[Bug 14896] New: ash: Add ifsfree to varunset and varvalue function to fix a buffer over-read
bugzilla at busybox.net
bugzilla at busybox.net
Tue Jul 5 23:08:05 UTC 2022
https://bugs.busybox.net/show_bug.cgi?id=14896
Bug ID: 14896
Summary: ash: Add ifsfree to varunset and varvalue function to
fix a buffer over-read
Product: Busybox
Version: 1.35.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: algore3698 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Due to a logic error in the ifsbreakup function in ash.c when a
heredoc and normal command is run one after the other by means of a
semi-colon, when the second command drops into ifsbreakup the command
will be evaluated with the ifslastp/ifsfirst struct that was set when
the heredoc was evaluated. This results in a buffer over-read that
can leak the program's heap, stack, and arena addresses which can be
used to beat ASLR.
Steps to Reproduce:
First bug:
cmd args: ~/exampleDir/example> busybox ash
$ M='AAAAAAAAAAAAAAAAA' <note: 17 A's>
$ q00(){
$ <<000;echo
$ ${D?$M$M$M$M$M$M} <note: 6 $M's>
$ 000
$ }
$ q00 <note: After the q00 is typed in the leak
should be echo'd out; this works with ash, busybox ash, and dash and
all options.>
Patch:
Adding the following to ash.c will fix the bug.
================================
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7030,6 +7030,7 @@
msg = umsg;
}
}
+ifsfree();
ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail);
}
@@ -7445,6 +7446,7 @@
if (discard)
return -1;
+ifsfree();
raise_error_syntax("bad substitution");
}
================================
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list