packages/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:74c13fb34170cf439da8ea4782dd54db8e55a542
Branches Tags
packages:main
...
compare: packages:6c9a9c8e8717fdb5d0d5c9f31530a13b685a5ed5
Branches Tags
packages:main

10 Commits
74c13fb341 ... 6c9a9c8e87

Author SHA1 Message Date
openeuler-ci-bot
6c9a9c8e87
!119 [sync] PR-114: fix CVE-2023-42364 CVE-2023-42365 CVE-2023-42366 CVE-2023-42363 
From: @openeuler-sync-bot 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng
 2024-06-20 09:25:21 +00:00
liuxu
81372e3d47 fix CVE-2023-42364 CVE-2023-42365 CVE-2023-42366 CVE-2023-42363 
Signed-off-by: liuxu <liuxu156@huawei.com>
(cherry picked from commit d635a4264d050b64722ddafcc348cac0a0773b25)
 2024-06-19 17:07:31 +08:00
openeuler-ci-bot
af67badff1
!111 sync CVE-2022-48174 
From: @liuxu180400617 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng
 2024-06-11 09:00:15 +00:00
openeuler-ci-bot
bbad932343
!107 sync CVE-2022-48174 
From: @liuxu180400617 
Reviewed-by: @flyflyflypeng 
Signed-off-by: @flyflyflypeng
 2023-11-29 09:21:41 +00:00
openeuler-ci-bot
e36fcd96ea
!106 [sync] PR-102: re-fixed CVE-2022-48174 
From: @openeuler-sync-bot 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
 2023-08-31 06:38:41 +00:00
songbuhuang
24b63f5848 re-fixed CVE-2022-48174 
Signed-off-by: songbuhuang <544824346@qq.com>
(cherry picked from commit 41ced1d003c6c513daa3d7d953d5cc20a5c2cc4e)
 2023-08-31 14:21:10 +08:00
openeuler-ci-bot
5383351ec2
!98 fix CVE-2022-48174 
From: @songbuhuang 
Reviewed-by: @jing-rui, @jxy_git 
Signed-off-by: @jxy_git
 2023-08-30 07:46:52 +00:00
songbuhuang
5ef5f7eb06 fix CVE-2022-48174 
Signed-off-by: songbuhuang <544824346@qq.com>
 2023-08-30 12:51:25 +08:00
openeuler-ci-bot
320245b1d3
!82 [sync] PR-81: fix pointer use after free in bc module 
From: @openeuler-sync-bot 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
 2022-12-22 08:18:29 +00:00
jackey_1024
aa8fdbb07a busybox: fix use after free in bc module 
Signed-off-by: jackey_1024 <jikui2@huawei.com>
(cherry picked from commit 8c081544dd36e6ab35852765acea10b6dd9a6c39)
 2022-12-22 16:08:56 +08:00
7 changed files with 593 additions and 1 deletions
Show Stats Expand all files Collapse all files

