* [PATCH] busybox: Fix zlma segfaults
@ 2018-05-30 14:48 Andrej Valek
  2018-05-30 16:46 ` Khem Raj
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Andrej Valek @ 2018-05-30 14:48 UTC (permalink / raw)
  To: openembedded-core

- fix multiple lzma segmentation faults
- patch includes multiple fixing commits with test-cases

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../busybox/busybox/busybox-fix-unlzma-segfaults.patch   | Bin 0 -> 6965 bytes
 meta/recipes-core/busybox/busybox_1.27.2.bb              |   1 +
 2 files changed, 1 insertion(+)
 create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch

diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
new file mode 100644
index 0000000000000000000000000000000000000000..405bfbcc58fc0cfadfb22ca2694d4a59ba9bf150
GIT binary patch
literal 6965

literal 0
HcmV?d00001
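Review bot: the new .patch file arrives as a GIT binary patch (`Bin 0 -> 6965 bytes`, `literal 6965`) rather than as text, so nobody can read, review or apply it from the mail without `git am`, and list tooling will treat it as corrupt; the v2 cover letter gives the cause (the bundled test cases contained binary data). Keep the backport as a plain-text patch touching only decompress_unlzma.c and drop the binary test data, or deliver it separately.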

diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342aaf..9f0393505a 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2011-5325.patch \
            file://CVE-2017-15873.patch \
            file://busybox-CVE-2017-16544.patch \
+           file://busybox-fix-unlzma-segfaults.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.11.0




* Re: [PATCH] busybox: Fix zlma segfaults
  2018-05-30 14:48 [PATCH] busybox: Fix zlma segfaults Andrej Valek
@ 2018-05-30 16:46 ` Khem Raj
  2018-05-31  6:15 ` [PATCH v2] " Andrej Valek
  2018-05-31  8:23 ` [PATCH v3] busybox: Fix lzma segfaults Andrej Valek
  2 siblings, 0 replies; 5+ messages in thread
From: Khem Raj @ 2018-05-30 16:46 UTC (permalink / raw)
  To: Andrej Valek; +Cc: Patches and discussions about the oe-core layer

The patch seems to be corrupt.

On Wed, May 30, 2018 at 7:48 AM, Andrej Valek <andrej.valek@siemens.com> wrote:
> - fix multiple lzma segmentation faults
> - patch includes multiple fixing commits with test-cases
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  .../busybox/busybox/busybox-fix-unlzma-segfaults.patch   | Bin 0 -> 6965 bytes
>  meta/recipes-core/busybox/busybox_1.27.2.bb              |   1 +
>  2 files changed, 1 insertion(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
> new file mode 100644
> index 0000000000000000000000000000000000000000..405bfbcc58fc0cfadfb22ca2694d4a59ba9bf150
> GIT binary patch
> literal 6965
>
> literal 0
> HcmV?d00001
>
> diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
> index 36a6342aaf..9f0393505a 100644
> --- a/meta/recipes-core/busybox/busybox_1.27.2.bb
> +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
> @@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>             file://CVE-2011-5325.patch \
>             file://CVE-2017-15873.patch \
>             file://busybox-CVE-2017-16544.patch \
> +           file://busybox-fix-unlzma-segfaults.patch \
>  "
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>
> --
> 2.11.0
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core



* [PATCH v2] busybox: Fix zlma segfaults
  2018-05-30 14:48 [PATCH] busybox: Fix zlma segfaults Andrej Valek
  2018-05-30 16:46 ` Khem Raj
@ 2018-05-31  6:15 ` Andrej Valek
  2018-05-31  8:13   ` André Draszik
  2018-05-31  8:23 ` [PATCH v3] busybox: Fix lzma segfaults Andrej Valek
  2 siblings, 1 reply; 5+ messages in thread
From: Andrej Valek @ 2018-05-31  6:15 UTC (permalink / raw)
  To: openembedded-core

- fix multiple lzma segmentation faults
- patch includes multiple fixing commits
- test-cases have been removed due to binary data

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../busybox/busybox-fix-unlzma-segfaults.patch     | 106 +++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb        |   1 +
 2 files changed, 107 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch

diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
new file mode 100644
index 0000000000..5215da74a5
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
@@ -0,0 +1,106 @@
+busybox-1.27.2: Fix zlma segfaults
+
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
+
+libarchive: check buffer index in lzma_decompress
+
+With specific defconfig busybox fails to check zip fileheader magic
+(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
+for decompression which leads to segmentation fault. It prevents accessing into
+buffer, which is smaller than pos index. Patch includes multiple segmentation
+fault fixes.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
+bug: 10436 10871
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
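Review bot: the header should state that the upstream commit's testsuite additions were left out of this backport: the cover letter says so, and the code comments further down cite unzip_bad_lzma_2.zip and unzip_bad_lzma_1.zip, files this patch does not add, so a reader of the .patch alone cannot tell where they went. The sentence "It prevents accessing into buffer, which is smaller than pos index" would also read more clearly as "It prevents indexing into the buffer when pos is not smaller than the buffer size".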
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index a904087..29eee2a 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -11,6 +11,14 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
++
++#if 0
++# define dbg(...) bb_error_msg(__VA_ARGS__)
++#else
++# define dbg(...) ((void)0)
++#endif
++
++
+ #if ENABLE_FEATURE_LZMA_FAST
+ #  define speed_inline ALWAYS_INLINE
+ #  define size_inline
+@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	rc_t *rc;
+ 	int i;
+ 	uint8_t *buffer;
++	uint32_t buffer_size;
+ 	uint8_t previous_byte = 0;
+ 	size_t buffer_pos = 0, global_pos = 0;
+ 	int len = 0;
+@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	if (header.dict_size == 0)
+ 		header.dict_size++;
+ 
+-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
++	buffer_size = MIN(header.dst_size, header.dict_size);
++	buffer = xmalloc(buffer_size);
+ 
+ 	{
+ 		int num_probs;
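Review bot: recording the allocation size is the crux of the whole fix. `buffer` holds MIN(header.dst_size, header.dict_size) bytes, so whenever a stream declares a dst_size smaller than its dictionary, the buffer is smaller than the dict_size the decoder later wraps positions against, and a wrapped pos can land beyond the end of the allocation. One type nit: `buffer_size` is declared uint32_t in the previous hunk while `buffer_pos` is size_t and xmalloc takes size_t; it is safe here only because the value is bounded by dict_size, so declaring it size_t would avoid the implicit narrowing and match the types it is compared against.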
+@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
+ 
+ 						pos = buffer_pos - rep0;
+-						if ((int32_t)pos < 0)
++						if ((int32_t)pos < 0) {
+ 							pos += header.dict_size;
++							/* see unzip_bad_lzma_2.zip: */
++							if (pos >= buffer_size)
++								goto bad;
++						}
+ 						previous_byte = buffer[pos];
+ 						goto one_byte1;
+ #else
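Review bot: placing the check only in the wrap-around branch is sufficient: when `(int32_t)pos` is not negative, pos = buffer_pos - rep0 lies below buffer_pos and therefore inside data already written to `buffer`. After `pos += header.dict_size`, however, pos is only guaranteed to be below dict_size, not below buffer_size, and that is the out-of-bounds read `buffer[pos]` closed here. Since the identical wrap-and-check sequence appears again in the string-copy loop below, a small static inline helper would keep the two copies from drifting apart.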
+@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
+ 							rep0 = (rep0 << 1) | rc_direct_bit(rc);
+ 						rep0 <<= LZMA_NUM_ALIGN_BITS;
++						if ((int32_t)rep0 < 0) {
++							dbg("%d rep0:%d", __LINE__, rep0);
++							goto bad;
++						}
+ 						prob3 = p + LZMA_ALIGN;
+ 					}
+ 					i2 = 1;
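Review bot: rejecting rep0 with the top bit set is what keeps the later `(int32_t)pos < 0` tests meaningful: rep0 is a 32-bit distance, and a value of 2^31 or more cannot address any window that the 32-bit dict_size can describe, so treating it as corruption before it feeds `buffer_pos - rep0` is correct. Note that dbg() expands to `((void)0)` under the `#if 0` added at the top of the file, so this diagnostic never reaches a user; the generic message added in the `bad:` block is the only visible report.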
+@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+  IF_NOT_FEATURE_LZMA_FAST(string:)
+ 			do {
+ 				uint32_t pos = buffer_pos - rep0;
+-				if ((int32_t)pos < 0)
++				if ((int32_t)pos < 0) {
+ 					pos += header.dict_size;
++					/* more stringent test (see unzip_bad_lzma_1.zip): */
++					if (pos >= buffer_size)
++						goto bad;
++				}
+ 				previous_byte = buffer[pos];
+  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
+ 				buffer[buffer_pos++] = previous_byte;
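Review bot: this is the second copy of the wrap-and-check sequence (the first is in the LZMA_FAST literal path above), and it sits in the per-byte `do { } while` copy loop, so the extra compare runs once per output byte of every match that wraps. That cost is acceptable for a decoder that has to survive crafted input, but it is one more reason to share a helper so the two checks cannot diverge. The comment's reference to unzip_bad_lzma_1.zip points at a testsuite file this backport does not carry.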
+@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 		IF_DESKTOP(total_written += buffer_pos;)
+ 		if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
+  bad:
++			/* One of our users, bbunpack(), expects _us_ to emit
++			 * the error message (since it's the best place to give
++			 * potentially more detailed information).
++			 * Do not fail silently.
++			 */
++			bb_error_msg("corrupted data");
+ 			total_written = -1; /* failure */
+ 		}
+ 		rc_free(rc);
+ 
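Review bot: the `bad:` label sits inside the `if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos)` block, so the new `bb_error_msg("corrupted data")` also fires when the write itself fails (full disk, closed pipe), misreporting an I/O error as corrupt input. Either emit the message at the `goto bad` sites, or report the write failure with its errno first (bb_perror_msg) and reserve the `bad:` block for decoder-detected corruption.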
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342aaf..9f0393505a 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2011-5325.patch \
            file://CVE-2017-15873.patch \
            file://busybox-CVE-2017-16544.patch \
+           file://busybox-fix-unlzma-segfaults.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
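Review bot: the file is named busybox-fix-unlzma-segfaults.patch while the subject and the first line of the embedded patch header call the component lzma (misspelt as zlma); pick one spelling for the recipe entry, the subject and the header so the fix can be found by either name. The entry is otherwise in the right place alongside the other backported fixes in SRC_URI.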
 
-- 
2.11.0




* Re: [PATCH v2] busybox: Fix zlma segfaults
  2018-05-31  6:15 ` [PATCH v2] " Andrej Valek
@ 2018-05-31  8:13   ` André Draszik
  0 siblings, 0 replies; 5+ messages in thread
From: André Draszik @ 2018-05-31  8:13 UTC (permalink / raw)
  To: openembedded-core

Typo in the subject: zlma -> lzma

A.

On Thu, 2018-05-31 at 08:15 +0200, Andrej Valek wrote:
> - fix multiple lzma segmentation faults
> - patch includes multiple fixing commits
> - test-cases have been removed due to binary data
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  .../busybox/busybox-fix-unlzma-segfaults.patch     | 106
> +++++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.27.2.bb        |   1 +
>  2 files changed, 107 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch
> 
> diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch
> new file mode 100644
> index 0000000000..5215da74a5
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
> @@ -0,0 +1,106 @@
> +busybox-1.27.2: Fix zlma segfaults
> +
> +[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
> +
> +libarchive: check buffer index in lzma_decompress
> +
> +With specific defconfig busybox fails to check zip fileheader magic
> +(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
> +for decompression which leads to segmentation fault. It prevents
> accessing into
> +buffer, which is smaller than pos index. Patch includes multiple
> segmentation
> +fault fixes.
> +
> +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36
> 986bb80289c1cd8d15a557e49207c9a42946b]
> +bug: 10436 10871
> +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> +
> +diff --git a/archival/libarchive/decompress_unlzma.c
> b/archival/libarchive/decompress_unlzma.c
> +index a904087..29eee2a 100644
> +--- a/archival/libarchive/decompress_unlzma.c
> ++++ b/archival/libarchive/decompress_unlzma.c
> +@@ -11,6 +11,14 @@
> + #include "libbb.h"
> + #include "bb_archive.h"
> + 
> ++
> ++#if 0
> ++# define dbg(...) bb_error_msg(__VA_ARGS__)
> ++#else
> ++# define dbg(...) ((void)0)
> ++#endif
> ++
> ++
> + #if ENABLE_FEATURE_LZMA_FAST
> + #  define speed_inline ALWAYS_INLINE
> + #  define size_inline
> +@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 	rc_t *rc;
> + 	int i;
> + 	uint8_t *buffer;
> ++	uint32_t buffer_size;
> + 	uint8_t previous_byte = 0;
> + 	size_t buffer_pos = 0, global_pos = 0;
> + 	int len = 0;
> +@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 	if (header.dict_size == 0)
> + 		header.dict_size++;
> + 
> +-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
> ++	buffer_size = MIN(header.dst_size, header.dict_size);
> ++	buffer = xmalloc(buffer_size);
> + 
> + 	{
> + 		int num_probs;
> +@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 						state = state <
> LZMA_NUM_LIT_STATES ? 9 : 11;
> + 
> + 						pos = buffer_pos - rep0;
> +-						if ((int32_t)pos < 0)
> ++						if ((int32_t)pos < 0) {
> + 							pos +=
> header.dict_size;
> ++							/* see
> unzip_bad_lzma_2.zip: */
> ++							if (pos >=
> buffer_size)
> ++								goto
> bad;
> ++						}
> + 						previous_byte =
> buffer[pos];
> + 						goto one_byte1;
> + #else
> +@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 						for (; num_bits2 !=
> LZMA_NUM_ALIGN_BITS; num_bits2--)
> + 							rep0 = (rep0 <<
> 1) | rc_direct_bit(rc);
> + 						rep0 <<=
> LZMA_NUM_ALIGN_BITS;
> ++						if ((int32_t)rep0 < 0) {
> ++							dbg("%d
> rep0:%d", __LINE__, rep0);
> ++							goto bad;
> ++						}
> + 						prob3 = p + LZMA_ALIGN;
> + 					}
> + 					i2 = 1;
> +@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> +  IF_NOT_FEATURE_LZMA_FAST(string:)
> + 			do {
> + 				uint32_t pos = buffer_pos - rep0;
> +-				if ((int32_t)pos < 0)
> ++				if ((int32_t)pos < 0) {
> + 					pos += header.dict_size;
> ++					/* more stringent test (see
> unzip_bad_lzma_1.zip): */
> ++					if (pos >= buffer_size)
> ++						goto bad;
> ++				}
> + 				previous_byte = buffer[pos];
> +  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
> + 				buffer[buffer_pos++] = previous_byte;
> +@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 		IF_DESKTOP(total_written += buffer_pos;)
> + 		if (transformer_write(xstate, buffer, buffer_pos) !=
> (ssize_t)buffer_pos) {
> +  bad:
> ++			/* One of our users, bbunpack(), expects _us_ to
> emit
> ++			 * the error message (since it's the best place
> to give
> ++			 * potentially more detailed information).
> ++			 * Do not fail silently.
> ++			 */
> ++			bb_error_msg("corrupted data");
> + 			total_written = -1; /* failure */
> + 		}
> + 		rc_free(rc);
> + 
> diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-
> core/busybox/busybox_1.27.2.bb
> index 36a6342aaf..9f0393505a 100644
> --- a/meta/recipes-core/busybox/busybox_1.27.2.bb
> +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
> @@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV
> }.tar.bz2;name=tarball \
>             file://CVE-2011-5325.patch \
>             file://CVE-2017-15873.patch \
>             file://busybox-CVE-2017-16544.patch \
> +           file://busybox-fix-unlzma-segfaults.patch \
>  "
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>  
> -- 
> 2.11.0
> 



* [PATCH v3] busybox: Fix lzma segfaults
  2018-05-30 14:48 [PATCH] busybox: Fix zlma segfaults Andrej Valek
  2018-05-30 16:46 ` Khem Raj
  2018-05-31  6:15 ` [PATCH v2] " Andrej Valek
@ 2018-05-31  8:23 ` Andrej Valek
  2 siblings, 0 replies; 5+ messages in thread
From: Andrej Valek @ 2018-05-31  8:23 UTC (permalink / raw)
  To: openembedded-core

- fix multiple lzma segmentation faults
- patch includes multiple fixing commits
- test-cases have been removed due to binary data

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../busybox/busybox-fix-lzma-segfaults.patch       | 106 +++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb        |   1 +
 2 files changed, 107 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch

diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
new file mode 100644
index 0000000000..da6dfa8023
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
@@ -0,0 +1,106 @@
+busybox-1.27.2: Fix lzma segfaults
+
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
+
+libarchive: check buffer index in lzma_decompress
+
+With specific defconfig busybox fails to check zip fileheader magic
+(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
+for decompression which leads to segmentation fault. It prevents accessing into
+buffer, which is smaller than pos index. Patch includes multiple segmentation
+fault fixes.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
+bug: 10436 10871
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index a904087..29eee2a 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -11,6 +11,14 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
++
++#if 0
++# define dbg(...) bb_error_msg(__VA_ARGS__)
++#else
++# define dbg(...) ((void)0)
++#endif
++
++
+ #if ENABLE_FEATURE_LZMA_FAST
+ #  define speed_inline ALWAYS_INLINE
+ #  define size_inline
+@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	rc_t *rc;
+ 	int i;
+ 	uint8_t *buffer;
++	uint32_t buffer_size;
+ 	uint8_t previous_byte = 0;
+ 	size_t buffer_pos = 0, global_pos = 0;
+ 	int len = 0;
+@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	if (header.dict_size == 0)
+ 		header.dict_size++;
+ 
+-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
++	buffer_size = MIN(header.dst_size, header.dict_size);
++	buffer = xmalloc(buffer_size);
+ 
+ 	{
+ 		int num_probs;
+@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
+ 
+ 						pos = buffer_pos - rep0;
+-						if ((int32_t)pos < 0)
++						if ((int32_t)pos < 0) {
+ 							pos += header.dict_size;
++							/* see unzip_bad_lzma_2.zip: */
++							if (pos >= buffer_size)
++								goto bad;
++						}
+ 						previous_byte = buffer[pos];
+ 						goto one_byte1;
+ #else
+@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
+ 							rep0 = (rep0 << 1) | rc_direct_bit(rc);
+ 						rep0 <<= LZMA_NUM_ALIGN_BITS;
++						if ((int32_t)rep0 < 0) {
++							dbg("%d rep0:%d", __LINE__, rep0);
++							goto bad;
++						}
+ 						prob3 = p + LZMA_ALIGN;
+ 					}
+ 					i2 = 1;
+@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+  IF_NOT_FEATURE_LZMA_FAST(string:)
+ 			do {
+ 				uint32_t pos = buffer_pos - rep0;
+-				if ((int32_t)pos < 0)
++				if ((int32_t)pos < 0) {
+ 					pos += header.dict_size;
++					/* more stringent test (see unzip_bad_lzma_1.zip): */
++					if (pos >= buffer_size)
++						goto bad;
++				}
+ 				previous_byte = buffer[pos];
+  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
+ 				buffer[buffer_pos++] = previous_byte;
+@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 		IF_DESKTOP(total_written += buffer_pos;)
+ 		if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
+  bad:
++			/* One of our users, bbunpack(), expects _us_ to emit
++			 * the error message (since it's the best place to give
++			 * potentially more detailed information).
++			 * Do not fail silently.
++			 */
++			bb_error_msg("corrupted data");
+ 			total_written = -1; /* failure */
+ 		}
+ 		rc_free(rc);
+ 
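Review bot: apart from the corrected first line, the embedded patch is unchanged from v2. Its header still combines `[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871` with `Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]`, which contradict each other: a backport of an identified upstream commit with a bug URL is tracked upstream, so the first line should go, and the two numbers on the `bug:` line are better given as full URLs.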
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342aaf..92678701fc 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2011-5325.patch \
            file://CVE-2017-15873.patch \
            file://busybox-CVE-2017-16544.patch \
+           file://busybox-fix-lzma-segfaults.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
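Review bot: the rename to busybox-fix-lzma-segfaults.patch brings the recipe entry, the subject and the patch header into agreement, and the recipe blob id changes accordingly (92678701fc); nothing else in the recipe moves, so the recipe side is fine.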
 
-- 
2.11.0



