busybox: fix use after free in bc module

Signed-off-by: jackey_1024 <jikui2@huawei.com>
2022-10-28 09:54:50 +08:00 · 2022-10-28 09:54:50 +08:00 · 61a5130356
commit 61a5130356
parent a4f5931e8a
2 changed files with 34 additions and 1 deletions
--- a/backport-fix-use-after-free-in-bc-module.patch
+++ b/backport-fix-use-after-free-in-bc-module.patch
@ -0,0 +1,29 @@
+From 907e1b3a22a8092461176af45468c5b1b9bf6cc0 Mon Sep 17 00:00:00 2001
+From: jackey_1024 <jikui2@huawei.com>
+Date: Fri, 28 Oct 2022 09:45:08 +0800
+Subject: [PATCH] busybox: fix use after free in bc module
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=41d5f800a14769704082f7faeabb8435285499be
+
+Signed-off-by: jackey_1024 <jikui2@huawei.com>
+---
+ miscutils/bc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/miscutils/bc.c b/miscutils/bc.c
+index f9b08b0..4363585 100644
+--- a/miscutils/bc.c
+++ b/miscutils/bc.c
+@@ -2892,6 +2892,8 @@ static char peek_inbuf(void)
+ 	) {
+ 		xc_read_line(&G.input_buffer, G.prs.lex_input_fp);
+ 		G.prs.lex_inbuf = G.input_buffer.v;
+		// lex_next_at may point to now-freed data, update it:
+		G.prs.lex_next_at = G.prs.lex_inbuf;
+ 		if (G.input_buffer.len <= 1) // on EOF, len is 1 (NUL byte)
+ 			G.prs.lex_input_fp = NULL;
+ 	}
+-- 
+2.25.1
+
--- a/busybox.spec
+++ b/busybox.spec
@ -4,7 +4,7 @@
 %endif

 %if "%{!?RELEASE:1}"
-%define RELEASE 17
+%define RELEASE 18
 %endif
 Epoch: 1

@ -22,6 +22,7 @@ Source3: busybox-dynamic.config

 Patch6000: backport-CVE-2022-28391.patch
 Patch6001: backport-CVE-2022-30065.patch
+Patch6002: backport-fix-use-after-free-in-bc-module.patch

 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@ -97,6 +98,9 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz

 %changelog
+* Fri Oct 28 2022 jikui <jikui2@huawei.com> - 1:1.34.1-18
+- fix use after free in bc module
+
 * Fri Aug 19 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
 - Type:CVE
 - Id:NA