[kirkstone,06/14] busybox: fix CVE-2022-48174

Message ID	56b90b5f2da661bfac3f2d751fc09e918429ec87.1694004064.git.steve@sakoman.com
State	Accepted, archived
Commit	56b90b5f2da661bfac3f2d751fc09e918429ec87
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/14] busybox: fix CVE-2022-48174 Date: Wed, 6 Sep 2023 02:48:13 -1000 Message-Id: <56b90b5f2da661bfac3f2d751fc09e918429ec87.1694004064.git.steve@sakoman.com> In-Reply-To: <cover.1694004064.git.steve@sakoman.com> References: <cover.1694004064.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/14] tiff: fix CVE-2023-2908,CVE-2023-3316,CVE-2023-3618 \| expand [kirkstone,01/14] tiff: fix CVE-2023-2908,CVE-2023-3316,CVE-2023-3618 [kirkstone,02/14] inetutils: Backport fix for CVE-2023-40303 [kirkstone,03/14] libtiff: fix CVE-2023-26966 Buffer Overflow [kirkstone,04/14] json-c: fix CVE-2021-32292 [kirkstone,05/14] ncurses: fix CVE-2023-29491 [kirkstone,06/14] busybox: fix CVE-2022-48174 [kirkstone,07/14] webkitgtk: fix CVE-2023-23529 [kirkstone,08/14] libssh2: fix CVE-2020-22218 [kirkstone,09/14] file: fix CVE-2022-48554 [kirkstone,10/14] nasm: fix CVE-2020-21528 [kirkstone,11/14] python3: upgrade to 3.10.13 [kirkstone,12/14] efivar: backport 5 patches to fix build with gold [kirkstone,13/14] libdnf: resolve cstdint inclusion for newer gcc versions [kirkstone,14/14] sysklogd: fix integration with systemd-journald

Message ID

56b90b5f2da661bfac3f2d751fc09e918429ec87.1694004064.git.steve@sakoman.com

State

Accepted, archived

Commit

56b90b5f2da661bfac3f2d751fc09e918429ec87

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/14] busybox: fix CVE-2022-48174
Date: Wed,  6 Sep 2023 02:48:13 -1000
Message-Id: 
 <56b90b5f2da661bfac3f2d751fc09e918429ec87.1694004064.git.steve@sakoman.com>
In-Reply-To: <cover.1694004064.git.steve@sakoman.com>
References: <cover.1694004064.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/14] tiff: fix CVE-2023-2908,CVE-2023-3316,CVE-2023-3618 | expand

Commit Message

Steve Sakoman Sept. 6, 2023, 12:48 p.m. UTC

From: Meenali Gupta <meenali.gupta@windriver.com>

There is a stack overflow vulnerability in ash.c:6030 in busybox
vbefore 1.35. In the environment of Internet of Vehicles, this
vulnerability can be executed from command to arbitrary code execution.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../busybox/busybox/CVE-2022-48174.patch      | 80 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |  1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dd0ea19f02
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@ 
+From cf5d0889262e1b04ec2aa4caff2f5da2d602c665 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] busybox: shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+function old new delta evaluate_string 1011 1053 +42
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+CVE: CVE-2022-48174
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 76d22c9..727c294 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//	unsigned count = 0;
++//	while (*(expr = skip_whitespace(expr)) != '\0') {
++//		const char *p;
++//		if (isdigit(*expr)) {
++//			while (isdigit(*++expr))
++//				continue;
++//			count++;
++//			continue;
++//		}
++//		p = endofname(expr);
++//		if (p != expr) {
++//			expr = p;
++//			count++;
++//			continue;
++//		}
++//	}
++//	return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+	const char *errmsg;
+	const char *start_expr = expr = skip_whitespace(expr);
+	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
++	/* Stack of integers/names */
++	/* There can be no more than strlen(startbuf)/2+1
++	 * integers/names in any given correct or incorrect expression.
++	 * (modulo "09v09v09v09v09v" case,
++	 * but we have code to detect that early)
++	 */
+	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+	var_or_num_t *numstackptr = numstack;
+	/* Stack of operator tokens */
+@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+			numstackptr->var = NULL;
+			errno = 0;
+			numstackptr->val = strto_arith_t(expr, (char**) &expr);
++			/* A number can't be followed by another number, or a variable name.
++			 * We'd catch this later anyway, but this would require numstack[]
++			 * to be twice as deep to handle strings where _every_ char is
++			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++			 */
++			if (isalnum(*expr) || *expr == '_')
++				goto err;
+ //bb_error_msg("val:%lld", numstackptr->val);
+			if (errno)
+				numstackptr->val = 0; /* bash compat */
+--
+2.40.0
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index e9ca6fdb1a..07a5137d2a 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -51,6 +51,7 @@  SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
            file://CVE-2022-30065.patch \
            file://0001-devmem-add-128-bit-width.patch \
+	   file://CVE-2022-48174.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "

[kirkstone,06/14] busybox: fix CVE-2022-48174

Commit Message

Patch