[Bug 16156] New: Global Buffer Overflow at ash

bugzilla at busybox.net bugzilla at busybox.net
Sun Aug 11 08:00:35 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16156

            Bug ID: 16156
           Summary: Global Buffer Overflow at ash
           Product: Busybox
           Version: 1.36.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Standard Compliance
          Assignee: unassigned at busybox.net
          Reporter: stasos24 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 9793
  --> https://bugs.busybox.net/attachment.cgi?id=9793&action=edit
Config.in with sanitizer flags

PoC: 
- build busybox with sanitizer flags
- use provided commands below

./ash
=================================================================
==1371894==ERROR: AddressSanitizer: global-buffer-overflow on address
0x557c50d2fc65 at pc 0x557c50bbca20 bp 0x7ffecf336120 sp 0x7ffecf336118
READ of size 1 at 0x557c50d2fc65 thread T0
    #0 0x557c50bbca1f in padvance_magic shell/ash.c:2652

0x557c50d2fc65 is located 0 bytes to the right of global variable '*.LC321'
defined in 'shell/ash.c' (0x557c50d2fc60) of size 5
  '*.LC321' is ascii string 'MAIL'
0x557c50d2fc65 is located 59 bytes to the left of global variable '*.LC322'
defined in 'shell/ash.c' (0x557c50d2fca0) of size 9
  '*.LC322' is ascii string 'MAILPATH'
SUMMARY: AddressSanitizer: global-buffer-overflow shell/ash.c:2652 in
padvance_magic
Shadow bytes around the buggy address:
  0x0ab00a19df30: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0ab00a19df40: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0ab00a19df50: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0ab00a19df60: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0ab00a19df70: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
=>0x0ab00a19df80: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9[05]f9 f9 f9
  0x0ab00a19df90: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0ab00a19dfa0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0ab00a19dfb0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 05 f9 f9
  0x0ab00a19dfc0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0ab00a19dfd0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1371894==ABORTING
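As an added triage aid, not part of the bug report above and not BusyBox code, the following Python parses the AddressSanitizer output from this report into the fields a maintainer needs first: the error class, the access kind and size, the faulting frame, and which global the access ran off the end of. The sample input is the report as it appears in the mail (line wrapping included, shadow-byte dump omitted); the `GlobalRef`/`AsanTriage` names and the `past_terminator` heuristic are this example's own, not anything ASan or ash defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the AddressSanitizer report from the bug above, as it
# appears in the mail (wrapped lines included); the shadow-byte dump is omitted
# because the parser does not use it.
ASAN_REPORT = """\
==1371894==ERROR: AddressSanitizer: global-buffer-overflow on address
0x557c50d2fc65 at pc 0x557c50bbca20 bp 0x7ffecf336120 sp 0x7ffecf336118
READ of size 1 at 0x557c50d2fc65 thread T0
    #0 0x557c50bbca1f in padvance_magic shell/ash.c:2652

0x557c50d2fc65 is located 0 bytes to the right of global variable '*.LC321'
defined in 'shell/ash.c' (0x557c50d2fc60) of size 5
  '*.LC321' is ascii string 'MAIL'
0x557c50d2fc65 is located 59 bytes to the left of global variable '*.LC322'
defined in 'shell/ash.c' (0x557c50d2fca0) of size 9
  '*.LC322' is ascii string 'MAILPATH'
SUMMARY: AddressSanitizer: global-buffer-overflow shell/ash.c:2652 in
padvance_magic
"""


@dataclass
class GlobalRef:
    name: str              # symbol ASan names, e.g. '*.LC321' for a string literal
    file: str
    size: int              # object size in bytes (for a literal: strlen + 1)
    distance: int          # bytes between the bad address and the object edge
    side: str              # bad address is to the 'right' or 'left' of the object
    string: Optional[str]  # ascii contents when ASan prints them


@dataclass
class AsanTriage:
    kind: str
    address: int
    op: str
    size: int
    func: str
    file: str
    line: int
    globals: List[GlobalRef]
    victim: Optional[GlobalRef]   # the object the access ran off the end of
    past_terminator: bool         # access lands on the byte after a literal's NUL


def parse_asan_report(text: str) -> AsanTriage:
    """Extract the triage-relevant fields from an ASan error report."""
    # Mail clients re-wrap long lines, so match across arbitrary whitespace.
    flat = " ".join(text.split())

    m = re.search(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", flat)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    kind, address = m.group(1), int(m.group(2), 16)

    m = re.search(r"\b(READ|WRITE) of size (\d+)", flat)
    if not m:
        raise ValueError("no access line")
    op, size = m.group(1), int(m.group(2))

    m = re.search(r"#0 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", flat)
    if not m:
        raise ValueError("no top stack frame")
    func, file, line = m.group(1), m.group(2), int(m.group(3))

    ref_pat = re.compile(
        r"0x[0-9a-f]+ is located (\d+) bytes to the (right|left) of global "
        r"variable '([^']+)' defined in '([^']+)' \(0x[0-9a-f]+\) of size (\d+)"
        r"(?: '[^']+' is ascii string '([^']*)')?")
    refs = [GlobalRef(name=g.group(3), file=g.group(4), size=int(g.group(5)),
                      distance=int(g.group(1)), side=g.group(2), string=g.group(6))
            for g in ref_pat.finditer(flat)]

    # The overrun object is the one the bad address sits immediately right of.
    victim = next((r for r in refs if r.side == "right" and r.distance == 0), None)
    # Heuristic: a string literal of size strlen+1 touched 0 bytes past its end
    # means the code stepped over the NUL terminator.
    past_terminator = (victim is not None and victim.string is not None
                       and len(victim.string) + 1 == victim.size)
    return AsanTriage(kind, address, op, size, func, file, line, refs, victim, past_terminator)


def summarize(t: AsanTriage) -> str:
    """One-line triage summary suitable for a ticket title or dedup key."""
    where = f"{t.func} ({t.file}:{t.line})"
    if t.victim is None:
        return f"{t.kind}: {t.op} of {t.size} byte(s) in {where}"
    what = f"'{t.victim.name}'"
    if t.victim.string is not None:
        what += f' ("{t.victim.string}", {t.victim.size} bytes)'
    note = "; touches the byte after the NUL terminator" if t.past_terminator else ""
    return (f"{t.kind}: {t.op} of {t.size} byte(s) {t.victim.distance} bytes past "
            f"the end of {what} in {where}{note}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(ASAN_REPORT)))
```

For this report the parser identifies the 5-byte literal "MAIL" (four characters plus its NUL) as the object overrun, with a 1-byte read at 0 bytes past its end, i.e. the byte immediately after the terminator; the neighbouring "MAILPATH" literal 59 bytes further on is kept only as context. Whitespace normalisation is deliberate: reports pasted into bug trackers or mail are often re-wrapped mid-line, as the first line of this one is.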
