[Bug 15216] New: There is a stack overflow in ash of busybox. Here is the ASan report.

bugzilla at busybox.net bugzilla at busybox.net
Wed Dec 28 08:54:16 UTC 2022


https://bugs.busybox.net/show_bug.cgi?id=15216

            Bug ID: 15216
           Summary: There is a stack overflow in ash of busybox. Here is
                    the ASan report.
           Product: Busybox
           Version: 1.35.x
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Standard Compliance
          Assignee: unassigned at busybox.net
          Reporter: 79167666 at qq.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 9441
  --> https://bugs.busybox.net/attachment.cgi?id=9441&action=edit
./busybox_unstripped  < poc

Discoverer: focu5 at Vlab of Vecentek

> ./busybox_unstripped  < poc
=================================================================
==1034263==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7fffffffcdd8 at pc 0x000001352be8 bp 0x7fffffffcc50 sp 0x7fffffffcc48
WRITE of size 8 at 0x7fffffffcdd8 thread T0
    #0 0x1352be7 in evaluate_string
/home/focus/Desktop/work/target/busybox/shell/math.c:639:21
    #1 0x114b813 in ash_arith
/home/focus/Desktop/work/target/busybox/shell/ash.c:6030:11
    #2 0x113c7b7 in substr_atoi
/home/focus/Desktop/work/target/busybox/shell/ash.c:6042:14
    #3 0x113c7b7 in subevalvar
/home/focus/Desktop/work/target/busybox/shell/ash.c:7160:10
    #4 0x112c76a in evalvar
/home/focus/Desktop/work/target/busybox/shell/ash.c:7665:6
    #5 0x1125a33 in argstr
/home/focus/Desktop/work/target/busybox/shell/ash.c:6892:8
    #6 0x11172e9 in expandarg
/home/focus/Desktop/work/target/busybox/shell/ash.c:8089:2
    #7 0x118136f in fill_arglist
/home/focus/Desktop/work/target/busybox/shell/ash.c:8810:3
    #8 0x10f7bf2 in evalcommand
/home/focus/Desktop/work/target/busybox/shell/ash.c:10337:8
    #9 0x10e8af8 in evaltree
/home/focus/Desktop/work/target/busybox/shell/ash.c:9364:12
    #10 0x10403d0 in evalstring
/home/focus/Desktop/work/target/busybox/shell/ash.c:13435:7
    #11 0x102cb24 in ash_main
/home/focus/Desktop/work/target/busybox/shell/ash.c:14688:3
    #12 0x56f31b in run_applet_no_and_exit
/home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1004:23
    #13 0x57133c in run_applet_and_exit
/home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1022:4
    #14 0x571009 in main
/home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1182:13
    #15 0x7ffff7c43082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x4200dd in _start
(/home/focus/Desktop/work/target/busybox/busybox_unstripped+0x4200dd)

Address 0x7fffffffcdd8 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
/home/focus/Desktop/work/target/busybox/shell/math.c:639:21 in evaluate_string
Shadow bytes around the buggy address:
  0x10007fff7960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7980: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
  0x10007fff7990: 02 cb cb cb cb cb cb cb ca ca ca ca 00 01 cb cb
  0x10007fff79a0: cb cb cb cb ca ca ca ca 00 00 00 00 00 00 00 00
=>0x10007fff79b0: 00 00 00 00 00 00 00 00 cb cb cb[cb]f1 f1 f1 f1
  0x10007fff79c0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff79d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff79e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff79f0: f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x10007fff7a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1034263==ABORTING
