[OE-core] [dunfell][PATCH] busybox: Backport CVE-2022-48174 fix

Mon, 09 Oct 2023 09:26:39 -0700 

There is a stack overflow vulnerability in ash.c:6030 in busybox before
1.35. In the environment of Internet of Vehicles, this vulnerability can
be executed from command to arbitrary code execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-48174

CVE: CVE-2022-48174
Signed-off-by: Marek Vasut <[email protected]>
---
Cc: Martin Jansa <[email protected]>
Cc: Richard Purdie <[email protected]>
Cc: Steve Sakoman <[email protected]>
---
 .../busybox/busybox/CVE-2022-48174.patch      | 82 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |  1 +
 2 files changed, 83 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch 
b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <[email protected]>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function                                             old     new   delta
+evaluate_string                                     1011    1053     +42
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <[email protected]>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char 
**endptr)
+ # endif
+ #endif
+ 
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//    unsigned count = 0;
++//    while (*(expr = skip_whitespace(expr)) != '\0') {
++//            const char *p;
++//            if (isdigit(*expr)) {
++//                    while (isdigit(*++expr))
++//                            continue;
++//                    count++;
++//                    continue;
++//            }
++//            p = endofname(expr);
++//            if (p != expr) {
++//                    expr = p;
++//                    count++;
++//                    continue;
++//            }
++//    }
++//    return count;
++//}
++
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char 
*expr)
+       const char *errmsg;
+       const char *start_expr = expr = skip_whitespace(expr);
+       unsigned expr_len = strlen(expr) + 2;
+-      /* Stack of integers */
+-      /* The proof that there can be no more than strlen(startbuf)/2+1
+-       * integers in any given correct or incorrect expression
+-       * is left as an exercise to the reader. */
++      /* Stack of integers/names */
++      /* There can be no more than strlen(startbuf)/2+1
++       * integers/names in any given correct or incorrect expression.
++       * (modulo "09v09v09v09v09v" case,
++       * but we have code to detect that early)
++       */
+       var_or_num_t *const numstack = alloca((expr_len / 2) * 
sizeof(numstack[0]));
+       var_or_num_t *numstackptr = numstack;
+       /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char 
*expr)
+                       numstackptr->var = NULL;
+                       errno = 0;
+                       numstackptr->val = strto_arith_t(expr, (char**) &expr);
++                      /* A number can't be followed by another number, or a 
variable name.
++                       * We'd catch this later anyway, but this would require 
numstack[]
++                       * to be twice as deep to handle strings where _every_ 
char is
++                       * a new number or name. Example: 
09v09v09v09v09v09v09v09v09v
++                       */
++                      if (isalnum(*expr) || *expr == '_')
++                              goto err;
+                       if (errno)
+                               numstackptr->val = 0; /* bash compat */
+                       goto num;
+-- 
+2.40.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb 
b/meta/recipes-core/busybox/busybox_1.31.1.bb
index d062f0f7dd..94aa1467df 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -55,6 +55,7 @@ SRC_URI = 
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2021-42374.patch \
            file://CVE-2021-42376.patch \
            file://CVE-2021-423xx-awk.patch \
+           file://CVE-2022-48174.patch \
            
file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
            
file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
            "
-- 
2.40.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188844): 
https://lists.openembedded.org/g/openembedded-core/message/188844
Mute This Topic: https://lists.openembedded.org/mt/101856213/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to