Initial commit

package/system/uci/Makefile

@@ -0,0 +1,88 @@
+#
+# Copyright (C) 2008-2014 OpenWrt.org
+# Copyright (C) 2016 LEDE project
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=uci
+PKG_RELEASE:=2
+
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/uci.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE=2019-05-17
+PKG_SOURCE_VERSION:=f199b961c2970b63cc83947ad49b327b3f48f05f
+PKG_MIRROR_HASH:=bd860a1a97a5c8f1cd77875afcadba9dafff0c4a0d6743ba0c915d76e1c624cd
+
+PKG_LICENSE:=LGPL-2.1
+PKG_LICENSE_FILES:=
+
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+
+PKG_BUILD_PARALLEL:=0
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+# set to 1 to enable debugging
+DEBUG=
+
+define Package/libuci
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=C library for the Unified Configuration Interface (UCI)
+  DEPENDS:=+libubox
+endef
+
+define Package/uci
+  SECTION:=base
+  CATEGORY:=Base system
+  DEPENDS:=+libuci
+  TITLE:=Utility for the Unified Configuration Interface (UCI)
+endef
+
+define Package/libuci-lua
+  SECTION=libs
+  CATEGORY=Libraries
+  DEPENDS:=+libuci +liblua
+  TITLE:=Lua plugin for UCI
+endef
+
+TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include
+TARGET_LDFLAGS += -L$(STAGING_DIR)/usr/lib
+
+CMAKE_OPTIONS = \
+	-DLUAPATH=/usr/lib/lua \
+	$(if $(DEBUG),-DUCI_DEBUG=ON)
+
+define Package/libuci/install
+	$(INSTALL_DIR) $(1)/lib
+	$(CP) $(PKG_BUILD_DIR)/libuci.so* $(1)/lib/
+endef
+
+define Package/libuci-lua/install
+	$(INSTALL_DIR) $(1)/usr/lib/lua
+	$(CP) $(PKG_BUILD_DIR)/lua/uci.so $(1)/usr/lib/lua/
+endef
+
+define Package/uci/install
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/uci $(1)/sbin/
+	$(CP) ./files/* $(1)/
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_BUILD_DIR)/uci{,_config,_blob,map}.h $(1)/usr/include
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/libuci.so* $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/libucimap.a $(1)/usr/lib
+endef
+
+$(eval $(call BuildPackage,uci))
+$(eval $(call BuildPackage,libuci))
+$(eval $(call BuildPackage,libuci-lua))

