re-fixed CVE-2022-48174

Signed-off-by: songbuhuang <544824346@qq.com>
(cherry picked from commit 5ccb920553abee2d8a7d39c86c77dd37ce17f8dc)

backport-CVE-2022-48174.patch

@@ -1,27 +1,77 @@
-From dc5199deae8ea69613c60f177cdac709acecf5c9 Mon Sep 17 00:00:00 2001
+From a4bf2a7c172517c95d79f77701797a59b1ea3aa6 Mon Sep 17 00:00:00 2001
 From: songbuhuang <544824346@qq.com>
-Date: Wed, 30 Aug 2023 12:27:33 +0800
+Date: Thu, 31 Aug 2023 11:57:41 +0800
 Subject: [PATCH] fix CVE-2022-48174
 
 Signed-off-by: songbuhuang <544824346@qq.com>
 ---
- shell/math.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
 
 diff --git a/shell/math.c b/shell/math.c
-index af1ab55..e596dd8 100644
+index af1ab55..79824e8 100644
 --- a/shell/math.c
 +++ b/shell/math.c
-@@ -589,7 +589,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
- 	/* The proof that there can be no more than strlen(startbuf)/2+1
- 	 * integers in any given correct or incorrect expression
- 	 * is left as an exercise to the reader. */
--	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
-+	/* Counterexample: 09J results in three integers. */
-+	var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+ 
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++//	unsigned count = 0;
++//	while (*(expr = skip_whitespace(expr)) != '\0') {
++//		const char *p;
++//		if (isdigit(*expr)) {
++//			while (isdigit(*++expr))
++//				continue;
++//			count++;
++//			continue;
++//		}
++//		p = endofname(expr);
++//		if (p != expr) {
++//			expr = p;
++//			count++;
++//			continue;
++//		}
++//	}
++//	return count;
++//}
++
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	const char *errmsg;
+ 	const char *start_expr = expr = skip_whitespace(expr);
+ 	unsigned expr_len = strlen(expr) + 2;
+-	/* Stack of integers */
+-	/* The proof that there can be no more than strlen(startbuf)/2+1
+-	 * integers in any given correct or incorrect expression
+-	 * is left as an exercise to the reader. */
++	/* Stack of integers/names */
++	/* There can be no more than strlen(startbuf)/2+1
++	 * integers/names in any given correct or incorrect expression.
++	 * (modulo "09v09v09v09v09v" case,
++	 * but we have code to detect that early)
++	 */
+ 	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
  	var_or_num_t *numstackptr = numstack;
  	/* Stack of operator tokens */
- 	operator *const stack = alloca(expr_len * sizeof(stack[0]));
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 			numstackptr->var = NULL;
+ 			errno = 0;
+ 			numstackptr->val = strto_arith_t(expr, (char**) &expr);
++			/* A number can't be followed by another number, or a variable name.
++			 * We'd catch this later anyway, but this would require numstack[]
++			 * to be twice as deep to handle strings where _every_ char is
++			 * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++			 */
++			if (isalnum(*expr) || *expr == '_')
++				goto err;
+ 			if (errno)
+ 				numstackptr->val = 0; /* bash compat */
+ 			goto num;
 -- 
 2.26.2
 

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 18
+%define RELEASE 19
 %endif
 Epoch: 1
 
@@ -105,6 +105,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Thu Aug 31 2023 huangsong <huangsong14@huawei.com> - 1:1.31.1-19
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:re-fixed CVE-2022-48174
+
 * Wed Aug 30 2023 huangsong <huangsong14@huawei.com> - 1:1.31.1-18
 - Type:CVE
 - Id:NA