re-fixed CVE-2022-48174

Signed-off-by: songbuhuang <544824346@qq.com>

backport-CVE-2022-48174.patch

@@ -1,30 +1,77 @@
-From c0b333aa189c65293b680b942086ace3f3bfc8c1 Mon Sep 17 00:00:00 2001
-From: huangsong <huangsong14@huawei.com>
-Date: Mon, 28 Aug 2023 16:27:43 +0800
+From 1c4fc3ab4f6241a05a24b0593ce63bcb54e469eb Mon Sep 17 00:00:00 2001
+From: songbuhuang <544824346@qq.com>
+Date: Thu, 31 Aug 2023 11:39:36 +0800
 Subject: [PATCH] fix CVE-2022-48174
 
-backport from upstream:
-https://bugs.busybox.net/show_bug.cgi?id=15216
-
-Signed-off-by: huangsong <huangsong14@huawei.com>
+Signed-off-by: songbuhuang <544824346@qq.com>
 ---
- shell/math.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
 
 diff --git a/shell/math.c b/shell/math.c
-index 76d22c9..83ef85c 100644
+index 76d22c9..727c294 100644
 --- a/shell/math.c
 +++ b/shell/math.c
-@@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
- 	/* The proof that there can be no more than strlen(startbuf)/2+1
- 	 * integers in any given correct or incorrect expression
- 	 * is left as an exercise to the reader. */
--	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
-+	/* Counterexample: 09J results in three integers. */
-+	var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
+@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//	unsigned count = 0;
++//	while (*(expr = skip_whitespace(expr)) != '\0') {
++//		const char *p;
++//		if (isdigit(*expr)) {
++//			while (isdigit(*++expr))
++//				continue;
++//			count++;
++//			continue;
++//		}
++//		p = endofname(expr);
++//		if (p != expr) {
++//			expr = p;
++//			count++;
++//			continue;
++//		}
++//	}
++//	return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	const char *errmsg;
+ 	const char *start_expr = expr = skip_whitespace(expr);
+ 	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
++	/* Stack of integers/names */
++	/* There can be no more than strlen(startbuf)/2+1
++	 * integers/names in any given correct or incorrect expression.
++	 * (modulo "09v09v09v09v09v" case,
++	 * but we have code to detect that early)
++	 */
+ 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
  	var_or_num_t *numstackptr = numstack;
  	/* Stack of operator tokens */
- 	operator *const stack = alloca(expr_len * sizeof(stack[0]));
+@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 			numstackptr->var = NULL;
+ 			errno = 0;
+ 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
++			/* A number can't be followed by another number, or a variable name.
++			 * We'd catch this later anyway, but this would require numstack[]
++			 * to be twice as deep to handle strings where _every_ char is
++			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++			 */
++			if (isalnum(*expr) || *expr == '_')
++				goto err;
+ //bb_error_msg("val:%lld", numstackptr->val);
+ 			if (errno)
+ 				numstackptr->val = 0; /* bash compat */
 -- 
 2.26.2
 

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 2
+%define RELEASE 3
 %endif
 Epoch: 1
 
@@ -97,6 +97,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-3
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:re-fixed CVE-2022-48174
+
 * Mon Aug 28 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-2
 - Type:CVE
 - Id:NA