From: Chen Qi <Qi.Chen@windriver.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][hardknott][PATCH 2/3] busybox: Fix for CVE-2021-42376
Date: Tue, 21 Dec 2021 18:11:24 -0800
Message-ID: <20211222021125.55893-2-Qi.Chen@windriver.com>
In-Reply-To: <20211222021125.55893-1-Qi.Chen@windriver.com>

From: Pavel Zhukov <pavel.zhukov@huawei.com>

A NULL pointer dereference in Busybox's hush applet leads to denial of service
when processing a crafted shell command, due to missing validation after
a \x03 delimiter character.
This may be used for DoS under very rare conditions of filtered command input.

Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42376

(From OE-Core rev: 58e49c94d5305875188110aecdefe77c0afdfcb7)

Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../busybox/busybox/CVE-2021-42376.patch      | 138 ++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.33.1.bb   |   1 +
 2 files changed, 139 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42376.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
new file mode 100644
index 0000000000..c913eaee9c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
@@ -0,0 +1,138 @@
+From 56a335378ac100d51c30b21eee499a2effa37fba Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 16:05:57 +0200
+Subject: hush: fix handling of \^C and "^C"
+
+function                                             old     new   delta
+parse_stream                                        2238    2252     +14
+encode_string                                        243     256     +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0)               Total: 27 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit 1b7a9b68d0e9aa19147d7fda16eb9a6b54156985)
+
+Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
+
+CVE: CVE-2021-42376
+Upstream-Status: Backport [https://git.busybox.net/busybox/patch/?id=56a335378ac100d51c30b21eee499a2effa37fba]
+Comment: No changes in any hunk
+---
+ shell/ash_test/ash-misc/control_char3.right   |  1 +
+ shell/ash_test/ash-misc/control_char3.tests   |  2 ++
+ shell/ash_test/ash-misc/control_char4.right   |  1 +
+ shell/ash_test/ash-misc/control_char4.tests   |  2 ++
+ shell/hush.c                                  | 11 +++++++++++
+ shell/hush_test/hush-misc/control_char3.right |  1 +
+ shell/hush_test/hush-misc/control_char3.tests |  2 ++
+ shell/hush_test/hush-misc/control_char4.right |  1 +
+ shell/hush_test/hush-misc/control_char4.tests |  2 ++
+ 9 files changed, 23 insertions(+)
+ create mode 100644 shell/ash_test/ash-misc/control_char3.right
+ create mode 100755 shell/ash_test/ash-misc/control_char3.tests
+ create mode 100644 shell/ash_test/ash-misc/control_char4.right
+ create mode 100755 shell/ash_test/ash-misc/control_char4.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char3.right
+ create mode 100755 shell/hush_test/hush-misc/control_char3.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char4.right
+ create mode 100755 shell/hush_test/hush-misc/control_char4.tests
+
+diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
+new file mode 100644
+index 000000000..283e02cbb
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.right
+@@ -0,0 +1 @@
++SHELL: line 1: \x03: not found
+diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\\x03' SHELL
+diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
+new file mode 100644
+index 000000000..2bf18e684
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.right
+@@ -0,0 +1 @@
++SHELL: line 1: \x03\x03\x03\x02-\x03: not found
+diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"\x03\x03\x03\x02-\x03"' SHELL
+diff --git a/shell/hush.c b/shell/hush.c
+index 9fead37da..249728b9d 100644
+--- a/shell/hush.c
++++ b/shell/hush.c
+@@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string,
+ 	}
+ #endif
+ 	o_addQchr(dest, ch);
++	if (ch == SPECIAL_VAR_SYMBOL) {
++		/* Convert "^C" to corresponding special variable reference */
++		o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
++		o_addchr(dest, SPECIAL_VAR_SYMBOL);
++	}
+ 	goto again;
+ #undef as_string
+ }
+@@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring,
+ 			if (ch == '\n')
+ 				continue; /* drop \<newline>, get next char */
+ 			nommu_addchr(&ctx.as_string, '\\');
++			if (ch == SPECIAL_VAR_SYMBOL) {
++				nommu_addchr(&ctx.as_string, ch);
++				/* Convert \^C to corresponding special variable reference */
++				goto case_SPECIAL_VAR_SYMBOL;
++			}
+ 			o_addchr(&ctx.word, '\\');
+ 			if (ch == EOF) {
+ 				/* Testcase: eval 'echo Ok\' */
+@@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring,
+ 		/* Note: nommu_addchr(&ctx.as_string, ch) is already done */
+ 
+ 		switch (ch) {
++		case_SPECIAL_VAR_SYMBOL:
+ 		case SPECIAL_VAR_SYMBOL:
+ 			/* Convert raw ^C to corresponding special variable reference */
+ 			o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
+diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
+new file mode 100644
+index 000000000..94b4f8699
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.right
+@@ -0,0 +1 @@
++hush: can't execute '\x03': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\\x03' SHELL
+diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
+new file mode 100644
+index 000000000..698e21427
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.right
+@@ -0,0 +1 @@
++hush: can't execute '\x03\x03\x03\x02-\x03': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"\x03\x03\x03\x02-\x03"' SHELL
+-- 
+cgit v1.2.3
+
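Review bot: The header of the embedded CVE-2021-42376.patch gives two different upstream commit ids (the "From 56a335378ac1..." line, which Upstream-Status also points to, and "cherry picked from commit 1b7a9b68d0e9...") without saying which is the original commit and which is the branch copy; please add a line stating that, so the backport can be checked against one reference. The header also carries only the upstream subject, hush: fix handling of \^C and "^C", while the OE commit message describes a NULL pointer dereference after a \x03 delimiter; a sentence next to the CVE: tag saying that the three shell/hush.c hunks (the SPECIAL_VAR_SYMBOL handling in encode_string and parse_stream) are the fix for that dereference would make the link reviewable from the patch file alone. In parse_stream, the new goto case_SPECIAL_VAR_SYMBOL depends on nommu_addchr(&ctx.as_string, ch) being called just before the jump, matching the "already done" note above the switch; that pairing needs to be preserved if a later backport touches either site.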
diff --git a/meta/recipes-core/busybox/busybox_1.33.1.bb b/meta/recipes-core/busybox/busybox_1.33.1.bb
index 5f574e7f49..e01d4df946 100644
--- a/meta/recipes-core/busybox/busybox_1.33.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.33.1.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch \
            file://0001-mktemp-add-tmpdir-option.patch \
            file://CVE-2021-42374.patch \
+           file://CVE-2021-42376.patch \
            "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.33.0
