[oe-commits] [openembedded-core] 13/17: busybox: Security Fix CVE-2016-2148

git at git.openembedded.org git at git.openembedded.org
Fri Apr 29 06:55:09 UTC 2016


rpurdie pushed a commit to branch krogoth
in repository openembedded-core.

commit ff1a31824a2a43e63682a176a904de43ad0e1c2e
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Wed Apr 27 17:47:21 2016 -0700

    busybox: Security Fix CVE-2016-2148
    
    busybox <= 1.24.2
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 .../busybox/busybox/CVE-2016-2148.patch            | 74 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.24.1.bb        |  1 +
 2 files changed, 75 insertions(+)

diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
new file mode 100644
index 0000000..af04a7f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch
@@ -0,0 +1,74 @@
+From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux at googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+ buffer)
+
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2148
+https://git.busybox.net/busybox/commit/?id=352f79
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ networking/udhcp/common.c | 15 +++++++++++++--
+ networking/udhcp/dhcpc.c  |  4 ++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+Index: busybox-1.23.2/networking/udhcp/common.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/common.c
++++ busybox-1.23.2/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1
+  * udhcp_str2optset: to determine how many bytes to allocate.
+  * xmalloc_optname_optval: to estimate string length
+  * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+  * (len_of_option_as_string[opt_type]) and you know how wide string you need.
+  */
+ const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG
+ 	[OPTION_S32] =     4,
+ 	/* Just like OPTION_STRING, we use minimum length here */
+ 	[OPTION_STATIC_ROUTES] = 5,
+-	[OPTION_6RD] =    22,  /* ignored by udhcp_str2optset */
++	[OPTION_6RD] =    12,  /* ignored by udhcp_str2optset */
++	/* The above value was chosen as follows:
++	 * len_of_option_as_string[] for this option is >60: it's a string of the form
++	 * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++	 * Each additional ipv4 address takes 4 bytes in binary option and appends
++	 * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++	 * but this severely overestimates string length: instead of 16 bytes,
++	 * it adds >60 for every 4 bytes in binary option.
++	 * We cheat and declare here that option is in units of 12 bytes.
++	 * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++	 * (Even 16 instead of 12 should work, but let's be paranoid).
++	 */
+ };
+ 
+ 
+Index: busybox-1.23.2/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/dhcpc.c
++++ busybox-1.23.2/networking/udhcp/dhcpc.c
+@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st
+ 	[OPTION_IP              ] = sizeof("255.255.255.255 "),
+ 	[OPTION_IP_PAIR         ] = sizeof("255.255.255.255 ") * 2,
+ 	[OPTION_STATIC_ROUTES   ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+-	[OPTION_6RD             ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++	[OPTION_6RD             ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ 	[OPTION_STRING          ] = 1,
+ 	[OPTION_STRING_HOST     ] = 1,
+ #if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op
+ 	type = optflag->flags & OPTION_TYPE_MASK;
+ 	optlen = dhcp_option_lengths[type];
+ 	upper_length = len_of_option_as_string[type]
+-		* ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++		* ((unsigned)(len + optlen) / (unsigned)optlen);
+ 
+ 	dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+ 	dest += sprintf(ret, "%s=", opt_name);
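Review bot: The embedded patch's `Index:`/`---`/`+++` lines name `busybox-1.23.2` (starting at `Index: busybox-1.23.2/networking/udhcp/common.c`) although this commit wires it into `busybox_1.24.1.bb`, so the headers no longer describe the tree the patch is applied to; it still applies with `-p1`, but the headers should be refreshed against 1.24.1 or a line added under `Upstream-Status: Backport` stating that it was retargeted, so the metadata stays accurate. The `CVE:` block links `https://git.busybox.net/busybox/commit/?id=352f79` with an abbreviated id while the full `352f79acbd759c14399e39baef21fc4ffe180ac2` is already on the `From` line; I would quote the full hash in the link so the reference cannot become ambiguous. On the C content, the fix rests on `[OPTION_6RD] = 12` plus the `(len + optlen) / optlen` rounding in `xmalloc_optname_optval`, and the new explanatory comment in common.c still quotes the string form as `"32 128 …"` while the width entry in dhcpc.c was widened to `"132 128 …"`; this appears to be the upstream text verbatim and is harmless because the comment only relies on the `>60` bound, but the commit message could say the patch is an unmodified upstream backport so reviewers do not try to reconcile the two. The body of `xmalloc_optname_optval` begins and ends outside the hunk.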
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index f699f99..61fc878 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://rcS \
            file://rcK \
            file://runlevel \
+           file://CVE-2016-2148.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
