[Bug 9236] New: SEGV on evalvar
bugzilla at busybox.net
Tue Sep 13 12:14:19 UTC 2016
https://bugs.busybox.net/show_bug.cgi?id=9236
Bug ID: 9236
Summary: SEGV on evalvar
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: franco.costantini20 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 6636
--> https://bugs.busybox.net/attachment.cgi?id=6636&action=edit
test case
Hello, we recently found an invalid memory access while parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could
be affected. Please find attached the full .config file.
Technical details about the issue are:
==24340== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc
0x0000004c8428 sp 0x7ffd63e2a340 bp 0x7ffd63e2a3c0 T0)
AddressSanitizer can not provide additional info.
#0 0x4c8427
(/home/franco/testing/progs/busybox-1.25.0/busybox_unstripped+0x4c8427)
gdb backtrace is as follows:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address
0x2>, p at entry=0x60360000fe85 "`\210", flags=flags at entry=257,
var_str_list=var_str_list at entry=0x60340000fe68) at shell/ash.c:6835
6835 unsigned char c = *p++;
#0 0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at
address 0x2>, p at entry=0x60360000fe85 "`\210", flags=flags at entry=257,
var_str_list=var_str_list at entry=0x60340000fe68) at shell/ash.c:6835
#1 0x00000000004bec00 in argstr (p=0x60360000fe85 "`\210", flags=1,
flags at entry=3, var_str_list=0x60340000fe68) at shell/ash.c:6143
#2 0x00000000004bf26f in expandarg (arg=arg at entry=0x60360000fe88,
arglist=arglist at entry=0x7fffffffe240, flag=3) at shell/ash.c:7223
#3 0x00000000004c8ed9 in evalcommand (cmd=0x60340000fe08, flags=0) at
shell/ash.c:9275
#4 0x00000000004c4cb8 in evaltree (n=0x60340000fe08, flags=flags at entry=0) at
shell/ash.c:8440
#5 0x00000000004c5d99 in cmdloop (top=top at entry=1) at shell/ash.c:12178
#6 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60)
at shell/ash.c:13255
#7 0x0000000000408951 in run_applet_no_and_exit
(applet_no=applet_no at entry=271, argv=argv at entry=0x7fffffffed60) at
libbb/appletlib.c:879
#8 0x0000000000408efc in run_applet_and_exit (name=name at entry=0x7fffffffef2d
"sh", argv=argv at entry=0x7fffffffed60) at libbb/appletlib.c:893
#9 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at
libbb/appletlib.c:840
#10 run_applet_and_exit (name=name at entry=0x7fffffffef1a "busybox_unstripped",
argv=argv at entry=0x7fffffffed58) at libbb/appletlib.c:888
#11 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at
libbb/appletlib.c:971
This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.