Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-core/busybox')
7 files changed, 316 insertions, 43 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox-1.24.1/ifupdown-pass-interface-device-name-for-ipv6-route-c.patch b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox-1.24.1/ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
new file mode 100644
index 000000000..5715378af
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox-1.24.1/ifupdown-pass-interface-device-name-for-ipv6-route-c.patch
@@ -0,0 +1,52 @@
+From 06fcf98f6ca40dc6b823d7d6231a240a1794ef2d Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Tue, 28 Feb 2017 10:40:37 +0800
+Subject: [PATCH] ifupdown: pass interface device name for ipv6 route commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 028524317d8d0011ed38e86e507a06738a5b5a97 from upstream
+
+IPv6 routes need the device argument for link-local routes, or they
+cannot be used at all. E.g. "gateway fe80::def" seems to be used in
+some places, but kernel refuses to insert the route unless device
+name is explicitly specified in the route addition.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ networking/ifupdown.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/networking/ifupdown.c b/networking/ifupdown.c
+index 17bc4e9..a00f68d 100644
+--- a/networking/ifupdown.c
++++ b/networking/ifupdown.c
+@@ -394,8 +394,8 @@ static int FAST_FUNC static_up6(struct interface_defn_t *ifd, execfn *exec)
+ # if ENABLE_FEATURE_IFUPDOWN_IP
+ result = execute("ip addr add %address%/%netmask% dev %iface%[[ label %label%]]", ifd, exec);
+ result += execute("ip link set[[ mtu %mtu%]][[ addr %hwaddress%]] %iface% up", ifd, exec);
+- /* Was: "[[ ip ....%gateway% ]]". Removed extra spaces w/o checking */
+- result += execute("[[ip route add ::/0 via %gateway%]][[ metric %metric%]]", ifd, exec);
++ /* Reportedly, IPv6 needs "dev %iface%", but IPv4 does not: */
++ result += execute("[[ip route add ::/0 via %gateway% dev %iface%]][[ metric %metric%]]", ifd, exec);
+ # else
+ result = execute("ifconfig %iface%[[ media %media%]][[ hw %hwaddress%]][[ mtu %mtu%]] up", ifd, exec);
+ result += execute("ifconfig %iface% add %address%/%netmask%", ifd, exec);
+@@ -421,7 +421,8 @@ static int FAST_FUNC v4tunnel_up(struct interface_defn_t *ifd, execfn *exec)
+ "%endpoint%[[ local %local%]][[ ttl %ttl%]]", ifd, exec);
+ result += execute("ip link set %iface% up", ifd, exec);
+ result += execute("ip addr add %address%/%netmask% dev %iface%", ifd, exec);
+- result += execute("[[ip route add ::/0 via %gateway%]]", ifd, exec);
++ /* Reportedly, IPv6 needs "dev %iface%", but IPv4 does not: */
++ result += execute("[[ip route add ::/0 via %gateway% dev %iface%]]", ifd, exec);
+ return ((result == 4) ? 4 : 0);
+ }
+
+--
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-flock-update-the-behaviour-of-c-parameter-to-match-u.patch b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-flock-update-the-behaviour-of-c-parameter-to-match-u.patch
index 8bcbd73de..78520f0d9 100644
--- a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-flock-update-the-behaviour-of-c-parameter-to-match-u.patch
+++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-flock-update-the-behaviour-of-c-parameter-to-match-u.patch
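Review bot: The comment added above both changed route commands (in static_up6 and in v4tunnel_up) says only `Reportedly, IPv6 needs "dev %iface%", but IPv4 does not`, which leaves out the reason the commit message gives. I would word it as `/* Link-local gateways (fe80::/10) are ambiguous without an interface; the kernel rejects the route unless "dev %iface%" is given */`. Both functions start and end outside the inner hunks.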
@@ -1,35 +1,24 @@ -From 198f18addf1d814c2fefcb492f3b9fbd221669bb Mon Sep 17 00:00:00 2001 -From: "Maxin B. John" <maxin.john@intel.com> -Date: Wed, 20 Apr 2016 18:24:45 +0300 -Subject: [PATCH] flock: update the behaviour of -c parameter to match upstream - -In upstream, -c 'PROG ARGS' means "run sh -c 'PROG ARGS'" +From e1d426fd65c00a6d01a10d85edf8a294ae8a2d2b Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Sun, 24 Apr 2016 18:19:49 +0200 +Subject: [PATCH] flock: fix -c; improve error handling of fork+exec function old new delta -flock_main 286 377 +91 -.rodata 155849 155890 +41 +flock_main 254 334 +80 -Upstream-Status: Submitted -[ http://lists.busybox.net/pipermail/busybox/2016-April/084142.html ] +Upstream-Status: Backport +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Maxin B. John <maxin.john@intel.com> --- - util-linux/flock.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) + util-linux/flock.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/util-linux/flock.c b/util-linux/flock.c -index 05a747f..c85a25d 100644 +index 05a747f..539a835 100644 --- a/util-linux/flock.c +++ b/util-linux/flock.c -@@ -20,6 +20,7 @@ int flock_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; - int flock_main(int argc UNUSED_PARAM, char **argv) - { - int mode, opt, fd; -+ char *cmd_args[4]; - enum { - OPT_s = (1 << 0), - OPT_x = (1 << 1), -@@ -57,7 +58,6 @@ int flock_main(int argc UNUSED_PARAM, char **argv) +@@ -57,7 +57,6 @@ int flock_main(int argc UNUSED_PARAM, char **argv) /* If it is "flock FILE -c PROG", then -c isn't caught by getopt32: * we use "+" in order to support "flock -opt FILE PROG -with-opts", * we need to remove -c by hand. 
@@ -37,35 +26,37 @@ index 05a747f..c85a25d 100644 */ if (argv[0] && argv[0][0] == '-' -@@ -65,7 +65,10 @@ int flock_main(int argc UNUSED_PARAM, char **argv) - || (ENABLE_LONG_OPTS && strcmp(argv[0] + 1, "-command") == 0) +@@ -66,6 +65,9 @@ int flock_main(int argc UNUSED_PARAM, char **argv) ) ) { -- argv++; -+ if (argc != optind + 3) -+ bb_error_msg_and_die("-c requires exactly one command argument"); -+ else -+ argv++; + argv++; ++ if (argv[1]) ++ bb_error_msg_and_die("-c takes only one argument"); ++ opt |= OPT_c; } if (OPT_s == LOCK_SH && OPT_x == LOCK_EX && OPT_n == LOCK_NB && OPT_u == LOCK_UN) { -@@ -89,9 +92,14 @@ int flock_main(int argc UNUSED_PARAM, char **argv) - return EXIT_FAILURE; +@@ -90,8 +92,21 @@ int flock_main(int argc UNUSED_PARAM, char **argv) bb_perror_nomsg_and_die(); } -- + - if (argv[0]) -- return spawn_and_wait(argv); -- -+ if (argv[0]) { -+ cmd_args[0] = getenv("SHELL"); -+ if (!cmd_args[0]) -+ cmd_args[0] = (char*)DEFAULT_SHELL; -+ cmd_args[1] = (char*)"-c"; -+ cmd_args[2] = argv[0]; -+ cmd_args[3] = NULL; -+ return spawn_and_wait(cmd_args); -+ } ++ if (argv[0]) { ++ if (!(opt & OPT_c)) { ++ int rc = spawn_and_wait(argv); ++ if (rc < 0) ++ bb_simple_perror_msg(argv[0]); ++ return rc; ++ } ++ /* -c 'PROG ARGS' means "run sh -c 'PROG ARGS'" */ ++ argv -= 2; ++ argv[0] = (char*)get_shell_name(); ++ argv[1] = (char*)"-c"; ++ /* argv[2] = "PROG ARGS"; */ ++ /* argv[3] = NULL; */ + return spawn_and_wait(argv); ++ } + return EXIT_SUCCESS; } -- diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-libiproute-handle-table-ids-larger-than-255.patch b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-libiproute-handle-table-ids-larger-than-255.patch new file mode 100644 index 000000000..aac5b4029 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/0001-libiproute-handle-table-ids-larger-than-255.patch 
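Review bot: In the `-c` branch of flock_main the new check `if (argv[1])` runs right after `argv++` without first testing `argv[0]`, so `flock FILE -c` with no command reads one slot past the NULL terminator of argv. Guarding it as `if (argv[0] && argv[1])` keeps the read inside the array and avoids a spurious "-c takes only one argument" exit. The later `argv -= 2` relies on FILE and `-c` sitting directly before the command string, which deserves a one-line comment next to it. The markers of this patch-of-a-patch are collapsed on the page, so this reading of the new side is inferred from line order; flock_main continues outside the hunk.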
@@ -0,0 +1,134 @@
+From b5a9234272e6084557224c73ab7737ed47f09848 Mon Sep 17 00:00:00 2001
+From: Lukasz Nowak <lnowak@tycoint.com>
+Date: Wed, 23 Nov 2016 12:48:21 +0000
+Subject: [PATCH v2] libiproute: handle table ids larger than 255
+
+Linux kernel, starting from 2.6.19 allows ip table ids to have 32-bit values.
+In order to preserve compatibility, the old 8-bit field: rtm_table is still
+in use when table id is lower than 256.
+
+Add support for the 32-bit table id (RTA_TABLE attribute) in:
+- ip route print
+- ip route modify
+- ip rule print
+- ip rule modify
+
+Add printing of table ids to ip route.
+
+Changes are compatible with the mainline iproute2 utilities.
+
+These changes are required for compatibility with ConnMan, which by default
+uses table ids greater than 255.
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2016-December/084989.html]
+
+Signed-off-by: Lukasz Nowak <lnowak@tycoint.com>
+---
+ networking/libiproute/iproute.c | 24 ++++++++++++++++++++----
+ networking/libiproute/iprule.c | 11 +++++++++--
+ 2 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/networking/libiproute/iproute.c b/networking/libiproute/iproute.c
+index 6ecd5f7..d5af498 100644
+--- a/networking/libiproute/iproute.c
++++ b/networking/libiproute/iproute.c
+@@ -87,6 +87,7 @@ static int FAST_FUNC print_route(const struct sockaddr_nl *who UNUSED_PARAM,
+ inet_prefix dst;
+ inet_prefix src;
+ int host_len = -1;
++ uint32_t tid;
+
+ if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
+ fprintf(stderr, "Not a route: %08x %08x %08x\n",
+@@ -99,6 +100,14 @@ static int FAST_FUNC print_route(const struct sockaddr_nl *who UNUSED_PARAM,
+ if (len < 0)
+ bb_error_msg_and_die("wrong nlmsg len %d", len);
+
++ memset(tb, 0, sizeof(tb));
++ parse_rtattr(tb, RTA_MAX, RTM_RTA(r), len);
++
++ if (tb[RTA_TABLE])
++ tid = *(uint32_t *)RTA_DATA(tb[RTA_TABLE]);
++ else
++ tid = r->rtm_table;
++
+ if (r->rtm_family == AF_INET6)
+ host_len = 128;
+ else if (r->rtm_family == AF_INET)
+@@ -128,7 +137,7 @@ static int FAST_FUNC print_route(const struct sockaddr_nl *who UNUSED_PARAM,
+ }
+ }
+ } else {
+- if (G_filter.tb > 0 && G_filter.tb != r->rtm_table) {
++ if (G_filter.tb > 0 && G_filter.tb != tid) {
+ return 0;
+ }
+ }
+@@ -157,10 +166,8 @@ static int FAST_FUNC print_route(const struct sockaddr_nl *who UNUSED_PARAM,
+ return 0;
+ }
+
+- memset(tb, 0, sizeof(tb));
+ memset(&src, 0, sizeof(src));
+ memset(&dst, 0, sizeof(dst));
+- parse_rtattr(tb, RTA_MAX, RTM_RTA(r), len);
+
+ if (tb[RTA_SRC]) {
+ src.bitlen = r->rtm_src_len;
+@@ -283,6 +290,10 @@ static int FAST_FUNC print_route(const struct sockaddr_nl *who UNUSED_PARAM,
+ if (tb[RTA_OIF]) {
+ printf("dev %s ", ll_index_to_name(*(int*)RTA_DATA(tb[RTA_OIF])));
+ }
++#if ENABLE_FEATURE_IP_RULE
++ if (tid && tid != RT_TABLE_MAIN && !G_filter.tb)
++ printf("table %s ", rtnl_rttable_n2a(tid));
++#endif
+
+ /* Todo: parse & show "proto kernel", "scope link" here */
+
+@@ -434,7 +445,12 @@ IF_FEATURE_IP_RULE(ARG_table,)
+ NEXT_ARG();
+ if (rtnl_rttable_a2n(&tid, *argv))
+ invarg(*argv, "table");
+- req.r.rtm_table = tid;
++ if (tid < 256)
++ req.r.rtm_table = tid;
++ else {
++ req.r.rtm_table = RT_TABLE_UNSPEC;
++ addattr32(&req.n, sizeof(req), RTA_TABLE, tid);
++ }
+ #endif
+ } else if (arg == ARG_dev || arg == ARG_oif) {
+ NEXT_ARG();
+diff --git a/networking/libiproute/iprule.c b/networking/libiproute/iprule.c
+index 774a3e2..3fac7c5 100644
+--- a/networking/libiproute/iprule.c
++++ b/networking/libiproute/iprule.c
+@@ -119,7 +119,9 @@ static int FAST_FUNC print_rule(const struct sockaddr_nl *who UNUSED_PARAM,
+ printf("iif %s ", (char*)RTA_DATA(tb[RTA_IIF]));
+ }
+
+- if (r->rtm_table)
++ if (tb[RTA_TABLE])
++ printf("lookup %s ", rtnl_rttable_n2a(*(uint32_t*)RTA_DATA(tb[RTA_TABLE])));
++ else if (r->rtm_table)
+ printf("lookup %s ", rtnl_rttable_n2a(r->rtm_table));
+
+ if (tb[RTA_FLOW]) {
+@@ -259,7 +261,12 @@ static int iprule_modify(int cmd, char **argv)
+ NEXT_ARG();
+ if (rtnl_rttable_a2n(&tid, *argv))
+ invarg(*argv, "table ID");
+- req.r.rtm_table = tid;
++ if (tid < 256)
++ req.r.rtm_table = tid;
++ else {
++ req.r.rtm_table = RT_TABLE_UNSPEC;
++ addattr32(&req.n, sizeof(req), RTA_TABLE, tid);
++ }
+ table_ok = 1;
+ } else if (key == ARG_dev ||
+ key == ARG_iif
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/BUG9071_buffer_overflow_arp.patch b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/BUG9071_buffer_overflow_arp.patch
new file mode 100644
index 000000000..828694cbb
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/BUG9071_buffer_overflow_arp.patch
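Review bot: print_route reads the table id with `tid = *(uint32_t *)RTA_DATA(tb[RTA_TABLE]);` without checking that the attribute payload holds four bytes, and print_rule in iprule.c does the same dereference inline. A length guard plus memcpy avoids both a short read and the type-punned access: `if (tb[RTA_TABLE] && RTA_PAYLOAD(tb[RTA_TABLE]) >= sizeof(tid)) memcpy(&tid, RTA_DATA(tb[RTA_TABLE]), sizeof(tid));`, falling back to `r->rtm_table` otherwise. The attributes normally come from the kernel, so this is hardening rather than a known fault. Both functions start and end outside the inner hunks.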
@@ -0,0 +1,53 @@
+busybox1.24.1: Fix busybox - (local) cmdline stack buffer overwrite
+
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=9071
+
+busybox - (local) cmdline stack buffer overwrite
+
+Busybox provides an `arp` applet which is missing an array bounds check for
+command-line parameter `IFNAME`. It is therefore vulnerable to a command-line
+based local stack buffer overwrite effectively allowing local users to write
+past a 16 bytes fixed stack buffer. This leads to two scenarios, one (A) where
+an IOCTL for GET_HW_ADDRESS (`SIOCGIFHWADDR`) fails and results in a corrupted
+`va_list` being passed to `*printf()` and one (B) where an attacker might provide
+valid params for the IOCTL and trick the program to proceed and result in a
+`RET eip overwrite` eventually gaining code execution.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/networking/arp.c?id=88e2b1cb626761b1924305b761a5dfc723613c4e]
+BUG: BUG9071
+Signed-off-by: Martin Balik <martin.balik@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+--
+
+diff --git a/networking/arp.c b/networking/arp.c
+index 0099aa5..87eb327 100644
+--- a/networking/arp.c
++++ b/networking/arp.c
+@@ -176,7 +176,7 @@ static int arp_del(char **args)
+ if (flags == 0)
+ flags = 3;
+
+- strncpy(req.arp_dev, device, sizeof(req.arp_dev));
++ strncpy_IFNAMSIZ(req.arp_dev, device);
+
+ err = -1;
+
+@@ -217,7 +217,7 @@ static void arp_getdevhw(char *ifname, struct sockaddr *sa)
+ struct ifreq ifr;
+ const struct hwtype *xhw;
+
+- strcpy(ifr.ifr_name, ifname);
++ strncpy_IFNAMSIZ(ifr.ifr_name, ifname);
+ ioctl_or_perror_and_die(sockfd, SIOCGIFHWADDR, &ifr,
+ "can't get HW-Address for '%s'", ifname);
+ if (hw_set && (ifr.ifr_hwaddr.sa_family != hw->type)) {
+@@ -330,7 +330,7 @@ static int arp_set(char **args)
+ /* Fill in the remainder of the request. */
+ req.arp_flags = flags;
+
+- strncpy(req.arp_dev, device, sizeof(req.arp_dev));
++ strncpy_IFNAMSIZ(req.arp_dev, device);
+
+ /* Call the kernel. */
+ if (option_mask32 & ARP_OPT_v)
diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
new file mode 100644
index 000000000..851bc20f7
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox/CVE-2016-6301.patch
@@ -0,0 +1,37 @@
+busybox1.24.1: Fix CVE-2016-6301
+
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
+
+ntpd: NTP server denial of service flaw
+
+The busybox NTP implementation doesn't check the NTP mode of packets
+received on the server port and responds to any packet with the right
+size. This includes responses from another NTP server. An attacker can
+send a packet with a spoofed source address in order to create an
+infinite loop of responses between two busybox NTP servers. Adding
+more packets to the loop increases the traffic between the servers
+until one of them has a fully loaded CPU and/or network.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
+CVE: CVE-2016-6301
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+
+diff --git a/networking/ntpd.c b/networking/ntpd.c
+index 9732c9b..0f6a55f 100644
+--- a/networking/ntpd.c
++++ b/networking/ntpd.c
+@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
+ goto bail;
+ }
+
++ /* Respond only to client and symmetric active packets */
++ if ((msg.m_status & MODE_MASK) != MODE_CLIENT
++ && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
++ ) {
++ goto bail;
++ }
++
+ query_status = msg.m_status;
+ query_xmttime = msg.m_xmttime;
+
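Review bot: The three replaced copies in arp_del, arp_getdevhw and arp_set now bound the write, but an over-long IFNAME is cut silently rather than rejected, and if strncpy_IFNAMSIZ is a plain bounded strncpy (its definition is not on this page) a name of IFNAMSIZ bytes or more leaves the field without a terminating NUL. I would reject such input before copying, for example `if (strlen(ifname) >= IFNAMSIZ) bb_error_msg_and_die("interface name '%s' is too long", ifname);` in arp_getdevhw and the same test on `device` in the other two. That also keeps the "can't get HW-Address for '%s'" message from printing a different string than the one handed to the ioctl. All three functions continue outside the inner hunks.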
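Review bot: The comment on the new mode check in recv_and_process_client_pkt says which packets are answered but not why, and the reason is the substance of the fix. I would extend it to `/* Respond only to client and symmetric active packets: answering server-mode replies lets a spoofed packet start a reply loop between two servers (CVE-2016-6301) */`. Reading `msg.m_status & MODE_MASK` once into a local would also make the two comparisons easier to scan. The function body continues outside the hunk.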
diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox_1.24.1.bb b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox_1.24.1.bb index df0e13126..400cdfe28 100644 --- a/import-layers/yocto-poky/meta/recipes-core/busybox/busybox_1.24.1.bb +++ b/import-layers/yocto-poky/meta/recipes-core/busybox/busybox_1.24.1.bb @@ -47,12 +47,16 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2016-2148.patch \ file://CVE-2016-2147.patch \ file://CVE-2016-2147_2.patch \ + file://CVE-2016-6301.patch \ file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \ file://makefile-fix-backport.patch \ file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \ file://busybox-kbuild-race-fix-commit-d8e61bb.patch \ file://commit-applet_tables-fix-commit-0dddbc1.patch \ file://makefile-libbb-race.patch \ + file://0001-libiproute-handle-table-ids-larger-than-255.patch \ + file://ifupdown-pass-interface-device-name-for-ipv6-route-c.patch \ + file://BUG9071_buffer_overflow_arp.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " diff --git a/import-layers/yocto-poky/meta/recipes-core/busybox/files/mdev.conf b/import-layers/yocto-poky/meta/recipes-core/busybox/files/mdev.conf index 17e93da7c..4e9c23f14 100644 --- a/import-layers/yocto-poky/meta/recipes-core/busybox/files/mdev.conf +++ b/import-layers/yocto-poky/meta/recipes-core/busybox/files/mdev.conf @@ -39,4 +39,6 @@ input/mouse.* 0:0 0660 tun[0-9]* 0:0 0660 =net/ [hs]d[a-z][0-9]? 0:0 660 */etc/mdev/mdev-mount.sh +mmcblk[0-9]rpmb 0:0 660 +mmcblk[0-9]boot[0-9] 0:0 660 mmcblk[0-9].* 0:0 660 */etc/mdev/mdev-mount.sh |
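Review bot: The two new mdev.conf rules for `mmcblk[0-9]rpmb` and `mmcblk[0-9]boot[0-9]` only take effect because they sit above the catch-all `mmcblk[0-9].*` line that runs mdev-mount.sh, and nothing in the file says so. A comment such as `# eMMC RPMB and boot areas: create the node only, never pass them to mdev-mount.sh; keep above mmcblk[0-9].*` would stop a later reorder from handing those areas to the mount script again. The single `[0-9]` also means a device index of 10 or above would fall through to the catch-all, if such indices can occur on the target.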