[Bug 9266] New: SIGSEGV on readtoken

bugzilla at busybox.net bugzilla at busybox.net
Mon Sep 19 16:21:37 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9266

            Bug ID: 9266
           Summary: SIGSEGV on readtoken
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: franco.costantini20 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6676
  --> https://bugs.busybox.net/attachment.cgi?id=6676&action=edit
test case

Hello, we recently found an invalid memory access while parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could
be affected. Please find attached the full .config file.

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
11153   {
#0  readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
#1  0x00000000004c3238 in readtoken () at shell/ash.c:11953
#2  0x00000000004c4560 in pipeline () at shell/ash.c:10642
#3  0x00000000004c1409 in andor () at shell/ash.c:10612
#4  list (nlflag=nlflag at entry=0) at shell/ash.c:10565
#5  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#6  0x00000000004c4583 in pipeline () at shell/ash.c:10647
#7  0x00000000004c1409 in andor () at shell/ash.c:10612
#8  list (nlflag=nlflag at entry=0) at shell/ash.c:10565
#9  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#10 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#11 0x00000000004c1409 in andor () at shell/ash.c:10612
#12 list (nlflag=nlflag at entry=0) at shell/ash.c:10565
#13 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#14 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#15 0x00000000004c1409 in andor () at shell/ash.c:10612
#16 list (nlflag=nlflag at entry=0) at shell/ash.c:10565
#17 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#18 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#19 0x00000000004c1409 in andor () at shell/ash.c:10612
#20 list (nlflag=nlflag at entry=0) at shell/ash.c:10565
#21 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#22 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#23 0x00000000004c1409 in andor () at shell/ash.c:10612
#24 list (nlflag=nlflag at entry=0) at shell/ash.c:10565

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