package/system/uci/files/lib/config/uci.sh

@@ -0,0 +1,138 @@
+#!/bin/sh
+# Shell script compatibility wrappers for /sbin/uci
+#
+# Copyright (C) 2008-2010  OpenWrt.org
+# Copyright (C) 2008  Felix Fietkau <nbd@nbd.name>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+CONFIG_APPEND=
+uci_load() {
+	local PACKAGE="$1"
+	local DATA
+	local RET
+	local VAR
+
+	_C=0
+	if [ -z "$CONFIG_APPEND" ]; then
+		for VAR in $CONFIG_LIST_STATE; do
+			export ${NO_EXPORT:+-n} CONFIG_${VAR}=
+			export ${NO_EXPORT:+-n} CONFIG_${VAR}_LENGTH=
+		done
+		export ${NO_EXPORT:+-n} CONFIG_LIST_STATE=
+		export ${NO_EXPORT:+-n} CONFIG_SECTIONS=
+		export ${NO_EXPORT:+-n} CONFIG_NUM_SECTIONS=0
+		export ${NO_EXPORT:+-n} CONFIG_SECTION=
+	fi
+
+	DATA="$(/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} ${LOAD_STATE:+-P /var/state} -S -n export "$PACKAGE" 2>/dev/null)"
+	RET="$?"
+	[ "$RET" != 0 -o -z "$DATA" ] || eval "$DATA"
+	unset DATA
+
+	${CONFIG_SECTION:+config_cb}
+	return "$RET"
+}
+
+uci_set_default() {
+	local PACKAGE="$1"
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} -q show "$PACKAGE" > /dev/null && return 0
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} import "$PACKAGE"
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} commit "$PACKAGE"
+}
+
+uci_revert_state() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} -P /var/state revert "$PACKAGE${CONFIG:+.$CONFIG}${OPTION:+.$OPTION}"
+}
+
+uci_set_state() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+	local VALUE="$4"
+
+	[ "$#" = 4 ] || return 0
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} -P /var/state set "$PACKAGE.$CONFIG${OPTION:+.$OPTION}=$VALUE"
+}
+
+uci_toggle_state() {
+	uci_revert_state "$1" "$2" "$3"
+	uci_set_state "$1" "$2" "$3" "$4"
+}
+
+uci_set() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+	local VALUE="$4"
+
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} set "$PACKAGE.$CONFIG.$OPTION=$VALUE"
+}
+
+uci_get_state() {
+	uci_get "$1" "$2" "$3" "$4" "/var/state"
+}
+
+uci_get() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+	local DEFAULT="$4"
+	local STATE="$5"
+
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} ${STATE:+-P $STATE} -q get "$PACKAGE${CONFIG:+.$CONFIG}${OPTION:+.$OPTION}"
+	RET="$?"
+	[ "$RET" -ne 0 ] && [ -n "$DEFAULT" ] && echo "$DEFAULT"
+	return "$RET"
+}
+
+uci_add() {
+	local PACKAGE="$1"
+	local TYPE="$2"
+	local CONFIG="$3"
+
+	if [ -z "$CONFIG" ]; then
+		export ${NO_EXPORT:+-n} CONFIG_SECTION="$(/sbin/uci add "$PACKAGE" "$TYPE")"
+	else
+		/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} set "$PACKAGE.$CONFIG=$TYPE"
+		export ${NO_EXPORT:+-n} CONFIG_SECTION="$CONFIG"
+	fi
+}
+
+uci_rename() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+	local VALUE="$4"
+
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} rename "$PACKAGE.$CONFIG${VALUE:+.$OPTION}=${VALUE:-$OPTION}"
+}
+
+uci_remove() {
+	local PACKAGE="$1"
+	local CONFIG="$2"
+	local OPTION="$3"
+
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} del "$PACKAGE.$CONFIG${OPTION:+.$OPTION}"
+}
+
+uci_commit() {
+	local PACKAGE="$1"
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} commit $PACKAGE
+}

package/system/uci/patches/001-file-uci_parse_package-fix-heap-use-after-free.patch

@@ -0,0 +1,51 @@
+From a3e650911f5e6f67dcff09974df3775dfd615da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Sat, 3 Oct 2020 01:29:21 +0200
+Subject: [PATCH] file: uci_parse_package: fix heap use after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following issue which is caused by usage of pointer which pointed
+to a reallocated address:
+
+ ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000087 at pc 0x000000509aa7 bp 0x7ffd6b9c3c40 sp 0x7ffd6b9c3400
+ READ of size 2 at 0x619000000087 thread T0
+     #0 0x509aa6 in strdup (test-fuzz+0x509aa6)
+     #1 0x7fc36d2a1636 in uci_strdup util.c:60:8
+     #2 0x7fc36d29e1ac in uci_alloc_generic list.c:55:13
+     #3 0x7fc36d29e241 in uci_alloc_package list.c:253:6
+     #4 0x7fc36d2a0ba3 in uci_switch_config file.c:375:18
+     #5 0x7fc36d2a09b8 in uci_parse_package file.c:397:2
+     #6 0x7fc36d2a09b8 in uci_parse_line file.c:513:6
+     #7 0x7fc36d2a09b8 in uci_import file.c:681:4
+
+ 0x619000000087 is located 7 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
+ freed by thread T0 here:
+     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
+     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8
+
+ previously allocated by thread T0 here:
+     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
+     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8
+
+Reported-by: Jeremy Galindo <jgalindo@datto.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ file.c                                             |   2 +-
+ ...sig-06,src-000079,time-22005942,op-ext_AO,pos-8 | Bin 0 -> 56 bytes
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ create mode 100644 tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8
+
+--- a/file.c
++++ b/file.c
+@@ -387,8 +387,8 @@ static void uci_parse_package(struct uci
+ 	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+ 
+ 	ofs_name = next_arg(ctx, true, true, true);
+-	name = pctx_str(pctx, ofs_name);
+ 	assert_eol(ctx);
++	name = pctx_str(pctx, ofs_name);
+ 	if (single)
+ 		return;
+ 

