[Bug 9276] New: Heap overflow on redirect

bugzilla at busybox.net
Tue Sep 20 16:43:35 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9276

            Bug ID: 9276
           Summary: Heap overflow on redirect
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: franco.costantini20 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6696
  --> https://bugs.busybox.net/attachment.cgi?id=6696&action=edit
test case

Hello, we recently found an invalid memory access while parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could
be affected. Please find attached the full .config file.
Technical details about the issue are:

==24867== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60360000ffb0 at pc 0x4c04be bp 0x7ffe43425f20 sp 0x7ffe43425f18
READ of size 8 at 0x60360000ffb0 thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d734 in __asan_report_load8 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004c04be in openredirect (redir=0x60360000ff90) at shell/ash.c:5104
#8  redirect (redir=redir@entry=0x60360000ff90, flags=flags@entry=3) at shell/ash.c:5322
#9  0x00000000004c0e3d in redirectsafe (redir=0x60360000ff90, flags=flags@entry=3) at shell/ash.c:5469
#10 0x00000000004c911b in evalcommand (cmd=0x60340000fd30, flags=0) at shell/ash.c:9294
#11 0x00000000004c4cb8 in evaltree (n=0x60340000fd30, flags=flags@entry=0) at shell/ash.c:8440
#12 0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#13 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#14 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#15 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#16 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#17 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#18 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