77
backport-CVE-2022-48174.patch Normal file
View File

@ -0,0 +1,77 @@
From 4bfb95d9c2f8f80cc2d1e282823ce49c25f7e784 Mon Sep 17 00:00:00 2001
From: songbuhuang <544824346@qq.com>
Date: Thu, 31 Aug 2023 12:08:23 +0800
Subject: [PATCH] fix CVE-2022-48174
Signed-off-by: songbuhuang <544824346@qq.com>
---
shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
1 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/shell/math.c b/shell/math.c
index 2942cdd..e9bd62b 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
# endif
#endif
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+// unsigned count = 0;
+// while (*(expr = skip_whitespace(expr)) != '\0') {
+// const char *p;
+// if (isdigit(*expr)) {
+// while (isdigit(*++expr))
+// continue;
+// count++;
+// continue;
+// }
+// p = endofname(expr);
+// if (p != expr) {
+// expr = p;
+// count++;
+// continue;
+// }
+// }
+// return count;
+//}
+
static arith_t
evaluate_string(arith_state_t *math_state, const char *expr)
{
@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
const char *errmsg;
const char *start_expr = expr = skip_whitespace(expr);
unsigned expr_len = strlen(expr) + 2;
- /* Stack of integers */
- /* The proof that there can be no more than strlen(startbuf)/2+1
- * integers in any given correct or incorrect expression
- * is left as an exercise to the reader. */
+ /* Stack of integers/names */
+ /* There can be no more than strlen(startbuf)/2+1
+ * integers/names in any given correct or incorrect expression.
+ * (modulo "09v09v09v09v09v" case,
+ * but we have code to detect that early)
+ */
var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
var_or_num_t *numstackptr = numstack;
/* Stack of operator tokens */
@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
numstackptr->var = NULL;
errno = 0;
numstackptr->val = strto_arith_t(expr, (char**) &expr);
+ /* A number can't be followed by another number, or a variable name.
+ * We'd catch this later anyway, but this would require numstack[]
+ * to be twice as deep to handle strings where _every_ char is
+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+ */
+ if (isalnum(*expr) || *expr == '_')
+ goto err;
if (errno)
numstackptr->val = 0; /* bash compat */
goto num;
--
2.26.2

31
backport-CVE-2023-42363.patch Normal file
View File

@ -0,0 +1,31 @@
From c8f999803ab38f97488091ea20d8d2e4967452d2 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Wed, 19 Jun 2024 11:44:32 +0800
Subject: [PATCH 4/4] awk: fix use after free (CVE-2023-42363)
backport from upstream:
https://git.alpinelinux.org/aports/plain/main/busybox/0001-awk-fix-use-after-free-CVE-2023-42363.patch
Signed-off-by: liuxu <liuxu156@huawei.com>
---
editors/awk.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 7a73f04..8f146fc 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2944,10 +2944,6 @@ static var *evaluate(node *op, var *res)
/* yes, remember where Fields[] is */
old_Fields_ptr = Fields;
}
- if (opinfo & OF_STR1) {
- L.s = getvar_s(L.v);
- debug_printf_eval("L.s:'%s'\n", L.s);
- }
if (opinfo & OF_NUM1) {
L_d = getvar_i(L.v);
debug_printf_eval("L_d:%f\n", L_d);
--
2.43.0

