[Bug 9236] New: SEGV on evalvar

bugzilla at busybox.net bugzilla at busybox.net
Tue Sep 13 12:14:19 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9236

            Bug ID: 9236
           Summary: SEGV on evalvar
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: franco.costantini20 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6636
  --> https://bugs.busybox.net/attachment.cgi?id=6636&action=edit
test case

Hello, we recently found an invalid memory access while parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could
be affected. Please find attached the full .config file.
Technical details about the issue are:

==24340== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x0000004c8428 sp 0x7ffd63e2a340 bp 0x7ffd63e2a3c0 T0)
AddressSanitizer can not provide additional info.
    #0 0x4c8427 (/home/franco/testing/progs/busybox-1.25.0/busybox_unstripped+0x4c8427)

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address 0x2>, p@entry=0x60360000fe85 "`\210", flags=flags@entry=257, var_str_list=var_str_list@entry=0x60340000fe68) at shell/ash.c:6835
6835                            unsigned char c = *p++;
#0  0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address 0x2>, p@entry=0x60360000fe85 "`\210", flags=flags@entry=257, var_str_list=var_str_list@entry=0x60340000fe68) at shell/ash.c:6835
#1  0x00000000004bec00 in argstr (p=0x60360000fe85 "`\210", flags=1, flags@entry=3, var_str_list=0x60340000fe68) at shell/ash.c:6143
#2  0x00000000004bf26f in expandarg (arg=arg@entry=0x60360000fe88, arglist=arglist@entry=0x7fffffffe240, flag=3) at shell/ash.c:7223
#3  0x00000000004c8ed9 in evalcommand (cmd=0x60340000fe08, flags=0) at shell/ash.c:9275
#4  0x00000000004c4cb8 in evaltree (n=0x60340000fe08, flags=flags@entry=0) at shell/ash.c:8440
#5  0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#6  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#7  0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#8  0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#9  0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#10 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#11 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.

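The following reproduction and triage helper is an added example, not part of the bug report or of the BusyBox project. It shows how a reviewer would rebuild 1.25.0 with AddressSanitizer and debug info, run the attached test case, and classify the fault from the sanitizer output: the ASan fault address 0x1 and gdb's p=0x2 (read after the post-increment in `*p++`) both point at a near-null pointer rather than an attacker-shaped one, which is the first thing to establish before deciding how seriously to treat a fuzzer crash. The file names (busybox-1.25.0/, busybox.config, testcase.sh, asan.log) and the make invocation passing CFLAGS/LDFLAGS on the command line are assumptions; the sample log embedded in write_sample_log is constructed from the report above, unwrapped onto single lines as the tools actually print them.

```shell
#!/bin/sh
# Added triage helper for an ASan/gdb SEGV report (example code, not BusyBox's).
# Assumed layout: busybox-1.25.0/ source tree, busybox.config (the attached
# .config) and testcase.sh (the attached test case) in the current directory.

# Rebuild with ASan and debug info. Assumption: CFLAGS/LDFLAGS given on the
# make command line reach the busybox build.
build_asan_busybox() {
    cp busybox.config busybox-1.25.0/.config
    make -C busybox-1.25.0 CC=gcc \
        CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
        LDFLAGS="-fsanitize=address" busybox_unstripped
}

# Run the test case under the rebuilt shell and keep stderr for triage.
run_testcase() {
    ASAN_OPTIONS=abort_on_error=0 \
    busybox-1.25.0/busybox_unstripped sh testcase.sh 2>asan.log || true
}

# Constructed sample: the ASan line and the top gdb frames from the report,
# written to the file named in $1 so the helpers below can be exercised offline.
write_sample_log() {
    cat >"$1" <<'EOF'
==24340== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x0000004c8428 sp 0x7ffd63e2a340 bp 0x7ffd63e2a3c0 T0)
AddressSanitizer can not provide additional info.
    #0 0x4c8427 (/home/franco/testing/progs/busybox-1.25.0/busybox_unstripped+0x4c8427)
Program received signal SIGSEGV, Segmentation fault.
#0  0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address 0x2>, p@entry=0x60360000fe85 "`\210", flags=flags@entry=257, var_str_list=var_str_list@entry=0x60340000fe68) at shell/ash.c:6835
#1  0x00000000004bec00 in argstr (p=0x60360000fe85 "`\210", flags=1, flags@entry=3, var_str_list=0x60340000fe68) at shell/ash.c:6143
EOF
}

# Pull the faulting address out of the ASan "SEGV on unknown address" line.
extract_segv_address() {
    sed -n 's/.*SEGV on unknown address \(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# Pull "function file:line" out of the gdb #0 frame (the ASan #0 line is
# indented and has no " in ", so it is not matched).
extract_crash_frame() {
    sed -n 's/^#0 *0x[0-9a-fA-F]* in \([A-Za-z_][A-Za-z0-9_]*\) (.*) at \([^ ]*:[0-9][0-9]*\)$/\1 \2/p' "$1" | head -n 1
}

# Addresses inside the first (never mapped) page are a NULL or small-integer
# pointer being dereferenced; anything else is treated as a wild pointer that
# needs a closer look at where its value came from.
classify_fault_address() {
    fault_addr_int=$(( $1 ))
    if [ "$fault_addr_int" -lt 4096 ]; then
        echo near-null
    else
        echo wild
    fi
}

# Usage: sh triage.sh reproduce
if [ "${1:-}" = reproduce ]; then
    build_asan_busybox
    run_testcase
    fault_addr=$(extract_segv_address asan.log)
    echo "fault address: $fault_addr ($(classify_fault_address "$fault_addr"))"
    echo "crash frame:   $(extract_crash_frame asan.log)"
fi
```

The ASan frame in the report is unsymbolized (a bare module+offset), which is why gdb was needed to name evalvar; pointing ASAN_SYMBOLIZER_PATH at an llvm-symbolizer binary before running the test case makes the sanitizer print the function and shell/ash.c line directly.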