29.3/networking/udhcp/common.c
		30	===================================================================
		31	--- busybox-1.29.3.orig/networking/udhcp/common.c
		32	+++ busybox-1.29.3/networking/udhcp/common.c
		33	@@ -270,6 +270,15 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
		34	goto complain; /* complain and return NULL */
		35
		36	if (optionptr[OPT_CODE] == code) {
		37	+ if (optionptr[OPT_LEN] == 0) {
		38	+ /* So far no valid option with length 0 known.
		39	+ * Having this check means that searching
		40	+ * for DHCP_MESSAGE_TYPE need not worry
		41	+ * that returned pointer might be unsafe
		42	+ * to dereference.
		43	+ */
		44	+ goto complain; /* complain and return NULL */
		45	+ }
		46	log_option("option found", optionptr);
		47	return optionptr + OPT_DATA;
		48	}
		49	@@ -287,6 +296,16 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
		50	return NULL;
		51	}
		52
		53	+uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
		54	+{
		55	+ uint8_t *r = udhcp_get_option(packet, code);
		56	+ if (r) {
		57	+ if (r[-1] != 4)
		58	+ r = NULL;
		59	+ }
		60	+ return r;
		61	+}
		62	+
		63	/* Return the position of the 'end' option (no bounds checking) */
		64	int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
		65	{
		66	Index: busybox-1.29.3/networking/udhcp/common.h
		67	===================================================================
		68	--- busybox-1.29.3.orig/networking/udhcp/common.h
		69	+++ busybox-1.29.3/networking/udhcp/common.h
		70	@@ -204,6 +204,10 @@ extern const uint8_t dhcp_option_lengths
		71	unsigned FAST_FUNC udhcp_option_idx(const char name, const char option_strings);
		72
		73	uint8_t udhcp_get_option(struct dhcp_packet packet, int code) FAST_FUNC;
		74	+/* Same as above + ensures that option length is 4 bytes
		75	+ * (returns NULL if size is different)
		76	+ */
		77	+uint8_t udhcp_get_option32(struct dhcp_packet packet, int code) FAST_FUNC;
		78	int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
		79	void udhcp_add_binary_option(struct dhcp_packet packet, uint8_t addopt) FAST_FUNC;
		80	#if ENABLE_UDHCPC \|\| ENABLE_UDHCPD
		81	Index: busybox-1.29.3/networking/udhcp/dhcpc.c
		82	===================================================================
		83	--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
		84	+++ busybox-1.29.3/networking/udhcp/dhcpc.c
		85	@@ -1694,7 +1694,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
		86	* They say ISC DHCP client supports this case.
		87	*/
		88	server_addr = 0;
		89	- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
		90	+ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
		91	if (!temp) {
		92	bb_error_msg("no server ID, using 0.0.0.0");
		93	} else {
		94	@@ -1721,7 +1721,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
		95	struct in_addr temp_addr;
		96	uint8_t *temp;
		97
		98	- temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
		99	+ temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
		100	if (!temp) {
		101	bb_error_msg("no lease time with ACK, using 1 hour lease");
		102	lease_seconds = 60 * 60;
		103	@@ -1817,7 +1817,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
		104	uint32_t svid;
		105	uint8_t *temp;
		106
		107	- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
		108	+ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
		109	if (!temp) {
		110	non_matching_svid:
		111	log1("received DHCP NAK with wrong"
		112	Index: busybox-1.29.3/networking/udhcp/dhcpd.c
		113	===================================================================
		114	--- busybox-1.29.3.orig/networking/udhcp/dhcpd.c
		115	+++ busybox-1.29.3/networking/udhcp/dhcpd.c
		116	@@ -640,7 +640,7 @@ static void add_server_options(struct dh
		117	static uint32_t select_lease_time(struct dhcp_packet *packet)
		118	{
		119	uint32_t lease_time_sec = server_config.max_lease_sec;
		120	- uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
		121	+ uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
		122	if (lease_time_opt) {
		123	move_from_unaligned32(lease_time_sec, lease_time_opt);