292
backport-CVE-2023-42364-CVE-2023-42365.patch Normal file
View File

@ -0,0 +1,292 @@
From 6eabe2d43d464d34df1670192aef6c4966ab1a94 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Tue, 30 May 2023 16:42:18 +0200
Subject: [PATCH 1/2] awk: fix precedence of = relative to ==
backport from upstream:
https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch
Discovered while adding code to disallow assignments to non-lvalues
function old new delta
parse_expr 936 991 +55
.rodata 105243 105247 +4
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
(cherry picked from commit 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4)
---
editors/awk.c | 66 ++++++++++++++++++++++++++++++---------------
testsuite/awk.tests | 5 ++++
2 files changed, 50 insertions(+), 21 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 728ee8685..3f4e0600d 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n)
#undef P
#undef PRIMASK
#undef PRIMASK2
-#define P(x) (x << 24)
+/* Smaller 'x' means _higher_ operator precedence */
+#define PRECEDENCE(x) (x << 24)
+#define P(x) PRECEDENCE(x)
#define PRIMASK 0x7F000000
#define PRIMASK2 0x7E000000
@@ -360,7 +362,7 @@ enum {
OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100,
OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400,
OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700,
- OC_DONE = 0x2800,
+ OC_CONST = 0x2800, OC_DONE = 0x2900,
ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200,
ST_WHILE = 0x3300
@@ -440,9 +442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = {
#define TI_PREINC (OC_UNARY|xV|P(9)|'P')
#define TI_PREDEC (OC_UNARY|xV|P(9)|'M')
TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5),
- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-',
- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&',
- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&',
+ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-',
+ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&',
+ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&',
OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*',
OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1,
#define TI_LESS (OC_COMPARE|VV|P(39)|2)
@@ -1290,7 +1292,7 @@ static uint32_t next_token(uint32_t expected)
save_tclass = tc;
save_info = t_info;
tc = TC_BINOPX;
- t_info = OC_CONCAT | SS | P(35);
+ t_info = OC_CONCAT | SS | PRECEDENCE(35);
}
t_tclass = tc;
@@ -1350,9 +1352,8 @@ static node *parse_expr(uint32_t term_tc)
{
node sn;
node *cn = &sn;
- node *vn, *glptr;
+ node *glptr;
uint32_t tc, expected_tc;
- var *v;
debug_printf_parse("%s() term_tc(%x):", __func__, term_tc);
debug_parse_print_tc(term_tc);
@@ -1363,11 +1364,12 @@ static node *parse_expr(uint32_t term_tc)
expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc;
while (!((tc = next_token(expected_tc)) & term_tc)) {
+ node *vn;
if (glptr && (t_info == TI_LESS)) {
/* input redirection (<) attached to glptr node */
debug_printf_parse("%s: input redir\n", __func__);
- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37));
+ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37));
cn->a.n = glptr;
expected_tc = TS_OPERAND | TS_UOPPRE;
glptr = NULL;
@@ -1379,24 +1381,42 @@ static node *parse_expr(uint32_t term_tc)
* previous operators with higher priority */
vn = cn;
while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2))
- || ((t_info == vn->info) && t_info == TI_COLON)
+ || (t_info == vn->info && t_info == TI_COLON)
) {
vn = vn->a.n;
if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN);
}
if (t_info == TI_TERNARY)
//TODO: why?
- t_info += P(6);
+ t_info += PRECEDENCE(6);
cn = vn->a.n->r.n = new_node(t_info);
cn->a.n = vn->a.n;
if (tc & TS_BINOP) {
cn->l.n = vn;
-//FIXME: this is the place to detect and reject assignments to non-lvalues.
-//Currently we allow "assignments" to consts and temporaries, nonsense like this:
-// awk 'BEGIN { "qwe" = 1 }'
-// awk 'BEGIN { 7 *= 7 }'
-// awk 'BEGIN { length("qwe") = 1 }'
-// awk 'BEGIN { (1+1) += 3 }'
+
+ /* Prevent:
+ * awk 'BEGIN { "qwe" = 1 }'
+ * awk 'BEGIN { 7 *= 7 }'
+ * awk 'BEGIN { length("qwe") = 1 }'
+ * awk 'BEGIN { (1+1) += 3 }'
+ */
+ /* Assignment? (including *= and friends) */
+ if (((t_info & OPCLSMASK) == OC_MOVE)
+ || ((t_info & OPCLSMASK) == OC_REPLACE)
+ ) {
+ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info);
+ /* Left side is a (variable or array element)
+ * or function argument
+ * or $FIELD ?
+ */
+ if ((vn->info & OPCLSMASK) != OC_VAR
+ && (vn->info & OPCLSMASK) != OC_FNARG
+ && (vn->info & OPCLSMASK) != OC_FIELD
+ ) {
+ syntax_error(EMSG_UNEXP_TOKEN); /* no. bad */
+ }
+ }
+
expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP;
if (t_info == TI_PGETLINE) {
/* it's a pipe */
