[Bug 14781] New: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function

bugzilla at busybox.net bugzilla at busybox.net
Wed Apr 27 06:31:51 UTC 2022


https://bugs.busybox.net/show_bug.cgi?id=14781

            Bug ID: 14781
           Summary: A use-after-free in Busybox's awk applet leads to
                    denial of service and possibly code execution when
                    processing a crafted awk pattern in the copyvar
                    function
           Product: Busybox
           Version: 1.35.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: Standard Compliance
          Assignee: unassigned at busybox.net
          Reporter: magicgoogol at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 9301
  --> https://bugs.busybox.net/attachment.cgi?id=9301&action=edit
poc

Discoverer: Taolaw at Vlab of Vecentek

command: ./busybox_unstripped awk -f crash2 1.txt

=================================================================
==716531==ERROR: AddressSanitizer: heap-use-after-free on address
0x606000001d60 at pc 0x55df2f6b595d bp 0x7fffc8cf08a0 sp 0x7fffc8cf0890
READ of size 4 at 0x606000001d60 thread T0
    #0 0x55df2f6b595c in copyvar editors/awk.c:1051

0x606000001d60 is located 0 bytes inside of 64-byte region
[0x606000001d60,0x606000001da0)
freed by thread T0 here:
    #0 0x7f7b1aeec40f in __interceptor_free
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55df2f6bf305 in nvfree editors/awk.c:1840
    #2 0x55df2f95bdff 
(/home/test/fuzz/busybox-ASAN/busybox_unstripped+0x1044dff)

previously allocated by thread T0 here:
    #0 0x7f7b1aeec808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55df2f1b24a5 in xmalloc libbb/xfuncs_printf.c:50
    #2 0x55df2f95bdff 
(/home/test/fuzz/busybox-ASAN/busybox_unstripped+0x1044dff)

SUMMARY: AddressSanitizer: heap-use-after-free editors/awk.c:1051 in copyvar
Shadow bytes around the buggy address:
  0x0c0c7fff8350: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8360: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8370: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff8380: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8390: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff83a0: fd fd fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd
  0x0c0c7fff83b0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff83c0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff83d0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff83e0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff83f0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==716531==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list