[Bug 9261] New: Heap overflow

bugzilla at busybox.net bugzilla at busybox.net
Mon Sep 19 16:17:53 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9261

            Bug ID: 9261
           Summary: Heap overflow
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: franco.costantini20 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6666
  --> https://bugs.busybox.net/attachment.cgi?id=6666&action=edit
Test case

Hello, we recently found a heap overflow while parsing and executing fuzzed bash code
in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could
be affected. Please find attached the full .config file.

Technical details about the issue are:

==24417== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x605200006bb2 at pc 0x4b9cec bp 0x7fff0aeb13b0 sp 0x7fff0aeb13a8
WRITE of size 1 at 0x605200006bb2 thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d797 in __asan_report_store1 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004b9cec in expmeta (expdir=expdir@entry=0x605200006380 '['
<repeats 200 times>..., enddir=<optimized out>, enddir@entry=0x605200006380 '['
<repeats 200 times>..., name=name@entry=0x60560000f288 '[' <repeats 200
times>...) at shell/ash.c:7031
#8  0x00000000004bf915 in expandmeta (str=0x60560000fac0) at shell/ash.c:7182
#9  expandarg (arg=arg@entry=0x60620000f340,
arglist=arglist@entry=0x7fffffffe240, flag=<optimized out>) at shell/ash.c:7240
#10 0x00000000004c8ed9 in evalcommand (cmd=0x60340000eec0, flags=0) at
shell/ash.c:9275
#11 0x00000000004c4cb8 in evaltree (n=0x60340000eec0, flags=flags@entry=0) at
shell/ash.c:8440
#12 0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#13 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60)
at shell/ash.c:13255
#14 0x0000000000408951 in run_applet_no_and_exit
(applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at
libbb/appletlib.c:879
#15 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e
"sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#16 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at
libbb/appletlib.c:840
#17 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped",
argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#18 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at
libbb/appletlib.c:971

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
