From 41ced1d003c6c513daa3d7d953d5cc20a5c2cc4e Mon Sep 17 00:00:00 2001 From: songbuhuang <544824346@qq.com> Date: Thu, 31 Aug 2023 12:12:40 +0800 Subject: [PATCH] re-fixed CVE-2022-48174 Signed-off-by: songbuhuang <544824346@qq.com> --- backport-CVE-2022-48174.patch | 76 +++++++++++++++++++++++++++++------ busybox.spec | 8 +++- 2 files changed, 70 insertions(+), 14 deletions(-) diff --git a/backport-CVE-2022-48174.patch b/backport-CVE-2022-48174.patch index b38c7a4..86bbe57 100644 --- a/backport-CVE-2022-48174.patch +++ b/backport-CVE-2022-48174.patch @@ -1,27 +1,77 @@ -From ba44d48bec1ced7d7706d84da33a5976f1d8c3cb Mon Sep 17 00:00:00 2001 +From 4bfb95d9c2f8f80cc2d1e282823ce49c25f7e784 Mon Sep 17 00:00:00 2001 From: songbuhuang <544824346@qq.com> -Date: Wed, 30 Aug 2023 11:55:40 +0800 +Date: Thu, 31 Aug 2023 12:08:23 +0800 Subject: [PATCH] fix CVE-2022-48174 Signed-off-by: songbuhuang <544824346@qq.com> --- - shell/math.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/shell/math.c b/shell/math.c -index 2942cdd..8835e90 100644 +index 2942cdd..e9bd62b 100644 --- a/shell/math.c +++ b/shell/math.c -@@ -593,7 +593,8 @@ evaluate_string(arith_state_t *math_state, const char *expr) - /* The proof that there can be no more than strlen(startbuf)/2+1 - * integers in any given correct or incorrect expression - * is left as an exercise to the reader. */ -- var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); -+ /* Counterexample: 09J results in three integers. */ -+ var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0])); +@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. ++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); var_or_num_t *numstackptr = numstack; /* Stack of operator tokens */ - operator *const stack = alloca(expr_len * sizeof(stack[0])); +@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. ++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + if (errno) + numstackptr->val = 0; /* bash compat */ + goto num; -- 2.26.2 diff --git a/busybox.spec b/busybox.spec index a133dce..be2793c 100644 --- a/busybox.spec +++ b/busybox.spec @@ -4,7 +4,7 @@ %endif %if "%{!?RELEASE:1}" -%define RELEASE 18 +%define RELEASE 19 %endif Epoch: 1 @@ -99,6 +99,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Thu Aug 31 2023 huangsong - 1:1.34.1-19 +- Type:CVE +- Id:NA +- SUG:NA +- DESC:re-fixed CVE-2022-48174 + * Wed Aug 30 2023 huangsong - 1:1.34.1-18 - Type:CVE - Id:NA -- Gitee