From ff1a31824a2a43e63682a176a904de43ad0e1c2e Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Wed, 27 Apr 2016 17:47:21 -0700
Subject: busybox: Security Fix CVE-2016-2148 busybox <= 1.24.2
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../busybox/busybox/CVE-2016-2148.patch | 74 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.24.1.bb | 1 +
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
new file mode 100644
index 0000000000..af04a7f5bd
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
@@ -0,0 +1,74 @@
+From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko
+
+Upstream-Status: Backport
+CVE: CVE-2016-2148
+https://git.busybox.net/busybox/commit/?id=352f79
+
+Signed-off-by: Armin Kuster
+
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c | 4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+Index: busybox-1.23.2/networking/udhcp/common.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/common.c
++++ busybox-1.23.2/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1
+ * udhcp_str2optset: to determine how many bytes to allocate.
+ * xmalloc_optname_optval: to estimate string length
+ * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+ * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+ */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG
+ [OPTION_S32] = 4,
+ /* Just like OPTION_STRING, we use minimum length here */
+ [OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+ };
+
+
+Index: busybox-1.23.2/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/dhcpc.c
++++ busybox-1.23.2/networking/udhcp/dhcpc.c
+@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st
+ [OPTION_IP ] = sizeof("255.255.255.255 "),
+ [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+ [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op
+ type = optflag->flags & OPTION_TYPE_MASK;
+ optlen = dhcp_option_lengths[type];
+ upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+ dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ dest += sprintf(ret, "%s=", opt_name);
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index f699f993b5..61fc878697 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://rcS \
 file://rcK \
 file://runlevel \
+ file://CVE-2016-2148.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
--
cgit 1.2.3-korg
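Review bot: The `[OPTION_6RD]` entry of `len_of_option_as_string` in dhcpc.c changes its template from "32 128 …" to "132 128 …" with no comment, while the comment this same patch adds in common.c still quotes the "32 128 …" form, so the two halves of the size estimate now describe different strings. `xmalloc_optname_optval` sizes its buffer from these two tables and then writes with an unbounded `sprintf` (last context line of the dhcpc.c hunk), so the allocation is only an upper-bound estimate and stays safe only while both entries are kept in step. I would add beside the dhcpc.c entry `/* first field can print as 3 digits; unit is dhcp_option_lengths[OPTION_6RD] (12) in common.c - keep in sync */` and update the common.c comment to the "132 128 …" form; the reason for the extra digit is inferred rather than shown here, so confirm it against the 6RD formatting code. The backported patch carries busybox-1.23.2 paths and offsets while the recipe is busybox_1.24.1.bb, so it is worth confirming that all three inner hunks apply without fuzz. The body of `xmalloc_optname_optval` continues outside the hunk.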