!107 sync CVE-2022-48174

From: @liuxu180400617 
Reviewed-by: @flyflyflypeng 
Signed-off-by: @flyflyflypeng

backport-CVE-2022-48174.patch

@@ -0,0 +1,77 @@
+From 4bfb95d9c2f8f80cc2d1e282823ce49c25f7e784 Mon Sep 17 00:00:00 2001
+From: songbuhuang <544824346@qq.com>
+Date: Thu, 31 Aug 2023 12:08:23 +0800
+Subject: [PATCH] fix CVE-2022-48174
+
+Signed-off-by: songbuhuang <544824346@qq.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 2942cdd..e9bd62b 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//	unsigned count = 0;
++//	while (*(expr = skip_whitespace(expr)) != '\0') {
++//		const char *p;
++//		if (isdigit(*expr)) {
++//			while (isdigit(*++expr))
++//				continue;
++//			count++;
++//			continue;
++//		}
++//		p = endofname(expr);
++//		if (p != expr) {
++//			expr = p;
++//			count++;
++//			continue;
++//		}
++//	}
++//	return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	const char *errmsg;
+ 	const char *start_expr = expr = skip_whitespace(expr);
+ 	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
++	/* Stack of integers/names */
++	/* There can be no more than strlen(startbuf)/2+1
++	 * integers/names in any given correct or incorrect expression.
++	 * (modulo "09v09v09v09v09v" case,
++	 * but we have code to detect that early)
++	 */
+ 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ 	var_or_num_t *numstackptr = numstack;
+ 	/* Stack of operator tokens */
+@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 			numstackptr->var = NULL;
+ 			errno = 0;
+ 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
++			/* A number can't be followed by another number, or a variable name.
++			 * We'd catch this later anyway, but this would require numstack[]
++			 * to be twice as deep to handle strings where _every_ char is
++			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++			 */
++			if (isalnum(*expr) || *expr == '_')
++				goto err;
+ 			if (errno)
+ 				numstackptr->val = 0; /* bash compat */
+ 			goto num;
+-- 
+2.26.2
+

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 17
+%define RELEASE 19
 %endif
 Epoch: 1
 
@@ -23,6 +23,7 @@ Source3: busybox-dynamic.config
 Patch6000: backport-CVE-2022-28391.patch
 Patch6001: backport-CVE-2022-30065.patch
 Patch6002: backport-fix-use-after-free-in-bc-module.patch
+Patch6003: backport-CVE-2022-48174.patch
 
 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@@ -98,7 +99,19 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
-* Wed Dec 14 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
+* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-19
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:re-fixed CVE-2022-48174
+
+* Wed Aug 30 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-18
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2022-48174
+
+* Fri Oct 28 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
 - fix use after free in bc module
 
 * Fri Aug 19 2022 jikui <jikui2@huawei.com> - 1:1.34.1-16