!106 [sync] PR-102: re-fixed CVE-2022-48174

From: @openeuler-sync-bot 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian

backport-CVE-2022-48174.patch

@@ -1,27 +1,77 @@
-From ba44d48bec1ced7d7706d84da33a5976f1d8c3cb Mon Sep 17 00:00:00 2001
+From 4bfb95d9c2f8f80cc2d1e282823ce49c25f7e784 Mon Sep 17 00:00:00 2001
 From: songbuhuang <544824346@qq.com>
-Date: Wed, 30 Aug 2023 11:55:40 +0800
+Date: Thu, 31 Aug 2023 12:08:23 +0800
 Subject: [PATCH] fix CVE-2022-48174
 
 Signed-off-by: songbuhuang <544824346@qq.com>
 ---
- shell/math.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
 
 diff --git a/shell/math.c b/shell/math.c
-index 2942cdd..8835e90 100644
+index 2942cdd..e9bd62b 100644
 --- a/shell/math.c
 +++ b/shell/math.c
-@@ -593,7 +593,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
- 	/* The proof that there can be no more than strlen(startbuf)/2+1
- 	 * integers in any given correct or incorrect expression
- 	 * is left as an exercise to the reader. */
--	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
-+	/* Counterexample: 09J results in three integers. */
-+	var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
+@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//	unsigned count = 0;
++//	while (*(expr = skip_whitespace(expr)) != '\0') {
++//		const char *p;
++//		if (isdigit(*expr)) {
++//			while (isdigit(*++expr))
++//				continue;
++//			count++;
++//			continue;
++//		}
++//		p = endofname(expr);
++//		if (p != expr) {
++//			expr = p;
++//			count++;
++//			continue;
++//		}
++//	}
++//	return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	const char *errmsg;
+ 	const char *start_expr = expr = skip_whitespace(expr);
+ 	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
++	/* Stack of integers/names */
++	/* There can be no more than strlen(startbuf)/2+1
++	 * integers/names in any given correct or incorrect expression.
++	 * (modulo "09v09v09v09v09v" case,
++	 * but we have code to detect that early)
++	 */
+ 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
  	var_or_num_t *numstackptr = numstack;
  	/* Stack of operator tokens */
- 	operator *const stack = alloca(expr_len * sizeof(stack[0]));
+@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 			numstackptr->var = NULL;
+ 			errno = 0;
+ 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
++			/* A number can't be followed by another number, or a variable name.
++			 * We'd catch this later anyway, but this would require numstack[]
++			 * to be twice as deep to handle strings where _every_ char is
++			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++			 */
++			if (isalnum(*expr) || *expr == '_')
++				goto err;
+ 			if (errno)
+ 				numstackptr->val = 0; /* bash compat */
+ 			goto num;
 -- 
 2.26.2
 

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 18
+%define RELEASE 19
 %endif
 Epoch: 1
 
@@ -99,6 +99,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-19
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:re-fixed CVE-2022-48174
+
 * Wed Aug 30 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-18
 - Type:CVE
 - Id:NA