@@ -1432,6 +1452,8 @@ static node *parse_expr(uint32_t term_tc)
/* one should be very careful with switch on tclass -
* only simple tclasses should be used (TC_xyz, not TS_xyz) */
switch (tc) {
+ var *v;
+
case TC_VARIABLE:
case TC_ARRAY:
debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__);
@@ -1452,14 +1474,14 @@ static node *parse_expr(uint32_t term_tc)
case TC_NUMBER:
case TC_STRING:
debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__);
- cn->info = OC_VAR;
+ cn->info = OC_CONST;
v = cn->l.v = xzalloc(sizeof(var));
- if (tc & TC_NUMBER)
+ if (tc & TC_NUMBER) {
setvar_i(v, t_double);
- else {
+ } else {
setvar_s(v, t_string);
- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */
}
+ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */
break;
case TC_REGEXP:
@@ -3088,6 +3110,8 @@ static var *evaluate(node *op, var *res)
/* -- recursive node type -- */
+ case XC( OC_CONST ):
+ debug_printf_eval("CONST ");
case XC( OC_VAR ):
debug_printf_eval("VAR\n");
L.v = op->l.v;
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index bbf0fbff1..a71ef3b26 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -485,4 +485,9 @@ testing 'awk assign while test' \
"" \
"foo"
+testing "awk = has higher precedence than == (despite what gawk manpage claims)" \
+ "awk 'BEGIN { v=1; print 2==v; print 2==v=2; print v; print v=3==3; print v}'" \
+ '0\n1\n2\n1\n3\n' \
+ '' ''
+
exit $FAILCOUNT
--
2.45.2
From 947f3d2d2739afe248bf5343eaf9e35f3fd95dc2 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Tue, 21 May 2024 14:46:08 +0200
Subject: [PATCH 2/2] awk: fix ternary operator and precedence of =
Adjust the = precedence test to match behavior of gawk, mawk and
FreeBSD. awk 'BEGIN {print v=3==3; print v}' should print two '1'.
To fix this, and to unbreak the ternary conditional operator, we restore
the precedence of = in the token list, but override this with a lower
priority when the assignment is on the right side of a compare.
This fixes commit 0256e00a9d07 (awk: fix precedence of = relative to ==)
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
(cherry picked from commit 1714301c405ef03b39605c85c23f22a190cddd95)
---
editors/awk.c | 18 ++++++++++++++----
testsuite/awk.tests | 9 +++++++--
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 3f4e0600d..85e0f50cd 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -442,9 +442,10 @@ static const uint32_t tokeninfo[] ALIGN4 = {
#define TI_PREINC (OC_UNARY|xV|P(9)|'P')
#define TI_PREDEC (OC_UNARY|xV|P(9)|'M')
TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5),
- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-',
- OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&',
- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&',
+#define TI_ASSIGN (OC_MOVE|VV|P(74))
+ OC_COMPARE|VV|P(39)|5, TI_ASSIGN, OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-',
+ OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&',
+ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&',
OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*',
OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1,
#define TI_LESS (OC_COMPARE|VV|P(39)|2)
@@ -1376,11 +1377,19 @@ static node *parse_expr(uint32_t term_tc)
continue;
}
if (tc & (TS_BINOP | TC_UOPPOST)) {
+ int prio;
debug_printf_parse("%s: TS_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
/* for binary and postfix-unary operators, jump back over
* previous operators with higher priority */
vn = cn;
- while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2))
+ /* Let assignment get higher priority when used on right
+ * side in compare. i.e: 2==v=3 */
+ if (t_info == TI_ASSIGN && (vn->a.n->info & OPCLSMASK) == OC_COMPARE) {
+ prio = PRECEDENCE(38);
+ } else {
+ prio = (t_info & PRIMASK);
+ }
+ while ((prio > (vn->a.n->info & PRIMASK2))
|| (t_info == vn->info && t_info == TI_COLON)
) {
vn = vn->a.n;
@@ -1412,6 +1421,7 @@ static node *parse_expr(uint32_t term_tc)
if ((vn->info & OPCLSMASK) != OC_VAR
&& (vn->info & OPCLSMASK) != OC_FNARG
&& (vn->info & OPCLSMASK) != OC_FIELD
+ && (vn->info & OPCLSMASK) != OC_COMPARE
) {
syntax_error(EMSG_UNEXP_TOKEN); /* no. bad */
}
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index a71ef3b26..c2f57605b 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -485,9 +485,14 @@ testing 'awk assign while test' \
"" \
"foo"
-testing "awk = has higher precedence than == (despite what gawk manpage claims)" \
+testing "awk = has higher precedence than == on right side" \
"awk 'BEGIN { v=1; print 2==v; print 2==v=2; print v; print v=3==3; print v}'" \
- '0\n1\n2\n1\n3\n' \
+ '0\n1\n2\n1\n1\n' \
+ '' ''
+
+testing 'awk ternary precedence' \
+ "awk 'BEGIN { a = 0 ? \"yes\": \"no\"; print a }'" \
+ 'no\n' \
'' ''
exit $FAILCOUNT
--
2.45.2

