[Bug 16108] New: Use after free at setvareq function, ash.c file
bugzilla at busybox.net
Fri Jun 14 10:00:47 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16108
Bug ID: 16108
Summary: Use after free at setvareq function, ash.c file
Product: Busybox
Version: 1.37.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: marcin.w.nowakowski at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
A static analysis tool shows an issue in the ash.c file, rmaliases function.
The issue is Use after free (USE_AFTER_FREE).
The detailed information is provided below.
2412  static struct var *
2413  setvareq(char *s, int flags)
2414  {
2415      struct var *vp, **vpp;
2416
2417      vpp = hashvar(s);
2418      flags |= (VEXPORT & (((unsigned) (1 - aflag)) - 1));
2419      vpp = findvar(vpp, s);
      1. alias: Assigning: vp = *vpp. Now both point to the same storage.
2420      vp = *vpp;
      2. Condition vp, taking true branch.
2421      if (vp) {
      3. Condition (vp->flags & (2 /* 2 | 0 */)) == 2, taking false branch.
2422          if ((vp->flags & (VREADONLY|VDYNAMIC)) == VREADONLY) {
2423              const char *n;
2424
2425              if (flags & VNOSAVE)
2426                  free(s);
2427              n = vp->var_text;
2428              exitstatus = 1;
2429              ash_msg_and_raise_error("%.*s: is read only",
                      strchrnul(n, '=') - n, n);
2430          }
2431
      4. Condition flags & 0x80, taking false branch.
2432          if (flags & VNOSET)
2433              goto out;
2434
      5. Condition vp->var_func, taking true branch.
      6. Condition !(flags & 0x40), taking true branch.
2435          if (vp->var_func && !(flags & VNOFUNC))
2436              vp->var_func(var_end(s));
2437
      7. Condition !(vp->flags & (24 /* 8 | 0x10 */)), taking true branch.
2438          if (!(vp->flags & (VTEXTFIXED|VSTACK)))
2439              free((char*)vp->var_text);
2440
      8. Condition ((flags & (39 /* ((1 | 2) | 4) | 0x20 */)) | (vp->flags & 4)) == 0x20, taking true branch.
2441          if (((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) |
                  (vp->flags & VSTRFIXED)) == VUNSET) {
2442              *vpp = vp->next;
      9. freed_arg: free frees vp.
2443              free(vp);
2444   out_free:
      10. Condition (flags & (280 /* (8 | 0x10) | 0x100 */)) == 0x100, taking true branch.
2445              if ((flags & (VTEXTFIXED|VSTACK|VNOSAVE)) == VNOSAVE)
2446                  free(s);
      11. Jumping to label out.
2447              goto out;
2448          }
2449
2450          flags |= vp->flags & ~(VTEXTFIXED|VSTACK|VNOSAVE|VUNSET);
2451  #if ENABLE_ASH_RANDOM_SUPPORT || BASH_EPOCH_VARS
2452          if (flags & VUNSET)
2453              flags &= ~VDYNAMIC;
2454  #endif
2455      } else {
2456          /* variable s is not found */
2457          if (flags & VNOSET)
2458              goto out;
2459          if ((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) == VUNSET)
2460              goto out_free;
2461          vp = ckzalloc(sizeof(*vp));
2462          vp->next = *vpp;
2463          /*vp->func = NULL; - ckzalloc did it */
2464          *vpp = vp;
2465      }
2466      if (!(flags & (VTEXTFIXED|VSTACK|VNOSAVE)))
2467          s = ckstrdup(s);
2468      vp->var_text = s;
2469      vp->flags = flags;
2470
2471   out:
      CID 5896517: (#1 of 1): Use after free (USE_AFTER_FREE)
      12. use_after_free: Using freed pointer vp.
2472      return vp;
2473  }
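The trace above boils down to one shape: on the unset path the node is unlinked from its hash bucket, free(vp) runs, and the function then jumps to out and returns that same vp. The following is an added example written for this page, not BusyBox's ash.c: a minimal model of a variable bucket with the same unlink-free-return sequence, plus the obvious hardening of returning NULL once the node is gone. Only struct var, var_text, findvar and the value VUNSET == 0x20 are taken from the listing; the single bucket, xstrdup, setvareq_model, var_lookup, var_count and set_then_check are assumed names invented for the illustration.

```c
/* Added example, not BusyBox code: a minimal model of setvareq()'s unset path.
 * Only `struct var`, `var_text`, `findvar` and VUNSET == 0x20 come from the
 * Coverity listing; the single bucket, xstrdup(), setvareq_model(),
 * var_lookup(), var_count() and set_then_check() are assumed for this example. */
#include <stdlib.h>
#include <string.h>

#define VUNSET 0x20              /* 0x20 in the Coverity trace */

struct var {
    struct var *next;
    int flags;
    char *var_text;              /* "NAME=value" */
};

static struct var *bucket;       /* one bucket; ash hashes names into many */

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        abort();
    return memcpy(p, s, n);
}

/* Return the link that points at the node for the name in `s` ("NAME" or
 * "NAME=value"), or at the end of the list if there is none. */
static struct var **findvar(struct var **vpp, const char *s)
{
    size_t n = strcspn(s, "=");
    for (; *vpp; vpp = &(*vpp)->next)
        if (strncmp((*vpp)->var_text, s, n) == 0 && (*vpp)->var_text[n] == '=')
            break;
    return vpp;
}

/* Assignment/unset core. With fixed == 0 the unset branch does what the listing
 * does: unlink, free(vp), then hand vp back to the caller (the use-after-free
 * Coverity reports). With fixed == 1 it returns NULL once the node is gone. */
static struct var *setvareq_model(const char *s, int flags, int fixed)
{
    struct var **vpp = findvar(&bucket, s);
    struct var *vp = *vpp;

    if (vp) {
        free(vp->var_text);                  /* old text is released either way */
        if (flags & VUNSET) {
            *vpp = vp->next;                 /* unlink from the bucket */
            free(vp);                        /* node freed here */
            return fixed ? NULL : vp;        /* bug path: vp is now dangling */
        }
    } else {
        if (flags & VUNSET)
            return NULL;                     /* unsetting an absent name: no-op */
        vp = calloc(1, sizeof(*vp));
        if (!vp)
            abort();
        vp->next = *vpp;
        *vpp = vp;
    }
    vp->var_text = xstrdup(s);
    vp->flags = flags;
    return vp;
}

/* Value of NAME, or NULL when it is not set. */
static const char *var_lookup(const char *name)
{
    struct var *vp = *findvar(&bucket, name);
    return vp ? strchr(vp->var_text, '=') + 1 : NULL;
}

static int var_count(void)
{
    int n = 0;
    for (struct var *vp = bucket; vp; vp = vp->next)
        n++;
    return n;
}

/* The caller pattern that turns the returned pointer into a real bug: act on
 * the node that came back. Against the fixed variant a NULL return stops the
 * dereference; against the buggy variant the same line would read freed
 * memory. Returns 1 if the variable is still present after the call. */
static int set_then_check(const char *s, int flags)
{
    struct var *vp = setvareq_model(s, flags, 1);
    return vp != NULL && !(vp->flags & VUNSET);
}
```

What the trace proves is only that setvareq() returns a pointer it has already freed; whether that becomes exploitable depends on what each caller does with the return value on the unset path, which the listing does not show. That call-site audit, and a check of whether any caller stores or dereferences the result, is the next thing to do before settling on a severity.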