From cf5d0889262e1b04ec2aa4caff2f5da2d602c665 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Mon, 12 Jun 2023 17:48:47 +0200 Subject: [PATCH] busybox: shell: avoid segfault on ${0::0/0~09J}. Closes 15216 function old new delta evaluate_string 1011 1053 +42 Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209] CVE: CVE-2022-48174 Signed-off-by: Meenali Gupta --- shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/shell/math.c b/shell/math.c index 76d22c9..727c294 100644 --- a/shell/math.c +++ b/shell/math.c @@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) # endif #endif +//TODO: much better estimation than expr_len/2? Such as: +//static unsigned estimate_nums_and_names(const char *expr) +//{ +// unsigned count = 0; +// while (*(expr = skip_whitespace(expr)) != '\0') { +// const char *p; +// if (isdigit(*expr)) { +// while (isdigit(*++expr)) +// continue; +// count++; +// continue; +// } +// p = endofname(expr); +// if (p != expr) { +// expr = p; +// count++; +// continue; +// } +// } +// return count; +//} + static arith_t evaluate_string(arith_state_t *math_state, const char *expr) { @@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) const char *errmsg; const char *start_expr = expr = skip_whitespace(expr); unsigned expr_len = strlen(expr) + 2; - /* Stack of integers */ - /* The proof that there can be no more than strlen(startbuf)/2+1 - * integers in any given correct or incorrect expression - * is left as an exercise to the reader. */ + /* Stack of integers/names */ + /* There can be no more than strlen(startbuf)/2+1 + * integers/names in any given correct or incorrect expression. + * (modulo "09v09v09v09v09v" case, + * but we have code to detect that early) + */ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); var_or_num_t *numstackptr = numstack; /* Stack of operator tokens */ @@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) numstackptr->var = NULL; errno = 0; numstackptr->val = strto_arith_t(expr, (char**) &expr); + /* A number can't be followed by another number, or a variable name. + * We'd catch this later anyway, but this would require numstack[] + * to be twice as deep to handle strings where _every_ char is + * a new number or name. Example: 09v09v09v09v09v09v09v09v09v + */ + if (isalnum(*expr) || *expr == '_') + goto err; //bb_error_msg("val:%lld", numstackptr->val); if (errno) numstackptr->val = 0; /* bash compat */ -- 2.40.0