[Bug 16168] New: Null-pointer-dereference at awk.c in busybox1.36.1

bugzilla at busybox.net
Thu Aug 22 06:54:59 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16168

            Bug ID: 16168
           Summary: Null-pointer-dereference at awk.c in busybox1.36.1
           Product: Busybox
           Version: 1.36.x
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: adhoprsy at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 9802
  --> https://bugs.busybox.net/attachment.cgi?id=9802&action=edit
zip contains poc1 + poc2 + poc3

Hello, busybox developers.
I found some null-pointer-dereference vulnerabilities in awk.c of busybox version 1.36.1 with
fuzzing.
Following are the testing environment, reproduction steps and ASan report.
Thank you for your time.

[Environment]
Ubuntu 20.04
gcc 9.4.0

[Reproduction]
1. make menuconfig
    Settings -> Debugging Options ->
    include "Build with debug information"
    include "Disable compiler optimization"
    include "Enable runtime sanitizers"
2. quit
3. make

Run with
    ./busybox_unstripped awk -f ./poc1
    ./busybox_unstripped awk -f ./poc2 ...etc

[Asan Report]
[POC1]
$ ./busybox_unstripped awk -f ./poc1
editors/awk.c:2207:7: runtime error: member access within misaligned address
0xbebebebebebebebe for type 'struct walker_list', which requires 8 byte
alignment
0xbebebebebebebebe: note: pointer points here
<memory cannot be printed>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==868012==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x55691987a6ae bp 0x7ffc7a11b7a0 sp 0x7ffc7a11b650 T0)
==868012==The signal is caused by a READ memory access.
==868012==Hint: address points to the zero page.
    #0 0x55691987a6ad in hashwalk_next editors/awk.c:2207

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:2207 in hashwalk_next
==868012==ABORTING


[POC2]
$ ./busybox_unstripped awk -f ./poc2
editors/awk.c:731:29: runtime error: member access within null pointer of type
'struct xhash'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==870510==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc
0x55babd3698b0 bp 0x7ffec2a81830 sp 0x7ffec2a816a0 T0)
==870510==The signal is caused by a READ memory access.
==870510==Hint: address points to the zero page.
    #0 0x55babd3698af in hash_search3 editors/awk.c:731

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:731 in hash_search3
==870510==ABORTING


[POC3]
$ ./busybox_unstripped awk -f ./poc3
editors/awk.c:842:9: runtime error: load of null pointer of type 'char'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==872204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x55fb0045f44d bp 0x7fff77b3c430 sp 0x7fff77b3c2b0 T0)
==872204==The signal is caused by a READ memory access.
==872204==Hint: address points to the zero page.
    #0 0x55fb0045f44c in nextword editors/awk.c:842

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:842 in nextword
==872204==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
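
An added triage helper for the [Reproduction] steps above (example code written for this page, not part of the report or of busybox): it runs each PoC from attachment 9802 against the sanitizer build and reduces each ASan report to one file:line and function, so inputs that hit the same site can be grouped before they go to a maintainer. It assumes ./busybox_unstripped is the build from the steps above, the PoC files sit in the current directory, and coreutils `timeout` is available.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or busybox). Assumes:
#   - ./busybox_unstripped built with "Enable runtime sanitizers" as above
#   - poc1, poc2, poc3 from attachment 9802 in the current directory
#   - coreutils `timeout` is available

# Read a sanitizer report on stdin and print "<file:line> <function>" taken
# from the ASan SUMMARY line, e.g.
#   SUMMARY: AddressSanitizer: SEGV editors/awk.c:2207 in hashwalk_next
# becomes "editors/awk.c:2207 hashwalk_next". Prints nothing if no SUMMARY.
asan_crash_site() {
    sed -n 's/^SUMMARY: AddressSanitizer: [A-Za-z-]* \([^ ]*\) in \([^ ]*\).*/\1 \2/p' |
        head -n 1
}

# Run one PoC, keep the full sanitizer report in <poc>.asan.log, and print
# "<poc> <file:line> <function>" or "<poc> no-crash".
run_poc() {
    poc=$1
    log=$poc.asan.log
    # stdin from /dev/null so an awk script that reads input cannot hang;
    # the timeout bounds scripts that loop instead of crashing.
    timeout 10 ./busybox_unstripped awk -f "$poc" </dev/null >/dev/null 2>"$log" || true
    site=$(asan_crash_site <"$log")
    printf '%s %s\n' "$poc" "${site:-no-crash}"
}

# Triage every PoC named on the command line: per-PoC results go to
# triage.txt, and the distinct crash sites are printed once each so two
# inputs hitting the same file:line are recognised as one bug.
triage_pocs() {
    for poc in "$@"; do
        run_poc "$poc"
    done | tee triage.txt | awk 'NF == 3 { print $2, $3 }' | sort -u
}

if [ -x ./busybox_unstripped ] && [ $# -gt 0 ]; then
    triage_pocs "$@"
fi
```

Usage: `sh triage.sh poc1 poc2 poc3`; the three reports in this bug would yield three distinct sites (awk.c:2207, awk.c:731, awk.c:842).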