37
backport-CVE-2023-42366.patch Normal file
View File

@ -0,0 +1,37 @@
From 5cf8b332429a1dd9afef3337bae92aeddaeff993 Mon Sep 17 00:00:00 2001
From: Valery Ushakov <uwe@stderr.spb.ru>
Date: Wed, 24 Jan 2024 22:24:41 +0300
Subject: [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)
backport from upstream:
https://git.alpinelinux.org/aports/plain/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch
Make sure we don't read past the end of the string in next_token()
when backslash is the last character in an (invalid) regexp.
https://bugs.busybox.net/show_bug.cgi?id=15874
---
editors/awk.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 728ee8685..be48df7c7 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -1165,9 +1165,11 @@ static uint32_t next_token(uint32_t expected)
s[-1] = bb_process_escape_sequence((const char **)&pp);
if (*p == '\\')
*s++ = '\\';
- if (pp == p)
+ if (pp == p) {
+ if (*p == '\0')
+ syntax_error(EMSG_UNEXP_EOS);
*s++ = *p++;
- else
+ } else
p = pp;
}
}
--
2.34.1

99
backport-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch Normal file
View File

@ -0,0 +1,99 @@
From 09656b9beb583eee73b58f64e0e43c0df262c99c Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Wed, 19 Jun 2024 11:32:49 +0800
Subject: [PATCH 3/4] awk: fix use-after-realloc (CVE-2021-42380), closes 15601
backport from upstream:
https://git.alpinelinux.org/aports/plain/main/busybox/0029-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch
Signed-off-by: liuxu <liuxu156@huawei.com>
---
editors/awk.c | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index e1d510c..7a73f04 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -558,7 +558,7 @@ struct globals {
const char *g_progname;
int g_lineno;
int nfields;
- int maxfields; /* used in fsrealloc() only */
+ unsigned maxfields;
var *Fields;
char *g_pos;
char g_saved_ch;
@@ -1965,9 +1965,9 @@ static void fsrealloc(int size)
{
int i, newsize;
- if (size >= maxfields) {
- /* Sanity cap, easier than catering for overflows */
- if (size > 0xffffff)
+ if ((unsigned)size >= maxfields) {
+ /* Sanity cap, easier than catering for over/underflows */
+ if ((unsigned)size > 0xffffff)
bb_die_memory_exhausted();
i = maxfields;
@@ -2925,6 +2925,7 @@ static var *evaluate(node *op, var *res)
uint32_t opinfo;
int opn;
node *op1;
+ var *old_Fields_ptr;
opinfo = op->info;
opn = (opinfo & OPNMASK);
@@ -2933,10 +2934,16 @@ static var *evaluate(node *op, var *res)
debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
/* execute inevitable things */
+ old_Fields_ptr = NULL;
if (opinfo & OF_RES1) {
if ((opinfo & OF_REQUIRED) && !op1)
syntax_error(EMSG_TOO_FEW_ARGS);
L.v = evaluate(op1, TMPVAR0);
+ /* Does L.v point to $n variable? */
+ if ((size_t)(L.v - Fields) < maxfields) {
+ /* yes, remember where Fields[] is */
+ old_Fields_ptr = Fields;
+ }
if (opinfo & OF_STR1) {
L.s = getvar_s(L.v);
debug_printf_eval("L.s:'%s'\n", L.s);
@@ -2955,14 +2962,29 @@ static var *evaluate(node *op, var *res)
*/
if (opinfo & OF_RES2) {
R.v = evaluate(op->r.n, TMPVAR1);
- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
- //L.v = NULL;
+ /* Seen in $5=$$5=$0:
+ * Evaluation of R.v ($$5=$0 expression)
+ * made L.v ($5) invalid. It's detected here.
+ */
+ if (old_Fields_ptr) {
+ //if (old_Fields_ptr != Fields)
+ // debug_printf_eval("L.v moved\n");
+ L.v += Fields - old_Fields_ptr;
+ }
if (opinfo & OF_STR2) {
R.s = getvar_s(R.v);
debug_printf_eval("R.s:'%s'\n", R.s);
}
}
+ /* Must get L.s after R.v is evaluated in case it realloc's L.v.
+ * eg: x = (v = "abc", gsub("b", "X", v));
+ */
+ if ((opinfo & OF_RES1) && (opinfo & OF_STR1)) {
+ L.s = getvar_s(L.v);
+ debug_printf_eval("L.s:'%s'\n", L.s);
+ }
+
debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
switch (XC(opinfo & OPCLSMASK)) {
--
2.43.0

