From e865e5056235a9b4e3911d4c734a3ffa71bb9e62 Mon Sep 17 00:00:00 2001
From: Andrej Valek
Date: Thu, 31 May 2018 10:23:26 +0200
Subject: busybox: Fix lzma segfaults
- fix multiple lzma segmentation faults
- patch includes multiple fixing commits
- test-cases have been removed due to binary data
Signed-off-by: Andrej Valek
Signed-off-by: Richard Purdie
---
 .../busybox/busybox-fix-lzma-segfaults.patch | 106 +++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb | 1 +
 2 files changed, 107 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
(limited to 'meta/recipes-core/busybox')
diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
new file mode 100644
index 0000000000..da6dfa8023
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
@@ -0,0 +1,106 @@
+busybox-1.27.2: Fix lzma segfaults
+
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
+
+libarchive: check buffer index in lzma_decompress
+
+With specific defconfig busybox fails to check zip fileheader magic
+(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
+for decompression which leads to segmentation fault. It prevents accessing into
+buffer, which is smaller than pos index. Patch includes multiple segmentation
+fault fixes.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
+bug: 10436 10871
+Signed-off-by: Andrej Valek
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index a904087..29eee2a 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -11,6 +11,14 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+
++
++#if 0
++# define dbg(...) bb_error_msg(__VA_ARGS__)
++#else
++# define dbg(...) ((void)0)
++#endif
++
++
+ #if ENABLE_FEATURE_LZMA_FAST
+ # define speed_inline ALWAYS_INLINE
+ # define size_inline
+@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ rc_t *rc;
+ int i;
+ uint8_t *buffer;
++ uint32_t buffer_size;
+ uint8_t previous_byte = 0;
+ size_t buffer_pos = 0, global_pos = 0;
+ int len = 0;
+@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ if (header.dict_size == 0)
+ header.dict_size++;
+
+- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
++ buffer_size = MIN(header.dst_size, header.dict_size);
++ buffer = xmalloc(buffer_size);
+
+ {
+ int num_probs;
+@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
+
+ pos = buffer_pos - rep0;
+- if ((int32_t)pos < 0)
++ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ /* see unzip_bad_lzma_2.zip: */
++ if (pos >= buffer_size)
++ goto bad;
++ }
+ previous_byte = buffer[pos];
+ goto one_byte1;
+ #else
+@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
+ rep0 = (rep0 << 1) | rc_direct_bit(rc);
+ rep0 <<= LZMA_NUM_ALIGN_BITS;
++ if ((int32_t)rep0 < 0) {
++ dbg("%d rep0:%d", __LINE__, rep0);
++ goto bad;
++ }
+ prob3 = p + LZMA_ALIGN;
+ }
+ i2 = 1;
+@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ IF_NOT_FEATURE_LZMA_FAST(string:)
+ do {
+ uint32_t pos = buffer_pos - rep0;
+- if ((int32_t)pos < 0)
++ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ /* more stringent test (see unzip_bad_lzma_1.zip): */
++ if (pos >= buffer_size)
++ goto bad;
++ }
+ previous_byte = buffer[pos];
+ IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
+ buffer[buffer_pos++] = previous_byte;
+@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ IF_DESKTOP(total_written += buffer_pos;)
+ if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
+ bad:
++ /* One of our users, bbunpack(), expects _us_ to emit
++ * the error message (since it's the best place to give
++ * potentially more detailed information).
++ * Do not fail silently.
++ */
++ bb_error_msg("corrupted data");
+ total_written = -1; /* failure */
+ }
+ rc_free(rc);
+
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342aaf..92678701fc 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
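Review bot: The Upstream-Status line in the new patch header cites a single busybox commit (a36986bb…) while the same header ("Patch includes multiple segmentation fault fixes") and the commit message ("patch includes multiple fixing commits") say several upstream commits were folded in, so the remaining commit ids should be listed as well, e.g. `Upstream-Status: Backport [<upstream-commit-id-1>, <upstream-commit-id-2>, ...]` with one id per backported fix; without that, individual hunks such as the `rep0` sign check at `@@ -417` and the `bb_error_msg("corrupted data")` at `@@ -478` cannot be traced back to the upstream change they came from. On the code side, in the `@@ -417` hunk `dbg("%d rep0:%d", __LINE__, rep0);` prints `rep0` with `%d`, although the `(int32_t)rep0 < 0` test right above it suggests `rep0` is an unsigned 32-bit value, so `%u` would be the matching specifier; this is currently dead code because `dbg` expands to `((void)0)` under `#if 0`, but it will trip `-Wformat` as soon as the debug path is enabled. The enclosing `unpack_lzma_stream` begins and ends outside the embedded hunks, so the cleanup of `buffer` on the new `goto bad` paths is not visible here and is assumed to be handled after `rc_free(rc)`.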
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://CVE-2011-5325.patch \
 file://CVE-2017-15873.patch \
 file://busybox-CVE-2017-16544.patch \
+ file://busybox-fix-lzma-segfaults.patch \
 "

 SRC_URI_append_libc-musl = " file://musl.cfg "
-- 
cgit 1.2.3-korg