busybox: fix CVE-2022-48174

shell: avoid segfault on ${0::0/0~09J}. Closes 15216 CVE: CVE-2022-48174 Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/busybox/commit/?id=ca2afcbf42017d998ce3d6726f5ff5072a3fa853] (From OE-Core rev: a81aff7d810800ce3265422cddde26d11366d514) Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com> Signed-off-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-17 00:32:13 +02:00 · 2025-07-01 09:06:12 +02:00
parent b4562b5fca
commit fee92f72e1
2 changed files with 81 additions and 0 deletions
--- a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
+From ca2afcbf42017d998ce3d6726f5ff5072a3fa853 Mon Sep 17 00:00:00 2001
+From: Octavio Galland <octavio.galland@canonical.com>
+Date: Tue, 13 Aug 2024 10:42:58 -0300
+Subject: shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport
+Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
+
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 76d22c9b..727c2946 100644
+--- a/shell/math.c
+++ b/shell/math.c
+@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+//	unsigned count = 0;
+//	while (*(expr = skip_whitespace(expr)) != '\0') {
+//		const char *p;
+//		if (isdigit(*expr)) {
+//			while (isdigit(*++expr))
+//				continue;
+//			count++;
+//			continue;
+//		}
+//		p = endofname(expr);
+//		if (p != expr) {
+//			expr = p;
+//			count++;
+//			continue;
+//		}
+//	}
+//	return count;
+//}
+
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	const char *errmsg;
+ 	const char *start_expr = expr = skip_whitespace(expr);
+ 	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
+	/* Stack of integers/names */
+	/* There can be no more than strlen(startbuf)/2+1
+	 * integers/names in any given correct or incorrect expression.
+	 * (modulo "09v09v09v09v09v" case,
+	 * but we have code to detect that early)
+	 */
+ 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ 	var_or_num_t *numstackptr = numstack;
+ 	/* Stack of operator tokens */
+@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 			numstackptr->var = NULL;
+ 			errno = 0;
+ 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
+			/* A number can't be followed by another number, or a variable name.
+			 * We'd catch this later anyway, but this would require numstack[]
+			 * to be twice as deep to handle strings where _every_ char is
+			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+			 */
+			if (isalnum(*expr) || *expr == '_')
+				goto err;
+ //bb_error_msg("val:%lld", numstackptr->val);
+ 			if (errno)
+ 				numstackptr->val = 0; /* bash compat */
+-- 
+cgit v1.2.3
+
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
           file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
+           file://CVE-2022-48174.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html