package/system/uci/patches/002-file-Check-buffer-size-after-strtok.patch

@@ -0,0 +1,112 @@
+From eae126f66663e5c73e5d290b8e3134449489340f Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 4 Oct 2020 17:14:49 +0200
+Subject: [PATCH] file: Check buffer size after strtok()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a heap overflow in the parsing of the uci line.
+
+The line which is parsed and put into pctx->buf is null terminated and
+stored on the heap. In the uci_parse_line() function we use strtok() to
+split this string in multiple parts after divided by a space or tab.
+strtok() replaces these characters with a NULL byte. If the next byte is
+NULL we assume that this NULL byte was added by strtok() and try to
+parse the string after this NULL byte. If this NULL byte was not added
+by strtok(), but by fgets() to mark the end of the string we would read
+over this end of the string in uninitialized memory and later over the
+allocated buffer.
+
+Fix this problem by storing how long the line we read was and check if
+we would read over the end of the string here.
+
+This also adds the input which detected this crash to the corpus of the
+fuzzer.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+[fixed merge conflict in tests]
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ file.c                                        | 19 ++++++++++++++++---
+ tests/cram/test-san_uci_import.t              |  1 +
+ tests/cram/test_uci_import.t                  |  1 +
+ .../2e18ecc3a759dedc9357b1298e9269eccc5c5a6b  |  1 +
+ uci_internal.h                                |  1 +
+ 5 files changed, 20 insertions(+), 3 deletions(-)
+ create mode 100644 tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b
+
+--- a/file.c
++++ b/file.c
+@@ -28,6 +28,7 @@
+ #include <glob.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <errno.h>
+ 
+ #include "uci.h"
+ #include "uci_internal.h"
+@@ -63,6 +64,7 @@ __private void uci_getln(struct uci_cont
+ 			return;
+ 
+ 		ofs += strlen(p);
++		pctx->buf_filled = ofs;
+ 		if (pctx->buf[ofs - 1] == '\n') {
+ 			pctx->line++;
+ 			return;
+@@ -120,6 +122,15 @@ static inline void addc(struct uci_conte
+ 	*pos_src += 1;
+ }
+ 
++static int uci_increase_pos(struct uci_parse_context *pctx, size_t add)
++{
++	if (pctx->pos + add > pctx->buf_filled)
++		return -EINVAL;
++
++	pctx->pos += add;
++	return 0;
++}
++
+ /*
+  * parse a double quoted string argument from the command line
+  */
+@@ -384,7 +395,8 @@ static void uci_parse_package(struct uci
+ 	char *name;
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "package without name");
+ 
+ 	ofs_name = next_arg(ctx, true, true, true);
+ 	assert_eol(ctx);
+@@ -416,7 +428,8 @@ static void uci_parse_config(struct uci_
+ 	}
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "config without name");
+ 
+ 	ofs_type = next_arg(ctx, true, false, false);
+ 	type = pctx_str(pctx, ofs_type);
+@@ -466,7 +479,8 @@ static void uci_parse_option(struct uci_
+ 		uci_parse_error(ctx, "option/list command found before the first section");
+ 
+ 	/* command string null-terminated by strtok */
+-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
++	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
++		uci_parse_error(ctx, "option without name");
+ 
+ 	ofs_name = next_arg(ctx, true, true, false);
+ 	ofs_value = next_arg(ctx, false, false, false);
+--- a/uci_internal.h
++++ b/uci_internal.h
+@@ -33,6 +33,7 @@ struct uci_parse_context
+ 	const char *name;
+ 	char *buf;
+ 	int bufsz;
++	size_t buf_filled;
+ 	int pos;
+ };
+ #define pctx_pos(pctx)		((pctx)->pos)