[Bug 16168] New: Null-pointer-dereference at awk.c in busybox1.36.1
bugzilla at busybox.net
Thu Aug 22 06:54:59 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16168
Bug ID: 16168
Summary: Null-pointer-dereference at awk.c in busybox1.36.1
Product: Busybox
Version: 1.36.x
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: adhoprsy at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9802
--> https://bugs.busybox.net/attachment.cgi?id=9802&action=edit
zip contains poc1 + poc2 + poc3
Hello, busybox developers.
I found some null-pointer-dereference vulnerabilities in awk.c of busybox
version 1.36.1 with fuzzing.
The following are the testing environment, reproduction steps and ASan report.
Thank you for your time.
[Environment]
ubuntu20.04
gcc 9.4.0
[Reproduction]
1. make menuconfig
   Settings -> Debugging Options ->
     include "Build with debug information"
     include "Disable compiler optimization"
     include "Enable runtime sanitizers"
2. quit
3. make
Run with
  ./busybox_unstripped awk -f ./poc1
  ./busybox_unstripped awk -f ./poc2 ...etc
[Asan Report]
[POC1]
$ ./busybox_unstripped awk -f ./poc1
editors/awk.c:2207:7: runtime error: member access within misaligned address
0xbebebebebebebebe for type 'struct walker_list', which requires 8 byte
alignment
0xbebebebebebebebe: note: pointer points here
<memory cannot be printed>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==868012==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x55691987a6ae bp 0x7ffc7a11b7a0 sp 0x7ffc7a11b650 T0)
==868012==The signal is caused by a READ memory access.
==868012==Hint: address points to the zero page.
#0 0x55691987a6ad in hashwalk_next editors/awk.c:2207
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:2207 in hashwalk_next
==868012==ABORTING
[POC2]
$ ./busybox_unstripped awk -f ./poc2
editors/awk.c:731:29: runtime error: member access within null pointer of type
'struct xhash'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==870510==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc
0x55babd3698b0 bp 0x7ffec2a81830 sp 0x7ffec2a816a0 T0)
==870510==The signal is caused by a READ memory access.
==870510==Hint: address points to the zero page.
#0 0x55babd3698af in hash_search3 editors/awk.c:731
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:731 in hash_search3
==870510==ABORTING
[POC3]
$ ./busybox_unstripped awk -f ./poc3
editors/awk.c:842:9: runtime error: load of null pointer of type 'char'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==872204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x55fb0045f44d bp 0x7fff77b3c430 sp 0x7fff77b3c2b0 T0)
==872204==The signal is caused by a READ memory access.
==872204==Hint: address points to the zero page.
#0 0x55fb0045f44c in nextword editors/awk.c:842
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV editors/awk.c:842 in nextword
==872204==ABORTING
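Added triage example (not part of the original report and not BusyBox code): a small parser that buckets the three sanitizer reports above by top frame and classifies the faulting pointer. The names `REPORTS` and `triage` and the category labels are assumptions made for this example; the classification relies on 0xbe being AddressSanitizer's default malloc fill byte, so a pointer made only of 0xbe bytes suggests it was read from uninitialized heap memory.

```python
import re

# Excerpts of the three reports in the message above, with mail line wraps joined.
REPORTS = {
    "poc1": """editors/awk.c:2207:7: runtime error: member access within misaligned address 0xbebebebebebebebe for type 'struct walker_list', which requires 8 byte alignment
==868012==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55691987a6ae bp 0x7ffc7a11b7a0 sp 0x7ffc7a11b650 T0)
==868012==The signal is caused by a READ memory access.
    #0 0x55691987a6ad in hashwalk_next editors/awk.c:2207""",
    "poc2": """editors/awk.c:731:29: runtime error: member access within null pointer of type 'struct xhash'
==870510==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x55babd3698b0 bp 0x7ffec2a81830 sp 0x7ffec2a816a0 T0)
==870510==The signal is caused by a READ memory access.
    #0 0x55babd3698af in hash_search3 editors/awk.c:731""",
    "poc3": """editors/awk.c:842:9: runtime error: load of null pointer of type 'char'
==872204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55fb0045f44d bp 0x7fff77b3c430 sp 0x7fff77b3c2b0 T0)
==872204==The signal is caused by a READ memory access.
    #0 0x55fb0045f44c in nextword editors/awk.c:842""",
}

SEGV = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-f]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME0 = re.compile(r"#0 0x[0-9a-f]+ in (\S+) (\S+:\d+)")
UBSAN_PTR = re.compile(r"address (0x[0-9a-f]+) for type")  # pointer value UBSan printed

def triage(report):
    """Summarise one ASan/UBSan report: dedup bucket, access type, pointer class."""
    func, loc = FRAME0.search(report).groups()
    fault = int(SEGV.search(report).group(1), 16)
    ptr = UBSAN_PTR.search(report)
    if ptr and re.fullmatch(r"0x(?:be){4,}", ptr.group(1)):
        # Pointer consists only of ASan's malloc fill byte: likely uninitialized heap.
        kind = "uninitialized-heap-pointer"
    elif fault == 0:
        kind = "null-deref"
    elif fault < 0x1000:
        kind = "null-plus-offset"  # field access through a NULL struct pointer
    else:
        kind = "wild-pointer"
    return {"bucket": f"{func}@{loc}", "kind": kind,
            "access": ACCESS.search(report).group(1), "fault_addr": fault}

if __name__ == "__main__":
    for name, text in REPORTS.items():
        print(name, triage(text))
```

The bucket string (top frame plus source location) gives one key per distinct crash site, which is useful when a fuzzing run produces many inputs that hit the same line.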