[Bug 12931] New: Uninitialized stack variable in bbunzip.c
bugzilla at busybox.net
Wed May 20 19:13:35 UTC 2020
https://bugs.busybox.net/show_bug.cgi?id=12931
Bug ID: 12931
Summary: Uninitialized stack variable in bbunzip.c
Product: Busybox
Version: 1.31.x
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: changochen1 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
POC:
---
BZh (Yes, just three bytes).
---
`bd` is uninitialized and passed to `free`, which is potentially exploitable.
Stack trace:
---
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff753b154 (<__GI___libc_write+20>: cmp rax,0xfffffffffffff000)
RDX: 0x19
RSI: 0x7fffffffded0 --> 0x5555555f39f6 (<bb_error_msg+326>: mov
rax,QWORD PTR [rsp+0x10])
RDI: 0x7fffffffded0 --> 0x5555555f39f6 (<bb_error_msg+326>: mov
rax,QWORD PTR [rsp+0x10])
RBP: 0xfffffffd
RSP: 0x7fffffffe050 --> 0x0
RIP: 0x5555559a208d (<unpack_bz2_stream+1025>: mov rdi,QWORD PTR
[r12+0x40])
R8 : 0x0
R9 : 0x7fffffffded0 --> 0x5555555f39f6 (<bb_error_msg+326>: mov
rax,QWORD PTR [rsp+0x10])
R10: 0x0
R11: 0x246
R12: 0x400000004
R13: 0x7fffffffe1e0 --> 0x2
R14: 0x7fffffffe4f0 --> 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x5555559a207c <unpack_bz2_stream+1008>: mov rdx,QWORD PTR [rsp]
0x5555559a2080 <unpack_bz2_stream+1012>: lea rsp,[rsp+0x98]
0x5555559a2088 <unpack_bz2_stream+1020>: mov r12,QWORD PTR [rsp+0x8]
=> 0x5555559a208d <unpack_bz2_stream+1025>: mov rdi,QWORD PTR [r12+0x40]
0x5555559a2092 <unpack_bz2_stream+1030>: call 0x555555562ac0
<free at plt>
0x5555559a2097 <unpack_bz2_stream+1035>: mov rdi,r12
0x5555559a209a <unpack_bz2_stream+1038>: call 0x555555562ac0
<free at plt>
0x5555559a209f <unpack_bz2_stream+1043>: mov rdi,QWORD PTR [rsp+0x10]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe050 --> 0x0
0008| 0x7fffffffe058 --> 0x400000004
0016| 0x7fffffffe060 --> 0x555555d7e260 --> 0x0
0024| 0x7fffffffe068 --> 0x0
0032| 0x7fffffffe070 --> 0x7fffffffe1e0 --> 0x2
0040| 0x7fffffffe078 --> 0x7fffffffe090 --> 0x0
0048| 0x7fffffffe080 --> 0x555555d7e262 --> 0x0
0056| 0x7fffffffe088 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555559a208d in dealloc_bunzip (bd=0x400000004)
at archival/libarchive/decompress_bunzip2.c:764
764 free(bd->dbuf);
gdb-peda$ bt
#0 0x00005555559a208d in dealloc_bunzip (bd=0x400000004)
at archival/libarchive/decompress_bunzip2.c:764
#1 unpack_bz2_stream (xstate=xstate at entry=0x7fffffffe1e0)
at archival/libarchive/decompress_bunzip2.c:844
#2 0x000055555594065e in bbunpack (argv=0x7fffffffe4f0,
unpacker=0x5555559a1c8c <unpack_bz2_stream>,
make_new_name=0x55555593f964 <make_new_name_generic>,
expected_ext=0x555555b7045b "bz2") at archival/bbunzip.c:126
#3 0x00005555555eda72 in run_applet_no_and_exit (applet_no=0x15,
name=<optimized out>, argv=<optimized out>) at libbb/appletlib.c:997
#4 0x00005555555ee839 in run_applet_and_exit (name=0x7fffffffe75b "bunzip2",
argv=0x7fffffffe4e0) at libbb/appletlib.c:1015
#5 0x00005555555eeef2 in busybox_main (argv=0x7fffffffe4e0) at
libbb/appletlib.c:958
#6 run_applet_and_exit (name=0x7fffffffe74f "busyboxfull", argv=<optimized
out>)
at libbb/appletlib.c:1008
#7 0x00005555555ef75c in main (argc=argc at entry=0x3,
argv=argv at entry=0x7fffffffe4d8)
at libbb/appletlib.c:1123
#8 0x00007ffff744cb97 in __libc_start_main (main=0x5555555ef63c <main>,
argc=0x3,
argv=0x7fffffffe4d8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe4c8) at
../csu/libc-start.c:310
#9 0x0000555555562b4a in _start ()
---
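The defect the report describes, as an added example that is not BusyBox's code: a hypothetical decoder whose initializer returns on a bad header before ever writing its out-pointer, next to a caller that starts the pointer at NULL and releases only what was actually allocated. The struct, function names, error codes and the constructed "BZh" input are assumptions for illustration; the exact BusyBox control flow is not shown on this page.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state mirroring only what the trace shows: a struct
 * that owns a separately allocated buffer, both released by dealloc. */
typedef struct { unsigned char *dbuf; size_t dbuf_len; } bunzip_state;

enum { BZ_OK = 0, BZ_BAD_HEADER = -1, BZ_NOMEM = -2 };

/* Constructed 3-byte input modelled on the report's PoC: "BZh" magic with no
 * block-size digit after it. */
static const unsigned char POC_INPUT[3] = { 'B', 'Z', 'h' };

/* Initializer that fails early on a short or malformed header. On failure it
 * returns before allocating and leaves *out untouched, which is exactly what
 * makes an uninitialized pointer on the caller's stack dangerous. */
static int start_state(bunzip_state **out, const unsigned char *in, size_t len)
{
    if (len < 4 || memcmp(in, "BZh", 3) != 0 || in[3] < '1' || in[3] > '9')
        return BZ_BAD_HEADER;                       /* *out not written */
    bunzip_state *s = calloc(1, sizeof *s);
    if (!s) return BZ_NOMEM;
    s->dbuf_len = (size_t)(in[3] - '0') * 100000u;  /* bzip2 block size */
    s->dbuf = malloc(s->dbuf_len);
    if (!s->dbuf) { free(s); return BZ_NOMEM; }
    *out = s;
    return BZ_OK;
}

/* Dereferences bd, so it must only ever receive a pointer start_state assigned. */
static void dealloc_state(bunzip_state *bd)
{
    free(bd->dbuf);
    free(bd);
}

/* Defective pattern from the report, shown as a comment rather than compiled:
 *     bunzip_state *bd;                 stack garbage (0x400000004 in the trace)
 *     rc = start_state(&bd, in, len);   fails on "BZh", bd still garbage
 *     dealloc_state(bd);                free(garbage->dbuf) -> SIGSEGV
 * Hardened form: start from NULL and release only what was allocated. */
int unpack_stream(const unsigned char *in, size_t len)
{
    bunzip_state *bd = NULL;
    int rc = start_state(&bd, in, len);
    /* stream decoding would run here when rc == BZ_OK */
    if (bd)
        dealloc_state(bd);
    return rc;
}
```

Compiling with -Wall plus running the three-byte input under a sanitizer or Valgrind is the quickest way to confirm the hardened caller no longer touches uninitialized stack memory on the error path.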