[Bug 14896] New: ash: Add ifsfree to varunset and varvalue function to fix a buffer over-read

bugzilla at busybox.net bugzilla at busybox.net
Tue Jul 5 23:08:05 UTC 2022


https://bugs.busybox.net/show_bug.cgi?id=14896

            Bug ID: 14896
           Summary: ash: Add ifsfree to varunset and varvalue function to
                    fix a buffer over-read
           Product: Busybox
           Version: 1.35.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: algore3698 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Due to a logic error in the ifsbreakup function in ash.c, when a
heredoc and a normal command are run one after the other by means of a
semicolon, when the second command drops into ifsbreakup the command
will be evaluated with the ifslastp/ifsfirst struct that was set when
the heredoc was evaluated. This results in a buffer over-read that
can leak the program's heap, stack, and arena addresses, which can be
used to beat ASLR.

Steps to Reproduce:
First bug:
cmd args: ~/exampleDir/example> busybox ash
$ M='AAAAAAAAAAAAAAAAA'    <note: 17 A's>
$ q00(){
$ <<000;echo
$ ${D?$M$M$M$M$M$M}        <note: 6 $M's>
$ 000
$ }
$ q00                      <note: After the q00 is typed in, the leak
should be echoed out; this works with ash, busybox ash, and dash and
all options.>

Patch:
Adding the following to ash.c will fix the bug.
================================
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7030,6 +7030,7 @@
msg = umsg;
}
}
+ifsfree();
ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail);
}
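Review bot: the leading indentation of every line in this hunk has been stripped, so `patch`/`git apply` will reject it against shell/ash.c; please resend the diff as an attachment or in a form that preserves whitespace. On the substance, inserting `ifsfree();` immediately before `ash_msg_and_raise_error(...)` in varunset is the right spot since that call does not return, but two things should be confirmed in the same change: that `ifsfree` is defined (or forward-declared) earlier in ash.c than varunset, and that `ifsfree()` copes with an empty region list (`ifsfirst.next == NULL`), because a `${var?msg}` failure can be reached before any IFS region was recorded. A one-line comment such as `/* do not leave stale IFS regions for the next command */` would document why the call is here, and the report's `q00` reproducer would make a good addition to the shell test suite so the over-read cannot silently return.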

@@ -7445,6 +7446,7 @@
if (discard)
return -1;
+ifsfree();
raise_error_syntax("bad substitution");
}
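Review bot: same whitespace problem as the first hunk, and the hunk header claims six context lines while only three are shown, so this will not apply as posted. Placing `ifsfree();` after the `if (discard) return -1;` check and before `raise_error_syntax("bad substitution")` is correct, as the early `return -1` path does not unwind through the error handler and so needs no cleanup. Since both hunks patch individual error sites, it would be worth stating in the commit message whether any other path that raises out of argument expansion (anything else that ends in `raise_error_syntax` or `ash_msg_and_raise_error` between expandarg and ifsbreakup) can leave ifsfirst/ifslastp populated; if so, clearing the region list once where the exception is caught may be the more robust fix than adding `ifsfree()` call by call.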
================================
