[Bug 15868] New: [busybox 1.36.1] use-after-free in awk
bugzilla at busybox.net
bugzilla at busybox.net
Thu Nov 23 04:29:04 UTC 2023
https://bugs.busybox.net/show_bug.cgi?id=15868
Bug ID: 15868
Summary: [busybox 1.36.1] use-after-free in awk
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: zclin21 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9664
--> https://bugs.busybox.net/attachment.cgi?id=9664&action=edit
P
Hi, busybox developers,
We found a use-after-free vulnerability in awk applet of busybox v1.36.1. The
affected component is awk.c:3009, in evaluate function. Following is the
reproduction process, and we put the poc file in the attachment.
[1.] Environment
Ubuntu 18.04, 64 bit
BusyBox 1.36.1
Clang 6.0.0
[2.] Compilation
2.1 Modify the Makefile:
HOSTCC=clang -fsanitize=address
HOSTCXX=clang++ -fsanitize=address
CC=clang
CFLAGS=-fsanitize=address
CPPFLAGS=-fsanitize=address
LDFLAGS="-Wl,--allow-multiple-definition"
2.2 Modify the Config.in file, switch the following configs to y:
DEBUG: y
DEBUG_PESSIMIZE: y
FEATURE_CLEAN_UP: y
DEBUG_SANITIZE: y
2.3 Commands for compilation:
export ASAN_OPTIONS=detect_leaks=0
make defconfig
make install
[3.] Reproduction
export ASAN_OPTIONS="abort_on_error=1 symbolize=0"
./busybox_unstripped awk -f $poc ./awk_t1_input
[ASAN report]:
==13571==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000118520
at pc 0x000000e4a94f bp 0x7ffd6848ae30 sp 0x7ffd6848ae28
READ of size 4 at 0x606000118520 thread T0
#0 0xe4a94e
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a94e)
#1 0xe54597
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597)
#2 0xe409ce
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe409ce)
#3 0x50ac81
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
#4 0x50dbaf
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf)
#5 0x51036d
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d)
#6 0x50db58
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58)
#7 0x50c3fd
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd)
#8 0x7f592e27cc86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#9 0x41e459
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459)
0x606000118520 is located 0 bytes inside of 64-byte region
[0x606000118520,0x606000118560)
freed by thread T0 here:
#0 0x4dc500
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc500)
#1 0xe7f4ca
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe7f4ca)
#2 0xe4a878
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a878)
#3 0xe54597
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597)
#4 0x50ac81
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
previously allocated by thread T0 here:
#0 0x4dc6d0
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc6d0)
#1 0x519df2
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x519df2)
#2 0xe4a878
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a878)
#3 0xe54597
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597)
#4 0x50ac81
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
SUMMARY: AddressSanitizer: heap-use-after-free
(/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a94e)
[line number]:
addr2line -e ./busybox_unstripped 0xe4a94e
.../busybox-1_36_1/editors/awk.c:3009
Best wishes,
Zclin
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list