[Bug 14956] New: A use-after-free in busybox's bc applet
bugzilla at busybox.net
Tue Aug 9 14:30:22 UTC 2022
https://bugs.busybox.net/show_bug.cgi?id=14956
Bug ID: 14956
Summary: A use-after-free in busybox's bc applet
Product: Busybox
Version: 1.33.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: xiechengliang1 at huawei.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9356 (poc)
--> https://bugs.busybox.net/attachment.cgi?id=9356&action=edit
Command: ./busybox_unstripped bc text.txt
bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
=================================================================
==556554==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000002e0 at pc 0x7f0419528d4d bp 0x7ffd18813e60 sp 0x7ffd18813608
READ of size 2 at 0x6030000002e0 thread T0
    #0 0x7f0419528d4c (/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
    #1 0x564f7483d148 in bc_error_at miscutils/bc.c:988
0x6030000002e0 is located 0 bytes inside of 32-byte region [0x6030000002e0,0x603000000300)
freed by thread T0 here:
    #0 0x7f04195c2ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x564f747fd10c in xrealloc libbb/xfuncs_printf.c:61
previously allocated by thread T0 here:
    #0 0x7f04195c2bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x564f747fd074 in xmalloc libbb/xfuncs_printf.c:50
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
Shadow bytes around the buggy address:
==556554==ABORTING