29
backport-fix-use-after-free-in-bc-module.patch Normal file
View File

@ -0,0 +1,29 @@
From 907e1b3a22a8092461176af45468c5b1b9bf6cc0 Mon Sep 17 00:00:00 2001
From: jackey_1024 <jikui2@huawei.com>
Date: Fri, 28 Oct 2022 09:45:08 +0800
Subject: [PATCH] busybox: fix use after free in bc module
backport from upstream:
https://git.busybox.net/busybox/commit/?id=41d5f800a14769704082f7faeabb8435285499be
Signed-off-by: jackey_1024 <jikui2@huawei.com>
---
miscutils/bc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/miscutils/bc.c b/miscutils/bc.c
index f9b08b0..4363585 100644
--- a/miscutils/bc.c
+++ b/miscutils/bc.c
@@ -2892,6 +2892,8 @@ static char peek_inbuf(void)
) {
xc_read_line(&G.input_buffer, G.prs.lex_input_fp);
G.prs.lex_inbuf = G.input_buffer.v;
+ // lex_next_at may point to now-freed data, update it:
+ G.prs.lex_next_at = G.prs.lex_inbuf;
if (G.input_buffer.len <= 1) // on EOF, len is 1 (NUL byte)
G.prs.lex_input_fp = NULL;
}
--
2.25.1

29
busybox.spec
View File

@ -4,7 +4,7 @@
%endif
%if "%{!?RELEASE:1}"
%define RELEASE 16
%define RELEASE 20
%endif
Epoch: 1
@ -22,6 +22,12 @@ Source3: busybox-dynamic.config
Patch6000: backport-CVE-2022-28391.patch
Patch6001: backport-CVE-2022-30065.patch
Patch6002: backport-fix-use-after-free-in-bc-module.patch
Patch6003: backport-CVE-2022-48174.patch
Patch6004: backport-CVE-2023-42364-CVE-2023-42365.patch
Patch6005: backport-CVE-2023-42366.patch
Patch6006: backport-awk-fix-use-after-realloc-CVE-2021-42380-closes-1560.patch
Patch6007: backport-CVE-2023-42363.patch
BuildRoot: %_topdir/BUILDROOT
#Dependency
@ -97,6 +103,27 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
%{_mandir}/man1/busybox.petitboot.1.gz
%changelog
* Wed Jun 19 2024 liuxu <liuxu156@huawei.com> - 1:1.34.1-20
- Type:CVE
- Id:NA
- SUG:NA
- DESC:fix CVE-2023-42364 CVE-2023-42365 CVE-2023-42366 CVE-2023-42363
* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-19
- Type:CVE
- Id:NA
- SUG:NA
- DESC:re-fixed CVE-2022-48174
* Wed Aug 30 2023 huangsong <huangsong14@huawei.com> - 1:1.34.1-18
- Type:CVE
- Id:NA
- SUG:NA
- DESC:fix CVE-2022-48174
* Fri Oct 28 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
- fix use after free in bc module
* Fri Aug 19 2022 jikui <jikui2@huawei.com> - 1:1.34.1-16
- Type:CVE
- Id:NA