busybox: Backport CVE-2022-48174 fix

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 (From OE-Core rev: 634daf953e4bd8c6df3ee341b5e93cc81e1a620d) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-06-04 02:00:04 +00:00 · 2023-10-09 18:26:22 +02:00
parent eebb034b21
commit 3ee56c9b97
2 changed files with 83 additions and 0 deletions
@@ -0,0 +1,82 @@
 From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
 From: Denys Vlasenko <vda.linux@googlemail.com>
 Date: Mon, 12 Jun 2023 17:48:47 +0200
 Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
 function                                             old     new   delta
 evaluate_string                                     1011    1053     +42
 CVE: CVE-2022-48174
 Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 ---
 shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)
 diff --git a/shell/math.c b/shell/math.c
 index af1ab55c0..79824e81f 100644
 --- a/shell/math.c
 +++ b/shell/math.c
@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
 # endif
 #endif
 +//TODO: much better estimation than expr_len/2? Such as:
 +//static unsigned estimate_nums_and_names(const char *expr)
 +//{
 +//	unsigned count = 0;
 +//	while (*(expr = skip_whitespace(expr)) != '\0') {
 +//		const char *p;
 +//		if (isdigit(*expr)) {
 +//			while (isdigit(*++expr))
 +//				continue;
 +//			count++;
 +//			continue;
 +//		}
 +//		p = endofname(expr);
 +//		if (p != expr) {
 +//			expr = p;
 +//			count++;
 +//			continue;
 +//		}
 +//	}
 +//	return count;
 +//}
 +
 static arith_t FAST_FUNC
 evaluate_string(arith_state_t *math_state, const char *expr)
 {
@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
 	const char *errmsg;
 	const char *start_expr = expr = skip_whitespace(expr);
 	unsigned expr_len = strlen(expr) + 2;
 -	/* Stack of integers */
 -	/* The proof that there can be no more than strlen(startbuf)/2+1
 -	 * integers in any given correct or incorrect expression
 -	 * is left as an exercise to the reader. */
 +	/* Stack of integers/names */
 +	/* There can be no more than strlen(startbuf)/2+1
 +	 * integers/names in any given correct or incorrect expression.
 +	 * (modulo "09v09v09v09v09v" case,
 +	 * but we have code to detect that early)
 +	 */
 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
 	var_or_num_t *numstackptr = numstack;
 	/* Stack of operator tokens */
@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
 			numstackptr->var = NULL;
 			errno = 0;
 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
 +			/* A number can't be followed by another number, or a variable name.
 +			 * We'd catch this later anyway, but this would require numstack[]
 +			 * to be twice as deep to handle strings where _every_ char is
 +			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
 +			 */
 +			if (isalnum(*expr) || *expr == '_')
 +				goto err;
 			if (errno)
 				numstackptr->val = 0; /* bash compat */
 			goto num;
 -- 
 2.40.1
@@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2021-42374.patch \
           file://CVE-2021-42376.patch \
           file://CVE-2021-423xx-awk.patch \
           file://CVE-2022-48174.patch \
           file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
           file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
           "