[Bug 7856] New: null pointer dereference in ash

bugzilla at busybox.net bugzilla at busybox.net
Mon Feb 2 23:56:33 UTC 2015 

https://bugs.busybox.net/show_bug.cgi?id=7856

           Summary: null pointer dereference in ash
           Product: Busybox
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Other
        AssignedTo: unassigned at busybox.net
        ReportedBy: brian.carpenter at gmail.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


Created attachment 5840
  --> https://bugs.busybox.net/attachment.cgi?id=5840
Testcase that crashes busybox ash

I'm fuzzing busybox with american fuzzy lop (http://lcamtuf.coredump.cx/afl)
and I found a test case which causes ash to segfault, most likely because of a
null ptr deref.

Compilation steps on Debian 7 x64:
1) edited the Makefile to point to afl-gcc and afl-gxx instead of the system
defaults for binary instrumention.
2) make menuconfig (defaults only, nothing extra selected or toggled)
3) make

BusyBox v1.24.0.git (2015-02-02 16:46:08 CST)

GDB output:
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 49119]
id:000000,sig:11,src:000258,op:havoc,rep:16: line 1: ++: not found
[----------------------------------registers-----------------------------------]
RAX: 0x1
RBX: 0xb17310 --> 0xb17340 --> 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x7fffffffd7f0 --> 0x0
RDI: 0xd ('\r')
RBP: 0x0
RSP: 0x7fffffffd9f0 --> 0x0
RIP: 0x51c424 (mov    rsi,QWORD PTR [rcx+0x18])
R8 : 0x7fffffffd8a0 --> 0x1
R9 : 0xbd87
R10: 0x8
R11: 0x202
R12: 0xb17550 --> 0x100000000
R13: 0xb17010 --> 0x10000bd87
R14: 0x0
R15: 0x8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x51c414:    mov    r15d,DWORD PTR [rsp+0x24]
   0x51c419:    mov    rbx,QWORD PTR [rip+0x5fa6e8]        # 0xb16b08
   0x51c420:    mov    DWORD PTR [rbx+0x28],r15d
=> 0x51c424:    mov    rsi,QWORD PTR [rcx+0x18]
   0x51c428:    mov    rdi,QWORD PTR [rcx+0x10]
   0x51c42c:    call   0x7c2448
   0x51c431:    mov    rsi,QWORD PTR [rbx+0x10]
   0x51c435:    mov    rdx,QWORD PTR [rip+0x5f4284]        # 0xb106c0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd9f0 --> 0x0
0008| 0x7fffffffd9f8 --> 0x7b4755 (add    rsp,0x8)
0016| 0x7fffffffda00 --> 0xffffffff007b3422
0024| 0x7fffffffda08 --> 0x300000000
0032| 0x7fffffffda10 --> 0x800000007
0040| 0x7fffffffda18 --> 0xb17400 --> 0x2b2b ('++')
0048| 0x7fffffffda20 --> 0x4f9bb2 (mov    rdx,QWORD PTR [rsp])
0056| 0x7fffffffda28 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000051c424 in ?? ()
gdb-peda$ bt
#0  0x000000000051c424 in ?? ()
#1  0x0000000000000000 in ?? ()

Valgrind output:
==5301== Invalid read of size 8
==5301==    at 0x51C424: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0x543D3B7: ???
==5301==    by 0x7B4754: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0xFFFFFFFF007B3421: ???
==5301==    by 0x2FFFFFFFF: ???
==5301==    by 0x400000002: ???
==5301==    by 0x543D46F: ???
==5301==    by 0x4F9BB1: ??? (in /home/geeknik/busybox/busybox)
==5301==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==5301== 
==5301== 
==5301== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==5301==  Access not within mapped region at address 0x18
==5301==    at 0x51C424: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0x543D3B7: ???
==5301==    by 0x7B4754: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0xFFFFFFFF007B3421: ???
==5301==    by 0x2FFFFFFFF: ???
==5301==    by 0x400000002: ???
==5301==    by 0x543D46F: ???
==5301==    by 0x4F9BB1: ??? (in /home/geeknik/busybox/busybox)
==5301==  If you believe this happened as a result of a stack
==5301==  overflow in your program's main thread (unlikely but
==5301==  possible), you can try to increase the size of the
==5301==  main thread stack using the --main-stacksize= flag.
==5301==  The main thread stack size used in this run was 8388608.
id:000000,sig:11,src:000258,op:havoc,rep:16: line 1: ++: not found
==2822== Invalid read of size 1
==2822==    at 0x7C3503: ??? (in /home/geeknik/busybox/busybox)
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2822== 
==2822== 
==2822== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==2822==  Access not within mapped region at address 0x0
==2822==    at 0x7C3503: ??? (in /home/geeknik/busybox/busybox)
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==  If you believe this happened as a result of a stack
==2822==  overflow in your program's main thread (unlikely but
==2822==  possible), you can try to increase the size of the
==2822==  main thread stack using the --main-stacksize= flag.
==2822==  The main thread stack size used in this run was 8388608.
Segmentation fault

The testcase is only 15 bytes and the command line used was "./busybox ash
test" and here we are.

Hexdump of testcase: 
0000000 2b2b 3c3c 0061 293b 1c28 3e20 2f24 0061
000000f

I believe the same crash happens with busybox sh as well. Wasn't sure if I
needed to open a 2nd bug for that

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the busybox-cvs mailing list