re-fixed CVE-2022-48174
Signed-off-by: songbuhuang <544824346@qq.com>
This commit is contained in:
songbuhuang
parent
a7e7b3cc92
commit
6e47580707
@ -1,30 +1,77 @@
|
|||||||
From c0b333aa189c65293b680b942086ace3f3bfc8c1 Mon Sep 17 00:00:00 2001
|
From 1c4fc3ab4f6241a05a24b0593ce63bcb54e469eb Mon Sep 17 00:00:00 2001
|
||||||
From: huangsong <huangsong14@huawei.com>
|
From: songbuhuang <544824346@qq.com>
|
||||||
Date: Mon, 28 Aug 2023 16:27:43 +0800
|
Date: Thu, 31 Aug 2023 11:39:36 +0800
|
||||||
Subject: [PATCH] fix CVE-2022-48174
|
Subject: [PATCH] fix CVE-2022-48174
|
||||||
|
|
||||||
backport from upstream:
|
Signed-off-by: songbuhuang <544824346@qq.com>
|
||||||
https://bugs.busybox.net/show_bug.cgi?id=15216
|
|
||||||
|
|
||||||
Signed-off-by: huangsong <huangsong14@huawei.com>
|
|
||||||
---
|
---
|
||||||
shell/math.c | 3 ++-
|
shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 35 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/shell/math.c b/shell/math.c
|
diff --git a/shell/math.c b/shell/math.c
|
||||||
index 76d22c9..83ef85c 100644
|
index 76d22c9..727c294 100644
|
||||||
--- a/shell/math.c
|
--- a/shell/math.c
|
||||||
+++ b/shell/math.c
|
+++ b/shell/math.c
|
||||||
@@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
|
||||||
/* The proof that there can be no more than strlen(startbuf)/2+1
|
# endif
|
||||||
* integers in any given correct or incorrect expression
|
#endif
|
||||||
* is left as an exercise to the reader. */
|
|
||||||
- var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
|
+//TODO: much better estimation than expr_len/2? Such as:
|
||||||
+ /* Counterexample: 09J results in three integers. */
|
+//static unsigned estimate_nums_and_names(const char *expr)
|
||||||
+ var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
|
+//{
|
||||||
|
+// unsigned count = 0;
|
||||||
|
+// while (*(expr = skip_whitespace(expr)) != '\0') {
|
||||||
|
+// const char *p;
|
||||||
|
+// if (isdigit(*expr)) {
|
||||||
|
+// while (isdigit(*++expr))
|
||||||
|
+// continue;
|
||||||
|
+// count++;
|
||||||
|
+// continue;
|
||||||
|
+// }
|
||||||
|
+// p = endofname(expr);
|
||||||
|
+// if (p != expr) {
|
||||||
|
+// expr = p;
|
||||||
|
+// count++;
|
||||||
|
+// continue;
|
||||||
|
+// }
|
||||||
|
+// }
|
||||||
|
+// return count;
|
||||||
|
+//}
|
||||||
|
+
|
||||||
|
static arith_t
|
||||||
|
evaluate_string(arith_state_t *math_state, const char *expr)
|
||||||
|
{
|
||||||
|
@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
||||||
|
const char *errmsg;
|
||||||
|
const char *start_expr = expr = skip_whitespace(expr);
|
||||||
|
unsigned expr_len = strlen(expr) + 2;
|
||||||
|
- /* Stack of integers */
|
||||||
|
- /* The proof that there can be no more than strlen(startbuf)/2+1
|
||||||
|
- * integers in any given correct or incorrect expression
|
||||||
|
- * is left as an exercise to the reader. */
|
||||||
|
+ /* Stack of integers/names */
|
||||||
|
+ /* There can be no more than strlen(startbuf)/2+1
|
||||||
|
+ * integers/names in any given correct or incorrect expression.
|
||||||
|
+ * (modulo "09v09v09v09v09v" case,
|
||||||
|
+ * but we have code to detect that early)
|
||||||
|
+ */
|
||||||
|
var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
|
||||||
var_or_num_t *numstackptr = numstack;
|
var_or_num_t *numstackptr = numstack;
|
||||||
/* Stack of operator tokens */
|
/* Stack of operator tokens */
|
||||||
operator *const stack = alloca(expr_len * sizeof(stack[0]));
|
@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
||||||
|
numstackptr->var = NULL;
|
||||||
|
errno = 0;
|
||||||
|
numstackptr->val = strto_arith_t(expr, (char**) &expr);
|
||||||
|
+ /* A number can't be followed by another number, or a variable name.
|
||||||
|
+ * We'd catch this later anyway, but this would require numstack[]
|
||||||
|
+ * to be twice as deep to handle strings where _every_ char is
|
||||||
|
+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
|
||||||
|
+ */
|
||||||
|
+ if (isalnum(*expr) || *expr == '_')
|
||||||
|
+ goto err;
|
||||||
|
//bb_error_msg("val:%lld", numstackptr->val);
|
||||||
|
if (errno)
|
||||||
|
numstackptr->val = 0; /* bash compat */
|
||||||
--
|
--
|
||||||
2.26.2
|
2.26.2
|
||||||
|
|
||||||
|
|||||||
@ -4,7 +4,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if "%{!?RELEASE:1}"
|
%if "%{!?RELEASE:1}"
|
||||||
%define RELEASE 2
|
%define RELEASE 3
|
||||||
%endif
|
%endif
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
|
|
||||||
@ -97,6 +97,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
|
|||||||
%{_mandir}/man1/busybox.petitboot.1.gz
|
%{_mandir}/man1/busybox.petitboot.1.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-3
|
||||||
|
- Type:CVE
|
||||||
|
- Id:NA
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:re-fixed CVE-2022-48174
|
||||||
|
|
||||||
* Mon Aug 28 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-2
|
* Mon Aug 28 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-2
|
||||||
- Type:CVE
|
- Type:CVE
|
||||||
- Id:NA
|
- Id:NA
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user