busybox/backport-CVE-2021-28831.patch

From 26d06cef6684055a30cce5922095d22e8a9a91e3 Mon Sep 17 00:00:00 2001
From: leizhongkai <leizhongkai@huawei.com>
Date: Sat, 17 Apr 2021 14:27:23 +0800
Subject: [PATCH] busybox: fix CVE-2021-28831

backoprt from upstream:
https://git.busybox.net/busybox/patch/?id=dbd3b883a891f076911d752f56f7a906d5650a17

Signed-off-by: leizhongkai <leizhongkai@huawei.com>
---
 archival/libarchive/decompress_gunzip.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 7f9046b..3eeae76 100644
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -222,10 +222,21 @@ static const uint8_t border[] ALIGN1 = {
  * each table.
  * t: table to free
  */
+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+#define ERR_RET     ((huft_t*)(uintptr_t)1)
 static void huft_free(huft_t *p)
 {
 	huft_t *q;
 
+    /*
+     * If 'p' has the error bit set we have to clear it, otherwise we might run
+     * into a segmentation fault or an invalid pointer to free(p)
+     */
+    if (BAD_HUFT(p)) {
+        p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
+    }
+
+
 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
 	while (p) {
 		q = (--p)->v.t;
-- 
2.23.0
fix CVE-2021-28831 Signed-off-by: caihaomin <caihaomin@huawei.com> 2021-04-17 17:42:08 +08:00			`From 26d06cef6684055a30cce5922095d22e8a9a91e3 Mon Sep 17 00:00:00 2001`
			`From: leizhongkai <leizhongkai@huawei.com>`
			`Date: Sat, 17 Apr 2021 14:27:23 +0800`
			`Subject: [PATCH] busybox: fix CVE-2021-28831`

			`backoprt from upstream:`
			`https://git.busybox.net/busybox/patch/?id=dbd3b883a891f076911d752f56f7a906d5650a17`

			`Signed-off-by: leizhongkai <leizhongkai@huawei.com>`
			`---`
			`archival/libarchive/decompress_gunzip.c \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

			`diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c`
			`index 7f9046b..3eeae76 100644`
			`--- a/archival/libarchive/decompress_gunzip.c`
			`+++ b/archival/libarchive/decompress_gunzip.c`
			`@@ -222,10 +222,21 @@ static const uint8_t border[] ALIGN1 = {`
			`* each table.`
			`* t: table to free`
			`*/`
			`+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)`
			`+#define ERR_RET ((huft_t*)(uintptr_t)1)`
			`static void huft_free(huft_t *p)`
			`{`
			`huft_t *q;`

			`+ /*`
			`+ * If 'p' has the error bit set we have to clear it, otherwise we might run`
			`+ * into a segmentation fault or an invalid pointer to free(p)`
			`+ */`
			`+ if (BAD_HUFT(p)) {`
			`+ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));`
			`+ }`
			`+`
			`+`
			`/* Go through linked list, freeing from the malloced (t[-1]) address. */`
			`while (p) {`
			`q = (--p)->v.t;`
			`--`
			`2.23.0`