[Bug 16156] New: Global Buffer Overflow at ash
bugzilla at busybox.net
Sun Aug 11 08:00:35 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16156
Bug ID: 16156
Summary: Global Buffer Overflow at ash
Product: Busybox
Version: 1.36.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Standard Compliance
Assignee: unassigned at busybox.net
Reporter: stasos24 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9793
--> https://bugs.busybox.net/attachment.cgi?id=9793&action=edit
Config.in with sanitizer flags
PoC:
- build busybox with sanitizer flags
- use provided commands below
./ash
=================================================================
==1371894==ERROR: AddressSanitizer: global-buffer-overflow on address
0x557c50d2fc65 at pc 0x557c50bbca20 bp 0x7ffecf336120 sp 0x7ffecf336118
READ of size 1 at 0x557c50d2fc65 thread T0
#0 0x557c50bbca1f in padvance_magic shell/ash.c:2652
0x557c50d2fc65 is located 0 bytes to the right of global variable '*.LC321'
defined in 'shell/ash.c' (0x557c50d2fc60) of size 5
'*.LC321' is ascii string 'MAIL'
0x557c50d2fc65 is located 59 bytes to the left of global variable '*.LC322'
defined in 'shell/ash.c' (0x557c50d2fca0) of size 9
'*.LC322' is ascii string 'MAILPATH'
SUMMARY: AddressSanitizer: global-buffer-overflow shell/ash.c:2652 in
padvance_magic
Shadow bytes around the buggy address:
==1371894==ABORTING
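As an added triage helper, not part of this bug report or of busybox, the following parses the report above into the fields that matter for de-duplicating sanitizer findings and for reading this one: a 1-byte READ at index 5 of the 5-byte literal 'MAIL', i.e. the byte right after its NUL terminator. The embedded sample is the report above with its wrapped lines re-joined; the shadow dump is not needed.

```python
import re

# Constructed sample: the ASan report from this bug, wrapped lines re-joined.
REPORT = """\
==1371894==ERROR: AddressSanitizer: global-buffer-overflow on address 0x557c50d2fc65 at pc 0x557c50bbca20 bp 0x7ffecf336120 sp 0x7ffecf336118
READ of size 1 at 0x557c50d2fc65 thread T0
    #0 0x557c50bbca1f in padvance_magic shell/ash.c:2652
0x557c50d2fc65 is located 0 bytes to the right of global variable '*.LC321' defined in 'shell/ash.c' (0x557c50d2fc60) of size 5
  '*.LC321' is ascii string 'MAIL'
0x557c50d2fc65 is located 59 bytes to the left of global variable '*.LC322' defined in 'shell/ash.c' (0x557c50d2fca0) of size 9
  '*.LC322' is ascii string 'MAILPATH'
SUMMARY: AddressSanitizer: global-buffer-overflow shell/ash.c:2652 in padvance_magic
"""

ERR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)")
GLOBAL_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>right|left) of global variable "
                       r"'(?P<name>[^']+)' defined in '[^']+' \((?P<addr>0x[0-9a-f]+)\) of size (?P<size>\d+)")
STRING_RE = re.compile(r"'[^']+' is ascii string '(?P<value>[^']*)'")

def parse_asan_report(text):
    """Pull the triage-relevant fields out of an ASan buffer-overflow report."""
    rep = {"kind": None, "addr": None, "op": None, "size": None, "frames": [], "globals": []}
    for line in text.splitlines():
        if m := ERR_RE.search(line):
            rep["kind"], rep["addr"] = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep["op"], rep["size"] = m["op"], int(m["size"])
        elif m := FRAME_RE.match(line):
            rep["frames"].append((m["func"], m["file"], int(m["line"])))
        elif m := GLOBAL_RE.search(line):
            rep["globals"].append({"name": m["name"], "addr": int(m["addr"], 16), "size": int(m["size"]),
                                   "side": m["side"], "dist": int(m["dist"]), "value": None})
        elif m := STRING_RE.search(line):
            rep["globals"][-1]["value"] = m["value"]  # describes the global listed just before it
    return rep

def overrun_global(rep):
    """(value, index) of the global the fault lies to the right of; index == size is the byte past the NUL."""
    for g in rep["globals"]:
        if g["side"] == "right":
            return g["value"], rep["addr"] - g["addr"]
    return None

def crash_signature(rep):
    """Stable key for de-duplicating sanitizer findings across CI or fuzzing runs."""
    func, path, line = rep["frames"][0]
    return f"{rep['kind']}:{rep['op']}{rep['size']}:{func}@{path}:{line}"
```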