new file mode 100644
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+ goto num;
+--
+2.40.1
+
@@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2021-42374.patch \
file://CVE-2021-42376.patch \
file://CVE-2021-423xx-awk.patch \
+ file://CVE-2022-48174.patch \
file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
"
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 Signed-off-by: Marek Vasut <marex@denx.de> --- Cc: Martin Jansa <Martin.Jansa@gmail.com> Cc: Richard Purdie <richard.purdie@linuxfoundation.org> Cc: Steve Sakoman <steve@sakoman.com> --- .../busybox/busybox/CVE-2022-48174.patch | 82 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch