master

分支 (25)

标签 (25)

管理

管理

master

openEuler-24.03-LTS-SP1

openEuler-24.09

openEuler-24.03-LTS-Next

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP3

openEuler-24.03-LTS

openEuler-22.03-LTS-SP1

openEuler-20.03-LTS-SP4

openEuler-20.03-LTS-SP1

openEuler-23.09

openEuler-20.03-LTS-SP3

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-23.03

openEuler-22.09

openEuler-20.03-LTS-SP2

openEuler-20.09

openEuler-20.03-LTS-Next

openEuler-24.03-LTS-SP1-release

openEuler-24.03-LTS-update-20241122

openEuler-22.03-LTS-SP4-update-20241122

openEuler-22.03-LTS-SP3-update-20241122

openEuler-20.03-LTS-SP4-update-20241122

openEuler-22.03-LTS-SP4-update-before-20241025

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

busybox
/
backport-CVE-2022-48174.patch

From 1c4fc3ab4f6241a05a24b0593ce63bcb54e469eb Mon Sep 17 00:00:00 2001
From: songbuhuang <[email protected]>
Date: Thu, 31 Aug 2023 11:39:36 +0800
Subject: [PATCH] fix CVE-2022-48174

Signed-off-by: songbuhuang <[email protected]>
---
 shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/shell/math.c b/shell/math.c
index 76d22c9..727c294 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
 # endif
 #endif

+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+//	unsigned count = 0;
+//	while (*(expr = skip_whitespace(expr)) != '\0') {
+//		const char *p;
+//		if (isdigit(*expr)) {
+//			while (isdigit(*++expr))
+//				continue;
+//			count++;
+//			continue;
+//		}
+//		p = endofname(expr);
+//		if (p != expr) {
+//			expr = p;
+//			count++;
+//			continue;
+//		}
+//	}
+//	return count;
+//}
+
 static arith_t
 evaluate_string(arith_state_t *math_state, const char *expr)
 {
@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
 	const char *errmsg;
 	const char *start_expr = expr = skip_whitespace(expr);
 	unsigned expr_len = strlen(expr) + 2;
-	/* Stack of integers */
-	/* The proof that there can be no more than strlen(startbuf)/2+1
-	 * integers in any given correct or incorrect expression
-	 * is left as an exercise to the reader. */
+	/* Stack of integers/names */
+	/* There can be no more than strlen(startbuf)/2+1
+	 * integers/names in any given correct or incorrect expression.
+	 * (modulo "09v09v09v09v09v" case,
+	 * but we have code to detect that early)
+	 */
 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
 	var_or_num_t *numstackptr = numstack;
 	/* Stack of operator tokens */
@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
 			numstackptr->var = NULL;
 			errno = 0;
 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
+			/* A number can't be followed by another number, or a variable name.
+			 * We'd catch this later anyway, but this would require numstack[]
+			 * to be twice as deep to handle strings where _every_ char is
+			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
+			 */
+			if (isalnum(*expr) || *expr == '_')
+				goto err;
 //bb_error_msg("val:%lld", numstackptr->val);
 			if (errno)
 				numstackptr->val = 0; /* bash compat */
--
2.26.2