		124	lease_time_sec = ntohl(lease_time_sec);
		125	@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
		126	}
		127
		128	/* Get SERVER_ID if present */
		129	- server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
		130	+ server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
		131	if (server_id_opt) {
		132	uint32_t server_id_network_order;
		133	move_from_unaligned32(server_id_network_order, server_id_opt);
		134	@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
		135	}
		136
		137	/* Get REQUESTED_IP if present */
		138	- requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
		139	+ requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
		140	if (requested_ip_opt) {
		141	move_from_unaligned32(requested_nip, requested_ip_opt);
		142	}


diff --git a/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch new file mode 100644 index 0000000000..4225b11e56 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
		1	From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Mon, 7 Jan 2019 15:33:42 +0100
		4	Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
		5
		6	function old new delta
		7	udhcp_run_script 795 801 +6
		8
		9	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2019-5747
		13	Affects < 1.30.0
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	networking/udhcp/common.c \| 2 +-
		18	networking/udhcp/common.h \| 2 +-
		19	networking/udhcp/dhcpc.c \| 2 +-
		20	3 files changed, 3 insertions(+), 3 deletions(-)
		21
		22	Index: busybox-1.29.3/networking/udhcp/common.c
		23	===================================================================
		24	--- busybox-1.29.3.orig/networking/udhcp/common.c
		25	+++ busybox-1.29.3/networking/udhcp/common.c
		26	@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
		27	{
		28	uint8_t *r = udhcp_get_option(packet, code);
		29	if (r) {
		30	- if (r[-1] != 4)
		31	+ if (r[-OPT_DATA + OPT_LEN] != 4)
		32	r = NULL;
		33	}
		34	return r;
		35	Index: busybox-1.29.3/networking/udhcp/common.h
		36	===================================================================
		37	--- busybox-1.29.3.orig/networking/udhcp/common.h
		38	+++ busybox-1.29.3/networking/udhcp/common.h
		39	@@ -119,7 +119,7 @@ enum {
		40	//#define DHCP_TIME_SERVER 0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
		41	//#define DHCP_NAME_SERVER 0x05 /* IEN 116 _really_ ancient kind of NS */
		42	//#define DHCP_DNS_SERVER 0x06
		43	-//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog)
		44	+//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) */
		45	//#define DHCP_COOKIE_SERVER 0x08 /* "quote of the day" server */
		46	//#define DHCP_LPR_SERVER 0x09
		47	#define DHCP_HOST_NAME 0x0c /* either client informs server or server gives name to client */
		48	Index: busybox-1.29.3/networking/udhcp/dhcpc.c
		49	===================================================================
		50	--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
		51	+++ busybox-1.29.3/networking/udhcp/dhcpc.c
		52	@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
		53	temp = udhcp_get_option(packet, code);
		54	*curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
		55	putenv(*curr++);
		56	- if (code == DHCP_SUBNET) {
		57	+ if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
		58	/* Subnet option: make things like "$ip/$mask" possible */
		59	uint32_t subnet;
		60	move_from_unaligned32(subnet, temp);


diff --git a/meta/recipes-core/busybox/busybox_1.29.3.bb b/meta/recipes-core/busybox/busybox_1.29.3.bb index 6064e9fdc6..5714d70768 100644 --- a/meta/recipes-core/busybox/busybox_1.29.3.bb +++ b/meta/recipes-core/busybox/busybox_1.29.3.bb
@@ -41,6 +41,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
41	file://rcS \	41	file://rcS \
42	file://rcK \	42	file://rcK \
43	file://makefile-libbb-race.patch \	43	file://makefile-libbb-race.patch \
		44	file://CVE-2018-20679.patch \
		45	file://CVE-2019-5747.patch \
44	"	46	"
45	SRC_URI_append_libc-musl = " file://musl.cfg "	47	SRC_URI_append_libc-musl = " file://musl.cfg "
46		48