
[kirkstone,3/6] busybox: Patch CVE-2021-42380

Message ID af3c8ff64054e131b009545883cb87454ce04b64.1721479252.git.steve@sakoman.com
State Accepted, archived
Commit af3c8ff64054e131b009545883cb87454ce04b64
Delegated to: Steve Sakoman

Commit Message

Steve Sakoman July 20, 2024, 12:42 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Backport patch for CVE-2021-42380.

Move it before the patch for CVE-2023-42363 because they touch the same code
and they appear in this order in upstream git history, so we avoid fuzz modifications.
This removes the fuzz modifications from the CVE-2023-42363 patch and both will
apply cleanly without modifications (except for line number changes; the
first one also carries a small fuzz fix in the tests).
This will also make it equal to master/scarthgap patch order/content.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../busybox/busybox/CVE-2021-42380.patch      | 151 ++++++++++++++++++
 .../busybox/busybox/CVE-2023-42363.patch      |  11 +-
 meta/recipes-core/busybox/busybox_1.35.0.bb   |   1 +
 3 files changed, 158 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42380.patch


diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
new file mode 100644
index 0000000000..f40fe582c5
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
@@ -0,0 +1,151 @@ 
+From 5dcc443dba039b305a510c01883e9f34e42656ae Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 May 2023 19:36:58 +0200
+Subject: [PATCH] awk: fix use-after-realloc (CVE-2021-42380), closes 15601
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2021-42380
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=5dcc443dba039b305a510c01883e9f34e42656ae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ editors/awk.c       | 26 ++++++++++++++++-----
+ testsuite/awk.tests | 55 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 75 insertions(+), 6 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 728ee8685..2af823808 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -555,7 +555,7 @@ struct globals {
+ 	const char *g_progname;
+ 	int g_lineno;
+ 	int nfields;
+-	int maxfields; /* used in fsrealloc() only */
++	unsigned maxfields;
+ 	var *Fields;
+ 	char *g_pos;
+ 	char g_saved_ch;
+@@ -1917,9 +1917,9 @@ static void fsrealloc(int size)
+ {
+ 	int i, newsize;
+ 
+-	if (size >= maxfields) {
+-		/* Sanity cap, easier than catering for overflows */
+-		if (size > 0xffffff)
++	if ((unsigned)size >= maxfields) {
++		/* Sanity cap, easier than catering for over/underflows */
++		if ((unsigned)size > 0xffffff)
+ 			bb_die_memory_exhausted();
+ 
+ 		i = maxfields;
+@@ -2877,6 +2877,7 @@ static var *evaluate(node *op, var *res)
+ 		uint32_t opinfo;
+ 		int opn;
+ 		node *op1;
++		var *old_Fields_ptr;
+ 
+ 		opinfo = op->info;
+ 		opn = (opinfo & OPNMASK);
+@@ -2885,10 +2886,16 @@ static var *evaluate(node *op, var *res)
+ 		debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
+ 
+ 		/* execute inevitable things */
++		old_Fields_ptr = NULL;
+ 		if (opinfo & OF_RES1) {
+ 			if ((opinfo & OF_REQUIRED) && !op1)
+ 				syntax_error(EMSG_TOO_FEW_ARGS);
+ 			L.v = evaluate(op1, TMPVAR0);
++			/* Does L.v point to $n variable? */
++			if ((size_t)(L.v - Fields) < maxfields) {
++				/* yes, remember where Fields[] is */
++				old_Fields_ptr = Fields;
++			}
+ 			if (opinfo & OF_STR1) {
+ 				L.s = getvar_s(L.v);
+ 				debug_printf_eval("L.s:'%s'\n", L.s);
+@@ -2907,8 +2914,15 @@ static var *evaluate(node *op, var *res)
+ 		 */
+ 		if (opinfo & OF_RES2) {
+ 			R.v = evaluate(op->r.n, TMPVAR1);
+-			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
+-			//L.v = NULL;
++			/* Seen in $5=$$5=$0:
++			 * Evaluation of R.v ($$5=$0 expression)
++			 * made L.v ($5) invalid. It's detected here.
++			 */
++			if (old_Fields_ptr) {
++				//if (old_Fields_ptr != Fields)
++				//	debug_printf_eval("L.v moved\n");
++				L.v += Fields - old_Fields_ptr;
++			}
+ 			if (opinfo & OF_STR2) {
+ 				R.s = getvar_s(R.v);
+ 				debug_printf_eval("R.s:'%s'\n", R.s);
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index bcaafe8..08afdb2 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -469,4 +469,59 @@ testing 'awk printf %% prints one %' \
+ 	"%\n" \
+ 	'' ''
+ 
++# User-supplied bug (SEGV) example, was causing use-after-realloc
++testing 'awk assign while assign' \
++	"awk '\$5=\$\$5=\$0'; echo \$?" \
++	"\
++─ process timing ────────────────────────────────────┬─ ─ process timing ────────────────────────────────────┬─ overall results ────┐ results ────┐
++│ run time : │        run time : 0 days, 0 hrs, 0 min, 56 sec      │  cycles done : 0     │ days, 0 hrs, 0 min, 56 sec │ cycles done : 0 │
++│ last new find │   last new find : 0 days, 0 hrs, 0 min, 1 sec       │ corpus count : 208   │ 0 days, 0 hrs, 0 min, 1 sec │ corpus count : 208 │
++│last saved crash : │last saved crash : none seen yet                     │saved crashes : 0     │ seen yet │saved crashes : 0 │
++│ last saved hang │ last saved hang : none seen yet                     │  saved hangs : 0     │ none seen yet │ saved hangs : 0 │
++├─ cycle progress ─────────────────────┬─ ├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤ coverage┴──────────────────────┤
++│ now processing : │  now processing : 184.1 (88.5%)      │    map density : 0.30% / 0.52%      │ (88.5%) │ map density : 0.30% / 0.52% │                                                                                                                                                                          │  now processing : 184.1 (88.5%)      │    map density : 0.30% / 0.52%      │
++│ runs timed out │  runs timed out : 0 (0.00%)          │ count coverage : 2.18 bits/tuple    │ 0 (0.00%) │ count coverage : 2.18 bits/tuple │
++├─ stage progress ─────────────────────┼─ ├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤ in depth ─────────────────┤
++│ now trying : │  now trying : havoc                  │ favored items : 43 (20.67%)         │ │ favored items : 43 (20.67%) │
++│ stage execs : │ stage execs : 11.2k/131k (8.51%)     │  new edges on : 52 (25.00%)         │ (8.51%) │ new edges on │ stage execs : 11.2k/131k (8.51%)     │  new edges on : 52 (25.00%)         │ 52 (25.00%) │
++│ total execs : │ total execs : 179k                   │ total crashes : 0 (0 saved)         │ │ total crashes : 0 (0 saved) │                                                                                                                                                                      │ total execs : 179k                   │ total crashes : 0 (0 saved)         │
++│ exec speed : │  exec speed : 3143/sec               │  total tmouts : 0 (0 saved)         │ │ total tmouts : 0 (0 saved) │                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        │  exec speed : 3143/sec               │  total tmouts : 0 (0 saved)         │
++├─ fuzzing strategy yields ├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤ item geometry ───────┤
++│ bit flips : │   bit flips : 11/648, 4/638, 5/618                 │    levels : 4         │ 4/638, 5/618 │ levels : │   bit flips : 11/648, 4/638, 5/618                 │    levels : 4         │ │
++│ byte flips : │  byte flips : 0/81, 0/71, 0/52                     │   pending : 199       │ 0/71, 0/52 │ pending : 199 │
++│ arithmetics : 11/4494, │ arithmetics : 11/4494, 0/1153, 0/0                 │  pend fav : 35        │ 0/0 │ pend fav : 35 │
++│  known ints : 1/448, 0/1986, 0/2288                │ own finds : 207       │ known ints : │  known ints : 1/448, 0/1986, 0/2288                │ own finds : 207       │ 0/1986, 0/2288 │ own finds : 207 │
++│ dictionary : 0/0, │  dictionary : 0/0, 0/0, 0/0, 0/0                   │  imported : 0         │ 0/0, 0/0 │ imported : 0 │
++│havoc/splice : 142/146k, 23/7616 │havoc/splice : 142/146k, 23/7616                    │ stability : 100.00%   │ stability : 100.00% │
++│py/custom/rq : unused, unused, │py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘ unused ├───────────────────────┘
++│ trim/eff : 57.02%/26, │    trim/eff : 57.02%/26, 0.00%                     │          [cpu000:100%] │ [cpu000:100%]
++└────────────────────────────────────────────────────┘^C    └────────────────────────────────────────────────────┘^C
++0
++" \
++	"" \
++	"\
++─ process timing ────────────────────────────────────┬─ overall results ────┐
++│        run time : 0 days, 0 hrs, 0 min, 56 sec      │  cycles done : 0     │
++│   last new find : 0 days, 0 hrs, 0 min, 1 sec       │ corpus count : 208   │
++│last saved crash : none seen yet                     │saved crashes : 0     │
++│ last saved hang : none seen yet                     │  saved hangs : 0     │
++├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
++│  now processing : 184.1 (88.5%)      │    map density : 0.30% / 0.52%      │
++│  runs timed out : 0 (0.00%)          │ count coverage : 2.18 bits/tuple    │
++├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
++│  now trying : havoc                  │ favored items : 43 (20.67%)         │
++│ stage execs : 11.2k/131k (8.51%)     │  new edges on : 52 (25.00%)         │
++│ total execs : 179k                   │ total crashes : 0 (0 saved)         │
++│  exec speed : 3143/sec               │  total tmouts : 0 (0 saved)         │
++├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
++│   bit flips : 11/648, 4/638, 5/618                 │    levels : 4         │
++│  byte flips : 0/81, 0/71, 0/52                     │   pending : 199       │
++│ arithmetics : 11/4494, 0/1153, 0/0                 │  pend fav : 35        │
++│  known ints : 1/448, 0/1986, 0/2288                │ own finds : 207       │
++│  dictionary : 0/0, 0/0, 0/0, 0/0                   │  imported : 0         │
++│havoc/splice : 142/146k, 23/7616                    │ stability : 100.00%   │
++│py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘
++│    trim/eff : 57.02%/26, 0.00%                     │          [cpu000:100%]
++└────────────────────────────────────────────────────┘^C"
++
+ exit $FAILCOUNT
+-- 
+2.30.2
+
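Review bot: The field-variable test added in evaluate(), `if ((size_t)(L.v - Fields) < maxfields)`, subtracts two pointers that need not belong to the same array (L.v can be a TMPVAR or a hash-stored var, which is why the check is conditional), and pointer subtraction across unrelated objects is undefined behaviour in C even though it works on flat address spaces; `if ((uintptr_t)L.v - (uintptr_t)Fields < (uintptr_t)maxfields * sizeof(Fields[0]))` expresses the same range check without relying on that. Since this file is a verbatim backport of upstream 5dcc443, the change is better raised upstream than carried as a local deviation, but a short comment noting the assumption would help the next reader. Separately, the expected-stdout block of the new 'awk assign while assign' test as rendered here contains duplicated cells and one line broken in two, whereas the stdin block further down is clean; if that is in the committed file rather than a display artefact, the patch will still apply but the test will fail, so compare it against the upstream commit before merging. evaluate() starts and ends outside this hunk.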
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
index b401a6e3e5..08e41415df 100644
--- a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
+++ b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
@@ -14,6 +14,7 @@  Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa]
 CVE: CVE-2023-42363
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
 ---
  editors/awk.c | 21 +++++++++++++--------
  1 file changed, 13 insertions(+), 8 deletions(-)
@@ -22,10 +23,10 @@  diff --git a/editors/awk.c b/editors/awk.c
 index 654cbac..4fbc11d 100644
 --- a/editors/awk.c
 +++ b/editors/awk.c
-@@ -2889,19 +2889,14 @@ static var *evaluate(node *op, var *res)
- 			if ((opinfo & OF_REQUIRED) && !op1)
- 				syntax_error(EMSG_TOO_FEW_ARGS);
- 			L.v = evaluate(op1, TMPVAR0);
+@@ -2896,19 +2896,14 @@ static var *evaluate(node *op, var *res)
+ 				/* yes, remember where Fields[] is */
+ 				old_Fields_ptr = Fields;
+ 			}
 -			if (opinfo & OF_STR1) {
 -				L.s = getvar_s(L.v);
 -				debug_printf_eval("L.s:'%s'\n", L.s);
@@ -45,7 +46,7 @@  index 654cbac..4fbc11d 100644
  		 * R.v points to Fields[NNN2] but L.v now points to freed mem!
  		 * (Seen trying to evaluate "$444 $44444")
  		 */
-@@ -2914,6 +2909,16 @@ static var *evaluate(node *op, var *res)
+@@ -2928,6 +2923,16 @@ static var *evaluate(node *op, var *res)
  				debug_printf_eval("R.s:'%s'\n", R.s);
  			}
  		}
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index 842562c4c4..1c7fe2f43e 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -52,6 +52,7 @@  SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2022-30065.patch \
            file://0001-devmem-add-128-bit-width.patch \
 	   file://CVE-2022-48174.patch \
+           file://CVE-2021-42380.patch \
            file://CVE-2023-42363.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
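Review bot: The new `file://CVE-2021-42380.patch` entry must stay ahead of `file://CVE-2023-42363.patch`: after this series the latter's context lines reference `old_Fields_ptr`, which only exists once the former is applied, so reordering SRC_URI would make the second patch fail to apply. A one-line comment in the recipe, e.g. `# CVE-2021-42380 must precede CVE-2023-42363 (overlapping awk.c hunks)`, would make that ordering constraint explicit to whoever adds the next busybox CVE patch here.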