Message ID | 20250630145027.2540389-1-vgiraud.opensource@witekio.com |
---|---|
State | Changes Requested |
Delegated to: | Steve Sakoman |
Series | [scarthgap] busybox: fix CVE-2022-48174 | expand |
> -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of Victor Giraud via > lists.openembedded.org > Sent: Monday, June 30, 2025 16:50 > To: openembedded-core@lists.openembedded.org > Cc: Victor Giraud <vgiraud.opensource@witekio.com>; Bruno Vernay > <bruno.vernay@se.com> > Subject: [OE-core] [scarthgap][PATCH] busybox: fix CVE-2022-48174 > > From: Victor Giraud <vgiraud.opensource@witekio.com> > > shell: avoid segfault on ${0::0/0~09J}. Closes 15216 > CVE: CVE-2022-48174 > > Upstream-Status: Backport > [https://git.launchpad.net/ubuntu/+source/busybox/commit/?id=ca2afcbf42017d998 > ce3d6726f5ff5072a3fa853] > > Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com> > Signed-off-by: Bruno Vernay <bruno.vernay@se.com> > --- > .../busybox/busybox/CVE-2022-48174.patch | 80 +++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.36.1.bb | 1 + > 2 files changed, 81 insertions(+) > create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch > > diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch > b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch > new file mode 100644 > index 0000000000..01d3213281 > --- /dev/null > +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch 
> @@ -0,0 +1,80 @@ > +From ca2afcbf42017d998ce3d6726f5ff5072a3fa853 Mon Sep 17 00:00:00 2001 > +From: Octavio Galland <octavio.galland@canonical.com> > +Date: Tue, 13 Aug 2024 10:42:58 -0300 > +Subject: shell: avoid segfault on ${0::0/0~09J}. Closes 15216 > + > +CVE: CVE-2022-48174 > +Upstream-Status: Pending This should be "Backport" as stated in the commit message. Peter > +Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com> > + > +--- > + shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- > + 1 file changed, 35 insertions(+), 4 deletions(-) > + > +diff --git a/shell/math.c b/shell/math.c > +index 76d22c9b..727c2946 100644 > +--- a/shell/math.c > ++++ b/shell/math.c > +@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char > **endptr) > + # endif > + #endif > + > ++//TODO: much better estimation than expr_len/2? Such as: > ++//static unsigned estimate_nums_and_names(const char *expr) > ++//{ > ++// unsigned count = 0; > ++// while (*(expr = skip_whitespace(expr)) != '\0') { > ++// const char *p; > ++// if (isdigit(*expr)) { > ++// while (isdigit(*++expr)) > ++// continue; > ++// count++; > ++// continue; > ++// } > ++// p = endofname(expr); > ++// if (p != expr) { > ++// expr = p; > ++// count++; > ++// continue; > ++// } > ++// } > ++// return count; > ++//} > ++ > + static arith_t > + evaluate_string(arith_state_t *math_state, const char *expr) > + { > +@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char > *expr) > + const char *errmsg; > + const char *start_expr = expr = skip_whitespace(expr); > + unsigned expr_len = strlen(expr) + 2; > +- /* Stack of integers */ > +- /* The proof that there can be no more than strlen(startbuf)/2+1 > +- * integers in any given correct or incorrect expression > +- * is left as an exercise to the reader. */ > ++ /* Stack of integers/names */ > ++ /* There can be no more than strlen(startbuf)/2+1 > ++ * integers/names in any given correct or incorrect expression. 
> ++ * (modulo "09v09v09v09v09v" case, > ++ * but we have code to detect that early) > ++ */ > + var_or_num_t *const numstack = alloca((expr_len / 2) * > sizeof(numstack[0])); > + var_or_num_t *numstackptr = numstack; > + /* Stack of operator tokens */ > +@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char > *expr) > + numstackptr->var = NULL; > + errno = 0; > + numstackptr->val = strto_arith_t(expr, (char**) &expr); > ++ /* A number can't be followed by another number, or a > variable name. > ++ * We'd catch this later anyway, but this would require > numstack[] > ++ * to be twice as deep to handle strings where _every_ > char is > ++ * a new number or name. Example: > 09v09v09v09v09v09v09v09v09v > ++ */ > ++ if (isalnum(*expr) || *expr == '_') > ++ goto err; > + //bb_error_msg("val:%lld", numstackptr->val); > + if (errno) > + numstackptr->val = 0; /* bash compat */ > +-- > +cgit v1.2.3 > + > diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes- > core/busybox/busybox_1.36.1.bb > index 42dd5f71eb..69e9555766 100644 > --- a/meta/recipes-core/busybox/busybox_1.36.1.bb > +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb > @@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox- > ${PV}.tar.bz2;name=tarball \ > file://0002-awk-fix-ternary-operator-and-precedence-of.patch \ > file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \ > file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \ > + file://CVE-2022-48174.patch \ > " > SRC_URI:append:libc-musl = " file://musl.cfg " > # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html > -- > 2.34.1
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..01d3213281
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
+From ca2afcbf42017d998ce3d6726f5ff5072a3fa853 Mon Sep 17 00:00:00 2001
+From: Octavio Galland <octavio.galland@canonical.com>
+Date: Tue, 13 Aug 2024 10:42:58 -0300
+Subject: shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+CVE: CVE-2022-48174
+Upstream-Status: Pending
+Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
+
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 76d22c9b..727c2946 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ //bb_error_msg("val:%lld", numstackptr->val);
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+--
+cgit v1.2.3
+
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 42dd5f71eb..69e9555766 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
 file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
 file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
+ file://CVE-2022-48174.patch \
 "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
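Review bot: The `numstack` depth of `expr_len / 2` entries in evaluate_string is only safe because of the early `if (isalnum(*expr) || *expr == '_') goto err;` check added in the third shell/math.c hunk, and this backport ships no test that would notice if a later patch refresh dropped or displaced that check (the embedded diffstat touches shell/math.c only). Consider carrying a regression case alongside the patch that evaluates the `09v09v09v09v09v` pattern quoted in the new comment and expects an arithmetic error rather than a crash. The allocation itself is still `alloca()` sized from `strlen(expr)`, so stack use continues to scale with input length; if callers do not bound the expression, that residual deserves a comment next to the alloca, e.g. `/* NOTE: stack use is proportional to strlen(expr) */`. evaluate_string starts inside the first math.c hunk and continues past the last one, so the `err` label is not visible here.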