[Bug 14781] A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function

bugzilla at busybox.net
Tue Jun 7 19:14:25 UTC 2022


https://bugs.busybox.net/show_bug.cgi?id=14781

--- Comment #5 from Natanael Copa <ncopa at alpinelinux.org> ---
This change makes it segfault early:

$ git diff
diff --git a/editors/awk.c b/editors/awk.c
index 079d0bde5..840f2595f 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -55,7 +55,7 @@
 /* If you comment out one of these below, it will be #defined later
  * to perform debug printfs to stderr: */
 #define debug_printf_walker(...)  do {} while (0)
-#define debug_printf_eval(...)  do {} while (0)
+//#define debug_printf_eval(...)  do {} while (0)
 #define debug_printf_parse(...)  do {} while (0)

 #ifndef debug_printf_walker
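Review bot: commenting out the `debug_printf_eval` stub here switches on the stderr tracing that the `#ifndef` block below this hunk defines, which is what produces the `entered evaluate()` / `opinfo:` lines further down; keep this hunk in the local debugging build only and drop it from anything proposed for merge, since it changes stderr output for every awk invocation.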
@@ -2922,7 +2922,7 @@ static var *evaluate(node *op, var *res)
                if (opinfo & OF_RES2) {
                        R.v = evaluate(op->r.n, TMPVAR1);
                        //TODO: L.v may be invalid now, set L.v to NULL to
catch bugs?
-                       //L.v = NULL;
+                       L.v = NULL;
                        if (opinfo & OF_STR2) {
                                R.s = getvar_s(R.v);
                                debug_printf_eval("R.s:'%s'\n", R.s);
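Review bot: enabling `L.v = NULL;` right after `R.v = evaluate(op->r.n, TMPVAR1);` is a probe, not a fix: it turns a stale `L.v` into a deterministic NULL dereference (the `MOVE` segfault in the trace below) but also crashes every opcode that legitimately still needs `L.v` after its right operand has been evaluated. The fix proper has to re-derive `L.v` (or evaluate the left operand) after `op->r.n` has run, because that evaluation can reallocate the field table that `L.v` points into, as the `fsrealloc` lines in the trace show. If this hunk is kept, replace the `//TODO:` comment above the line instead of leaving it describing a change that is now in effect.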
$ echo "foo" | ./busybox_unstripped awk '$1$1=0'
fsrealloc: xrealloc(0, 512)
fsrealloc: Fields=0x7f6dbda05030..0x7f6dbda0522f
getvar_i: 0.000000
getvar_i: 1.000000
entered awk_getline()
returning from awk_getline(): 1
getvar_i: 0.000000
getvar_i: 0.000000
entered evaluate()
opinfo:00000300 opn:00000000
switch(0x3)
NEWSOURCE
opinfo:00000d00 opn:00000000
switch(0xd)
TEST
entered evaluate()
opinfo:4a031f00 opn:00000000
entered evaluate()
opinfo:230f1500 opn:00000000
entered evaluate()
opinfo:05021700 opn:00000000
entered evaluate()
opinfo:00002700 opn:00000000
switch(0x27)
VAR
returning from evaluate(): 0x7f6dbda03410
switch(0x17)
FIELD
getvar_i: 1.000000
returning from evaluate(): 0x7f6dbda05030
L.s:'foo'
entered evaluate()
opinfo:05021700 opn:00000000
entered evaluate()
opinfo:00002700 opn:00000000
switch(0x27)
VAR
returning from evaluate(): 0x7f6dbda034d0
switch(0x17)
FIELD
getvar_i: 1.000000
returning from evaluate(): 0x7f6dbda05030
R.s:'foo'
switch(0x15)
CONCAT /
COMMA
returning from evaluate(): 0x7f6dbda04bb0
entered evaluate()
opinfo:00002700 opn:00000000
switch(0x27)
VAR
returning from evaluate(): 0x7f6dbda03560
switch(0x1f)
MOVE
Segmentation fault

-- 
You are receiving this mail because:
You are on the CC list for the bug.
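The trace above shows the field table being (re)allocated (`fsrealloc`), `FIELD` nodes returning pointers into it, and the crash arriving at `MOVE` once `L.v` has been poisoned. The following is an added model of that hazard, written for this page and not busybox code: a toy field table that always moves when it grows, a left operand that is evaluated to a pointer into the table, and a right operand whose evaluation grows the table. The names (`fields_grow`, `field_ref`, `assign_unsafe`, `assign_safe`, `fields_reset`) are invented for the illustration; the retired table is quarantined rather than freed so the demonstration itself never reads or writes freed memory.

```c
/* Added example, not busybox code: a toy model of the "L.v may be invalid
 * after evaluating the right operand" hazard. All names here are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { double number; } var;

static var *Fields;        /* live field table, standing in for awk's $1..$NF */
static size_t nfields;
static var *old_fields;    /* last retired table; kept alive so stale writes are observable */

/* Stand-in for fsrealloc(): grow the table to hold n fields. It ALWAYS moves
 * the table (allocate, copy, retire) so the stale-pointer outcome is
 * deterministic. The retired block is quarantined instead of freed so that
 * the example never touches freed memory (a real realloc would free it). */
static void fields_grow(size_t n)
{
    if (n <= nfields)
        return;
    var *nf = calloc(n, sizeof *nf);
    if (!nf)
        abort();
    if (Fields)
        memcpy(nf, Fields, nfields * sizeof *nf);
    free(old_fields);          /* release the block retired one move earlier */
    old_fields = Fields;       /* quarantine the block we are moving away from */
    Fields = nf;
    nfields = n;
}

/* Evaluate "$i": make sure the table can hold field i and return a pointer
 * INTO the table. That pointer is valid only until the next fields_grow(). */
static var *field_ref(size_t i)
{
    fields_grow(i + 1);
    return &Fields[i];
}

/* Shape of the bug: take a pointer for the left operand, evaluate the right
 * operand (which may move the table), then store through the old pointer.
 * Returns what the live table holds afterwards for field li. */
double assign_unsafe(size_t li, size_t ri, double value)
{
    var *L = field_ref(li);     /* L.v: pointer into the current table */
    var *R = field_ref(ri);     /* R.v = evaluate(op->r.n): may move Fields */
    R->number = value;
    L->number = R->number;      /* lands in the retired table if Fields moved */
    return Fields[li].number;
}

/* Fixed shape: discard the pre-move pointer (the NULL is the poison the
 * patch enables, so any leftover use faults instead of silently corrupting)
 * and re-derive the left operand by index once the right side has run. */
double assign_safe(size_t li, size_t ri, double value)
{
    var *L = field_ref(li);
    var *R = field_ref(ri);
    L = NULL;                   /* poison: stale use would now crash loudly */
    R->number = value;
    L = field_ref(li);          /* re-derive from the live table */
    L->number = R->number;
    return Fields[li].number;
}

/* Start each scenario from an empty record. */
void fields_reset(void)
{
    free(Fields);
    free(old_fields);
    Fields = old_fields = NULL;
    nfields = 0;
}

int main(void)
{
    fields_reset();
    printf("unsafe $1 = $6 = 42 -> live $1 is %g\n", assign_unsafe(0, 5, 42.0));
    fields_reset();
    printf("safe   $1 = $6 = 42 -> live $1 is %g\n", assign_safe(0, 5, 42.0));
    fields_reset();
    return 0;
}
```

In the unsafe path the assignment to `$1` is lost because the referenced `$6` forced the table to move between taking `L` and storing through it; with a real `realloc` that store would hit freed memory. The safe path re-derives the destination after the right operand, which is the shape the enabled `L.v = NULL` probe is pointing the eventual fix towards.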

