From 373d8e3dcb62f76a5c2b3608251529c608b98b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LI=20G=C3=A1bor=20J=C3=A1nos?= Date: Sat, 25 Jun 2022 23:04:28 +0200 Subject: Move to Linux 5.15.49 + Alpine 3.16.0. --- ...-ash-add-built-in-BB_ASH_VERSION-variable.patch | 29 +++-- ...defined-warnings-when-building-with-utmps.patch | 16 +++ ...1-modinfo-add-k-option-for-kernel-version.patch | 140 +++++++++++++++++++++ .../0013-ash-fix-unsafe-use-of-mempcpy.patch | 32 +++++ ...e-after-free-in-bash-pattern-substitution.patch | 81 ++++++++++++ ...se-memcpy-with-overlapping-memory-regions.patch | 34 +++++ ...ead-past-end-of-var-in-subvareval-for-bas.patch | 88 +++++++++++++ ...17-ash-Fix-use-after-free-on-idx-variable.patch | 94 ++++++++++++++ aports/busybox/APKBUILD | 46 ++++--- aports/busybox/config | 68 +++++----- 10 files changed, 565 insertions(+), 63 deletions(-) create mode 100644 aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch create mode 100644 aports/busybox/0001-modinfo-add-k-option-for-kernel-version.patch create mode 100644 aports/busybox/0013-ash-fix-unsafe-use-of-mempcpy.patch create mode 100644 aports/busybox/0014-ash-fix-use-after-free-in-bash-pattern-substitution.patch create mode 100644 aports/busybox/0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch create mode 100644 aports/busybox/0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch create mode 100644 aports/busybox/0017-ash-Fix-use-after-free-on-idx-variable.patch (limited to 'aports/busybox') diff --git a/aports/busybox/0001-ash-add-built-in-BB_ASH_VERSION-variable.patch b/aports/busybox/0001-ash-add-built-in-BB_ASH_VERSION-variable.patch index f7f901f..d8f5ea0 100644 --- a/aports/busybox/0001-ash-add-built-in-BB_ASH_VERSION-variable.patch +++ b/aports/busybox/0001-ash-add-built-in-BB_ASH_VERSION-variable.patch 
@@ -1,4 +1,4 @@ -From cf95fcc20717e4c0906109b13565fdd06d874ee0 Mon Sep 17 00:00:00 2001 +From df5fffa062ebc46bd13d65c84a4abca6ae1c614d Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Wed, 10 Mar 2021 23:38:57 -0700 Subject: [PATCH] ash: add built-in $BB_ASH_VERSION variable @@ -19,11 +19,11 @@ varinit_data 360 384 +24 Signed-off-by: Ariadne Conill --- - shell/ash.c | 26 +++++++++++++++++++------- - 1 file changed, 19 insertions(+), 7 deletions(-) + shell/ash.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/shell/ash.c b/shell/ash.c -index 6a16833b1..b8525dd57 100644 +index 827643808..5f8f41ee9 100644 --- a/shell/ash.c +++ b/shell/ash.c @@ -153,6 +153,14 @@ @@ -41,7 +41,7 @@ index 6a16833b1..b8525dd57 100644 //config:endif # ash options //applet:IF_ASH(APPLET(ash, BB_DIR_BIN, BB_SUID_DROP)) -@@ -2109,6 +2117,9 @@ static const struct { +@@ -2138,6 +2146,9 @@ static const struct { { VSTRFIXED|VTEXTFIXED , "PS1=$ " , NULL }, { VSTRFIXED|VTEXTFIXED , "PS2=> " , NULL }, { VSTRFIXED|VTEXTFIXED , "PS4=+ " , NULL }, @@ -51,7 +51,7 @@ index 6a16833b1..b8525dd57 100644 #if ENABLE_ASH_GETOPTS { VSTRFIXED|VTEXTFIXED , defoptindvar, getoptsreset }, #endif -@@ -2159,18 +2170,19 @@ extern struct globals_var *BB_GLOBAL_CONST ash_ptr_to_globals_var; +@@ -2197,19 +2208,20 @@ extern struct globals_var *BB_GLOBAL_CONST ash_ptr_to_globals_var; #define vps1 varinit[VAR_OFFSET1 + 2] #define vps2 varinit[VAR_OFFSET1 + 3] #define vps4 varinit[VAR_OFFSET1 + 4] 
@@ -62,22 +62,21 @@ index 6a16833b1..b8525dd57 100644 #endif -#define VAR_OFFSET2 (VAR_OFFSET1 + ENABLE_ASH_GETOPTS) -#define vlineno varinit[VAR_OFFSET2 + 5] +-#define vfuncname varinit[VAR_OFFSET2 + 6] +#define VAR_OFFSET3 (VAR_OFFSET2 + ENABLE_ASH_GETOPTS) +#define vlineno varinit[VAR_OFFSET3 + 5] ++#define vfuncname varinit[VAR_OFFSET3 + 6] #if ENABLE_ASH_RANDOM_SUPPORT --# define vrandom varinit[VAR_OFFSET2 + 6] -+# define vrandom varinit[VAR_OFFSET3 + 6] +-# define vrandom varinit[VAR_OFFSET2 + 7] ++# define vrandom varinit[VAR_OFFSET3 + 7] #endif -#define VAR_OFFSET3 (VAR_OFFSET2 + ENABLE_ASH_RANDOM_SUPPORT) +#define VAR_OFFSET4 (VAR_OFFSET2 + ENABLE_ASH_RANDOM_SUPPORT) #if BASH_EPOCH_VARS --# define vepochs varinit[VAR_OFFSET3 + 6] --# define vepochr varinit[VAR_OFFSET3 + 7] -+# define vepochs varinit[VAR_OFFSET4 + 6] -+# define vepochr varinit[VAR_OFFSET4 + 7] +-# define vepochs varinit[VAR_OFFSET3 + 7] +-# define vepochr varinit[VAR_OFFSET3 + 8] ++# define vepochs varinit[VAR_OFFSET4 + 7] ++# define vepochr varinit[VAR_OFFSET4 + 8] #endif #define INIT_G_var() do { \ unsigned i; \ --- -2.30.2 - diff --git a/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch new file mode 100644 index 0000000..246e9b0 --- /dev/null +++ b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch @@ -0,0 +1,16 @@ +From: Jakub Jirutka +Date: Mon, 06 Sep 2021 23:13:05 +0200 +Subject: [PATCH] Avoid redefined warnings when building with utmps + +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -107,6 +107,9 @@ + # define _PATH_UTMPX _PATH_UTMP + # else + # if !defined(__FreeBSD__) ++/* _PATH_UTMP and _PATH_WTMP are defined both in paths.h and utmps/utmp.h. */ ++# undef _PATH_UTMP ++# undef _PATH_WTMP + # include + # else + # define _PATH_UTMPX "/var/run/utx.active" 
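Review bot: The refreshed `vepochs`/`vepochr` defines index from `VAR_OFFSET4`, which the patch defines as `(VAR_OFFSET2 + ENABLE_ASH_RANDOM_SUPPORT)`, so it drops the `ENABLE_ASH_GETOPTS` term that `VAR_OFFSET3` carries. With getopts and random support both enabled, `vepochs` (`VAR_OFFSET4 + 7`) and `vrandom` (`VAR_OFFSET3 + 7`) resolve to the same `varinit` slot. The `VAR_OFFSET4` line is unchanged context in this refresh, and the aliasing only matters when `BASH_EPOCH_VARS` is enabled, which the visible lines do not settle. Chaining the offsets avoids it: `#define VAR_OFFSET4 (VAR_OFFSET3 + ENABLE_ASH_RANDOM_SUPPORT)`.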
diff --git a/aports/busybox/0001-modinfo-add-k-option-for-kernel-version.patch b/aports/busybox/0001-modinfo-add-k-option-for-kernel-version.patch
new file mode 100644
index 0000000..f1bf02f
--- /dev/null
+++ b/aports/busybox/0001-modinfo-add-k-option-for-kernel-version.patch
@@ -0,0 +1,140 @@ +From 8fed81a74070cb42e1dff1a8c2382bd123385e22 Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Thu, 28 Apr 2022 16:03:16 +0200 +Subject: [PATCH] modinfo: add -k option for kernel version + +It is useful to be able to specify kernel version when generating +initramfs and similar for a kernel version that might not be the running +one. + +bloatcheck on x86_64: + +function old new delta +packed_usage 26193 26218 +25 +modinfo_main 391 414 +23 +.rodata 80296 80298 +2 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/0 up/down: 50/0) Total: 50 +bytes + text data bss dec hex filename + 834606 14124 2008 850738 cfb32 busybox_old + 834657 14124 2008 850789 cfb65 busybox_unstripped + +Signed-off-by: Natanael Copa +--- + modutils/modinfo.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/modutils/modinfo.c b/modutils/modinfo.c +index 0a86c3296..53bc02880 100644 +--- a/modutils/modinfo.c ++++ b/modutils/modinfo.c +@@ -38,17 +38,18 @@ static const char *const shortcuts[] ALIGN_PTR = { + + enum { + OPT_0 = (1 << 0), /* \0 as separator */ +- OPT_F = (1 << 1), /* field name */ ++ OPT_k = (1 << 1), /* kernel version */ ++ OPT_F = (1 << 2), /* field name */ + /* first bits are for -nadlp options, the rest are for + * fields not selectable with "shortcut" options + */ +- OPT_n = (1 << 2), +- OPT_TAGS = ((1 << ARRAY_SIZE(shortcuts)) - 1) << 2, ++ OPT_n = (1 << 3), ++ OPT_TAGS = ((1 << ARRAY_SIZE(shortcuts)) - 1) << 3, + }; + + static void display(const char *data, const char *pattern) + { +- int flag = option_mask32 >> 1; /* shift out -0 bit */ ++ int flag = option_mask32 >> 2; /* shift out -0 and -k bits */ + if (flag & (flag-1)) { + /* more than one field to show: print "FIELD:" pfx */ + int n = printf("%s:", pattern); +@@ -82,7 +83,8 @@ static void modinfo(const char *path, const char *version, + } + } + +- for (j = 1; (1< +Date: Tue, 1 Mar 
2022 09:56:54 +0100 +Subject: [PATCH] ash: fix unsafe use of mempcpy + +function old new delta +subevalvar 1549 1557 +8 + +Signed-off-by: Denys Vlasenko +--- + shell/ash.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/shell/ash.c b/shell/ash.c +index 54335c5dd..44ec2eafd 100644 +--- a/shell/ash.c ++++ b/shell/ash.c +@@ -7191,7 +7191,13 @@ subevalvar(char *start, char *str, int strloc, + len = orig_len - pos; + + if (!quotes) { +- loc = mempcpy(startp, startp + pos, len); ++ /* want: loc = mempcpy(startp, startp + pos, len) ++ * but it does not allow overlapping arguments */ ++ loc = startp; ++ while (--len >= 0) { ++ *loc = loc[pos]; ++ loc++; ++ } + } else { + for (vstr = startp; pos != 0; pos--) { + if ((unsigned char)*vstr == CTLESC) diff --git a/aports/busybox/0014-ash-fix-use-after-free-in-bash-pattern-substitution.patch b/aports/busybox/0014-ash-fix-use-after-free-in-bash-pattern-substitution.patch new file mode 100644 index 0000000..6ff2b82 --- /dev/null +++ b/aports/busybox/0014-ash-fix-use-after-free-in-bash-pattern-substitution.patch 
@@ -0,0 +1,81 @@ +From 103728181bfd9a60537166d036e5baca7b67cc1f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=B6ren=20Tempel?= +Date: Sat, 29 Jan 2022 06:11:12 +0100 +Subject: [PATCH] ash: fix use-after-free in bash pattern substitution +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +At Alpine Linux downstream, we were made aware of a segmentation fault +occurring during string replacement in BusyBox ash [0]. Further +debugging revealed that the segmentation fault occurs due to a +use-after-free in BusyBox's bash pattern substitution implementation. +Specially, the problem is that the repl variable (pointing to the +replacement string) points to a value in the stack string. However, when +accessing the repl pointer in Line 7350 it is possible that the stack +has been moved since the last repl assignment due to the STPUTC +invocations in Line 7317 and 7321 (since STPUTC may grow the stack via +realloc(3)). + +For this reason, the code in Line 7350 may access an unmapped memory +region and therefore causes a segmentation fault if prior STPUTC +invocations moved the stack via realloc(3). 
The valgrind output +for this edge case looks as follows: + + Invalid read of size 1 + at 0x15D8DD: subevalvar (ash.c:7350) + by 0x15DC43: evalvar (ash.c:7666) + by 0x15B717: argstr (ash.c:6893) + by 0x15BAEC: expandarg (ash.c:8090) + by 0x15F4CC: evalcommand (ash.c:10429) + by 0x15B26C: evaltree (ash.c:9365) + by 0x15E4FC: cmdloop (ash.c:13569) + by 0x15FD8B: ash_main (ash.c:14748) + by 0x115BF2: run_applet_no_and_exit (appletlib.c:967) + by 0x115F16: run_applet_and_exit (appletlib.c:986) + by 0x115EF9: busybox_main (appletlib.c:917) + by 0x115EF9: run_applet_and_exit (appletlib.c:979) + by 0x115F8F: main (appletlib.c:1126) + Address 0x48b8646 is 2,054 bytes inside a block of size 4,776 free'd + at 0x48A6FC9: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) + by 0x116E86: xrealloc (xfuncs_printf.c:61) + by 0x1565DB: growstackblock (ash.c:1736) + by 0x156EF7: growstackstr (ash.c:1775) + by 0x156F1A: _STPUTC (ash.c:1816) + by 0x15D843: subevalvar (ash.c:7317) + by 0x15DC43: evalvar (ash.c:7666) + by 0x15B717: argstr (ash.c:6893) + by 0x15BAEC: expandarg (ash.c:8090) + by 0x15F4CC: evalcommand (ash.c:10429) + by 0x15B26C: evaltree (ash.c:9365) + by 0x15E4FC: cmdloop (ash.c:13569) + +A testcase for reproducing this edge case is provided in the downstream +bug report [1]. This commit fixes the issue by reconstructing the repl +pointer relative to stackblock() via strloc and slash_pos. + +[0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13469 +[1]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13469#note_210530 + +Signed-off-by: Sören Tempel +--- + shell/ash.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/shell/ash.c b/shell/ash.c +index 55df54bd0..24f9a8270 100644 +--- a/shell/ash.c ++++ b/shell/ash.c +@@ -7346,6 +7346,12 @@ subevalvar(char *start, char *str, int strloc, + idx = loc; + } + ++ // The STPUTC invocations above may resize and move the ++ // stack via realloc(3). 
Since repl is a pointer into the ++ // stack, we need to reconstruct it relative to stackblock(). ++ if (slash_pos >= 0) ++ repl = (char *)stackblock() + strloc + slash_pos + 1; ++ + //bb_error_msg("repl:'%s'", repl); + for (loc = (char*)repl; *loc; loc++) { + char *restart_detect = stackblock(); diff --git a/aports/busybox/0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch b/aports/busybox/0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch new file mode 100644 index 0000000..5697a55 --- /dev/null +++ b/aports/busybox/0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch 
@@ -0,0 +1,34 @@ +From 65bb493f2475368161431ed72816fd0c61e479b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=B6ren=20Tempel?= +Date: Tue, 8 Feb 2022 09:29:21 +0100 +Subject: [PATCH] ed: don't use memcpy with overlapping memory regions + +The memcpy invocations in the subCommand function, modified by this +commit, previously used memcpy with overlapping memory regions. This is +undefined behavior. On Alpine Linux, it causes BusyBox ed to crash since +we compile BusyBox with -D_FORTIFY_SOURCE=2 and our fortify-headers +implementation catches this source of undefined behavior [0]. The issue +can only be triggered if the replacement string is the same size or +shorter than the old string. + +Looking at the code, it seems to me that a memmove(3) is what was +actually intended here, this commit modifies the code accordingly. + +[0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13504 +--- + editors/ed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/editors/ed.c b/editors/ed.c +index 209ce9942..4a84f7433 100644 +--- a/editors/ed.c ++++ b/editors/ed.c +@@ -720,7 +720,7 @@ static void subCommand(const char *cmd, int num1, int num2) + if (deltaLen <= 0) { + memcpy(&lp->data[offset], newStr, newLen); + if (deltaLen) { +- memcpy(&lp->data[offset + newLen], ++ memmove(&lp->data[offset + newLen], + &lp->data[offset + oldLen], + lp->len - offset - oldLen); + diff --git a/aports/busybox/0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch b/aports/busybox/0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch new file mode 100644 index 0000000..3527fa5 --- /dev/null +++ b/aports/busybox/0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch 
@@ -0,0 +1,88 @@ +From fa52ac9781f479de8ab4d8526276244c0a0471f4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=B6ren=20Tempel?= +Date: Mon, 28 Feb 2022 08:36:50 +0100 +Subject: [PATCH] ash: don't read past end of var in subvareval for bash + substitutions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without this patch, BusyBox handles bash pattern substitutions without +a terminating '/' character incorrectly. + +Consider the following shell script: + + _bootstrapver=5.0.211-r0 + _referencesdir="/usr/${_bootstrapver/-*}/Sources" + echo $_referencesdir + +This should output `/usr/5.0.211/Sources`. However, without this patch +it instead outputs `/usr/5.0.211Sources`. This is due to the fact that +BusyBox expects the bash pattern substitutions to always be terminated +with a '/' (at least in this part of subvareval) and thus reads passed +the substitution itself and consumes the '/' character which is part of +the literal string. If there is no '/' after the substitution then +BusyBox might perform an out-of-bounds read under certain circumstances. + +When replacing the bash pattern substitution with `${_bootstrapver/-*/}`, +or with this patch applied, ash outputs the correct value. 
+ +Signed-off-by: Sören Tempel +Signed-off-by: Denys Vlasenko +--- + shell/ash.c | 4 ++++ + shell/ash_test/ash-vars/var_bash_repl_unterminated.right | 1 + + shell/ash_test/ash-vars/var_bash_repl_unterminated.tests | 2 ++ + shell/hush_test/hush-vars/var_bash_repl_unterminated.right | 1 + + shell/hush_test/hush-vars/var_bash_repl_unterminated.tests | 2 ++ + 5 files changed, 10 insertions(+) + create mode 100644 shell/ash_test/ash-vars/var_bash_repl_unterminated.right + create mode 100755 shell/ash_test/ash-vars/var_bash_repl_unterminated.tests + create mode 100644 shell/hush_test/hush-vars/var_bash_repl_unterminated.right + create mode 100755 shell/hush_test/hush-vars/var_bash_repl_unterminated.tests + +diff --git a/shell/ash.c b/shell/ash.c +index adb0f223a..54335c5dd 100644 +--- a/shell/ash.c ++++ b/shell/ash.c +@@ -7081,6 +7081,10 @@ subevalvar(char *start, char *str, int strloc, + *repl = '\0'; + break; + } ++ if ((unsigned char)*repl == CTLENDVAR) { /* ${v/pattern} (no trailing /, no repl) */ ++ repl = NULL; ++ break; ++ } + /* Handle escaped slashes, e.g. 
"${v/\//_}" (they are CTLESC'ed by this point) */ + if ((unsigned char)*repl == CTLESC && repl[1]) + repl++; +diff --git a/shell/ash_test/ash-vars/var_bash_repl_unterminated.right b/shell/ash_test/ash-vars/var_bash_repl_unterminated.right +new file mode 100644 +index 000000000..5bff3a6fa +--- /dev/null ++++ b/shell/ash_test/ash-vars/var_bash_repl_unterminated.right +@@ -0,0 +1 @@ ++b/d +diff --git a/shell/ash_test/ash-vars/var_bash_repl_unterminated.tests b/shell/ash_test/ash-vars/var_bash_repl_unterminated.tests +new file mode 100755 +index 000000000..c9513343d +--- /dev/null ++++ b/shell/ash_test/ash-vars/var_bash_repl_unterminated.tests +@@ -0,0 +1,2 @@ ++a=b-c ++echo ${a/-*}/d +diff --git a/shell/hush_test/hush-vars/var_bash_repl_unterminated.right b/shell/hush_test/hush-vars/var_bash_repl_unterminated.right +new file mode 100644 +index 000000000..5bff3a6fa +--- /dev/null ++++ b/shell/hush_test/hush-vars/var_bash_repl_unterminated.right +@@ -0,0 +1 @@ ++b/d +diff --git a/shell/hush_test/hush-vars/var_bash_repl_unterminated.tests b/shell/hush_test/hush-vars/var_bash_repl_unterminated.tests +new file mode 100755 +index 000000000..c9513343d +--- /dev/null ++++ b/shell/hush_test/hush-vars/var_bash_repl_unterminated.tests +@@ -0,0 +1,2 @@ ++a=b-c ++echo ${a/-*}/d diff --git a/aports/busybox/0017-ash-Fix-use-after-free-on-idx-variable.patch b/aports/busybox/0017-ash-Fix-use-after-free-on-idx-variable.patch new file mode 100644 index 0000000..22a2578 --- /dev/null +++ b/aports/busybox/0017-ash-Fix-use-after-free-on-idx-variable.patch 
@@ -0,0 +1,94 @@ +From 3813e89e3622b034b0e51acae496493a717555cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=B6ren=20Tempel?= +Date: Wed, 1 Jun 2022 11:51:40 +0200 +Subject: [PATCH] ash: Fix use-after-free on idx variable + +Consider the following code from ash.c: + + STPUTC(*idx, expdest); + if (quotes && (unsigned char)*idx == CTLESC) { + +The idx variable points to a value in the stack string (as managed +by STPUTC). STPUTC may resize this stack string via realloc(3). If +this happens, the idx pointer needs to be updated. Otherwise, +dereferencing idx may result in a use-after free. + +The valgrind output for this edge case looks as follows: + + Invalid read of size 1 + at 0x113AD7: subevalvar (ash.c:7326) + by 0x112EC7: evalvar (ash.c:7674) + by 0x113219: argstr (ash.c:6891) + by 0x113D10: expandarg (ash.c:8098) + by 0x118989: evalcommand (ash.c:10377) + by 0x116744: evaltree (ash.c:9373) + by 0x1170DC: cmdloop (ash.c:13577) + by 0x1191E4: ash_main (ash.c:14756) + by 0x10CB3B: run_applet_no_and_exit (appletlib.c:967) + by 0x10CBCA: run_applet_and_exit (appletlib.c:986) + by 0x10CBCA: main (appletlib.c:1126) + Address 0x48b4099 is 857 bytes inside a block of size 2,736 free'd + at 0x48A6FC9: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) + by 0x125B03: xrealloc (xfuncs_printf.c:61) + by 0x10F9D2: growstackblock (ash.c:1736) + by 0x10FA4E: growstackstr (ash.c:1775) + by 0x10FA71: _STPUTC (ash.c:1816) + by 0x113A94: subevalvar (ash.c:7325) + by 0x112EC7: evalvar (ash.c:7674) + by 0x113219: argstr (ash.c:6891) + by 0x113D10: expandarg (ash.c:8098) + by 0x118989: evalcommand (ash.c:10377) + by 0x116744: evaltree (ash.c:9373) + by 0x1170DC: cmdloop (ash.c:13577) + Block was alloc'd at + at 0x48A26D5: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) + by 0x125AE9: xmalloc (xfuncs_printf.c:50) + by 0x10ED56: stalloc (ash.c:1622) + by 0x10F9FF: growstackblock (ash.c:1746) + by 0x10FB2A: growstackto (ash.c:1783) + by 0x10FB47: 
makestrspace (ash.c:1795) + by 0x10FDE7: memtodest (ash.c:6390) + by 0x10FE91: strtodest (ash.c:6417) + by 0x112CC5: varvalue (ash.c:7558) + by 0x112D80: evalvar (ash.c:7603) + by 0x113219: argstr (ash.c:6891) + by 0x113D10: expandarg (ash.c:8098) + +This patch fixes this issue by updating the pointers again via +the restart label if STPUTC re-sized the stack. This issue +has been reported to us at Alpine Linux downstream. + +Also: Move the second realloc-check inside the if statement +that follows so it isn't done twice if the condition evaluates +to false. + +See also: + +* https://gitlab.alpinelinux.org/alpine/aports/-/issues/13900 +* http://lists.busybox.net/pipermail/busybox/2022-April/089655.html +--- + shell/ash.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/shell/ash.c b/shell/ash.c +index ef4a47afe..cbc50eefe 100644 +--- a/shell/ash.c ++++ b/shell/ash.c +@@ -7323,13 +7323,15 @@ subevalvar(char *start, char *str, int strloc, + if (idx >= end) + break; + STPUTC(*idx, expdest); ++ if (stackblock() != restart_detect) ++ goto restart; + if (quotes && (unsigned char)*idx == CTLESC) { + idx++; + len++; + STPUTC(*idx, expdest); ++ if (stackblock() != restart_detect) ++ goto restart; + } +- if (stackblock() != restart_detect) +- goto restart; + idx++; + len++; + rmesc++; diff --git a/aports/busybox/APKBUILD b/aports/busybox/APKBUILD index 40b1d3f..ec0d3fb 100644 --- a/aports/busybox/APKBUILD +++ b/aports/busybox/APKBUILD 
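Review bot: Both added `goto restart` checks fire after STPUTC has already appended a byte and before `idx++`/`len++` run. The result is only correct if the `restart` label, which is outside this hunk, discards the partial output and resets `idx`, `len` and `rmesc` instead of resuming. That dependency is worth stating at the first check, for example `/* STPUTC may realloc the stack: idx is stale, redo the substitution from restart */`. The second STPUTC writes `*idx` after `idx++` with no `idx >= end` test in the visible lines; whether a CTLESC can be the last byte before `end` cannot be told from here.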
@@ -1,13 +1,16 @@ # Maintainer: Gabor Pali pkgname=busybox -pkgver=1.34.1 -pkgrel=5 +pkgver=1.35.0 +pkgrel=0 # base: 14, -initscripts: 4.1-r1 pkgdesc="Size optimized toolbox of many common UNIX utilities" url="https://busybox.net/" arch="all" license="GPL-2.0-only" makedepends_build="perl" -makedepends_host="linux-headers openssl1.1-compat-dev libretls-dev" +makedepends_host="linux-headers openssl-dev" +# Only build with UTMPS support if we are not bootstrapping. +# skalibs-static is needed for utmps-static +[ -z "$BOOTSTRAP" ] && makedepends_host="$makedepends_host utmps-dev utmps-static skalibs-static" makedepends="$makedepends_build $makedepends_host" checkdepends= provides="/bin/sh" @@ -15,8 +18,6 @@ install= subpackages= options="!check" source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2 - 0001-rev-correct-output-for-long-input-lines.patch - 0001-nologin-Install-applet-to-sbin-instead-of-usr-sbin.patch 0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch 0001-properly-fix-wget-https-support.patch 
@@ -31,16 +32,17 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2 0009-depmod-support-generating-kmod-binary-index-files.patch 0010-Add-flag-for-not-following-symlinks-when-recursing.patch 0012-udhcpc-Don-t-background-if-n-is-given.patch - + 0013-ash-fix-unsafe-use-of-mempcpy.patch + 0014-ash-fix-use-after-free-in-bash-pattern-substitution.patch + 0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch + 0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch + 0017-ash-Fix-use-after-free-on-idx-variable.patch 0001-ash-add-built-in-BB_ASH_VERSION-variable.patch - - 0001-cpio-add-support-for-ignore-devno-like-GNU-cpio.patch - 0002-cpio-add-support-for-renumber-inodes-like-GNU-cpio.patch - 0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch - + 0001-avoid-redefined-warnings-when-building-with-utmps.patch 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch 0002-nslookup-sanitize-all-printed-strings-with-printable.patch + 0001-modinfo-add-k-option-for-kernel-version.patch acpid.logrotate config @@ -59,6 +61,9 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2 " # secfixes: +# 1.35.0-r7: +# - ALPINE-13661 +# - CVE-2022-28391 # 1.34.1-r5: # - ALPINE-13661 # - CVE-2022-28391 @@ -162,7 +167,8 @@ EOF install -m644 "$srcdir"/$i "$pkgdir"/etc/conf.d/${i%.*} || return 1 done install -m644 mdev.conf "$pkgdir"/etc - install -m755 persistent-storage "$pkgdir"/lib/mdev/ + install -m755 persistent-storage \ + "$pkgdir"/lib/mdev/ # poweroff script for acpid cat >"$pkgdir"/etc/acpi/PWRF/00000080 <
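Review bot: The new secfixes entry `# 1.35.0-r7:` names a release this APKBUILD does not build, since the first hunk sets `pkgver=1.35.0` and `pkgrel=0`. Tooling that derives fixed versions from this comment block would treat 1.35.0-r0 as predating the CVE-2022-28391 fix, even though the sockaddr2str and nslookup sanitizing patches are still listed in `source`. If the entry was carried over from the Alpine aport, record the first release of this tree that ships the fix (`# 1.35.0-r0:`), or add a comment line stating that the revision numbers follow upstream Alpine.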