[Bug 16108] New: Use after free at setvareq function, ash.c file

bugzilla at busybox.net bugzilla at busybox.net
Fri Jun 14 10:00:47 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16108

            Bug ID: 16108
           Summary: Use after free at setvareq function, ash.c file
           Product: Busybox
           Version: 1.37.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: marcin.w.nowakowski at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

A static analysis tool reports an issue in the ash.c file, rmaliases function.
The issue is a use after free (USE_AFTER_FREE).
The detailed information is provided below.

2412static struct var *
/* Bind the "NAME=value" string s to its variable entry, creating the entry
 * when none exists, and return that entry.
 * Ownership of s: with VNOSAVE the caller's buffer is taken over (stored
 * directly, or freed on the paths that discard it); without VTEXTFIXED,
 * VSTACK or VNOSAVE it is copied with ckstrdup before being stored.
 * NOTE(review): the report text above names rmaliases, but the listing
 * quoted here is setvareq. */
2413setvareq(char *s, int flags)
2414{
2415        struct var *vp, **vpp;
2416
2417        vpp = hashvar(s);
                /* Branch-free "flags |= VEXPORT when aflag is set": with
                 * aflag == 1 the unsigned subtraction wraps to all-ones, with
                 * aflag == 0 it yields 0. Relies on aflag being exactly 0 or 1
                 * (presumably the allexport option; confirm). */
2418        flags |= (VEXPORT & (((unsigned) (1 - aflag)) - 1));
2419        vpp = findvar(vpp, s);
1. alias: Assigning: vp = *vpp. Now both point to the same storage.
2420        vp = *vpp;
2. Condition vp, taking true branch.
2421        if (vp) {
3. Condition (vp->flags & (2 /* 2 | 0 */)) == 2, taking false branch.
2422                if ((vp->flags & (VREADONLY|VDYNAMIC)) == VREADONLY) {
2423                        const char *n;
2424
                                /* s is consumed here because the error raised
                                 * below does not return to this function. */
2425                        if (flags & VNOSAVE)
2426                                free(s);
2427                        n = vp->var_text;
2428                        exitstatus = 1;
2429                        ash_msg_and_raise_error("%.*s: is read only",
strchrnul(n, '=') - n, n);
2430                }
2431
4. Condition flags & 0x80, taking false branch.
                        /* NOTE(review): with VNOSAVE|VNOSET together s is
                         * neither stored nor freed on this path — confirm no
                         * caller combines those flags. */
2432                if (flags & VNOSET)
2433                        goto out;
2434
5. Condition vp->var_func, taking true branch.
6. Condition !(flags & 0x40), taking true branch.
2435                if (vp->var_func && !(flags & VNOFUNC))
2436                        vp->var_func(var_end(s));
2437
7. Condition !(vp->flags & (24 /* 8 | 0x10 */)), taking true branch.
                        /* The previous text is owned by the entry unless it is
                         * static (VTEXTFIXED) or stack-allocated (VSTACK). */
2438                if (!(vp->flags & (VTEXTFIXED|VSTACK)))
2439                        free((char*)vp->var_text);
2440
8. Condition ((flags & (39 /* ((1 | 2) | 4) | 0x20 */)) | (vp->flags & 4)) ==
0x20, taking true branch.
                        /* Plain unset of an existing, non-fixed variable:
                         * unlink the entry and release it. */
2441                if (((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) |
(vp->flags & VSTRFIXED)) == VUNSET) {
2442                        *vpp = vp->next;
9. freed_arg: free frees vp.
2443                        free(vp);
                                /* vp is dangling from here on, yet it is still
                                 * the value returned at "out:" below. The
                                 * not-found path enters out_free with vp == NULL,
                                 * so callers get NULL for one unset case and a
                                 * freed pointer for the other.
                                 * NOTE(review): clearing vp (vp = NULL;) right
                                 * after free(vp) would make both paths return
                                 * NULL; whether any caller dereferences the
                                 * result on this path is not visible here. */
2444 out_free:
10. Condition (flags & (280 /* (8 | 0x10) | 0x100 */)) == 0x100, taking true
branch.
2445                        if ((flags & (VTEXTFIXED|VSTACK|VNOSAVE)) ==
VNOSAVE)
2446                                free(s);
11. Jumping to label out.
2447                        goto out;
2448                }
2449
                        /* Carry over the entry's sticky flags; the storage and
                         * unset bits are recomputed for the new text. */
2450                flags |= vp->flags & ~(VTEXTFIXED|VSTACK|VNOSAVE|VUNSET);
2451#if ENABLE_ASH_RANDOM_SUPPORT || BASH_EPOCH_VARS
2452                if (flags & VUNSET)
2453                        flags &= ~VDYNAMIC;
2454#endif
2455        } else {
2456                /* variable s is not found */
2457                if (flags & VNOSET)
2458                        goto out;
                        /* Unsetting a variable that does not exist: nothing to
                         * create; out_free only releases s when VNOSAVE. */
2459                if ((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) ==
VUNSET)
2460                        goto out_free;
2461                vp = ckzalloc(sizeof(*vp));
2462                vp->next = *vpp;
2463                /*vp->func = NULL; - ckzalloc did it */
2464                *vpp = vp;
2465        }
        /* Without VTEXTFIXED, VSTACK or VNOSAVE the entry must own a private
         * copy; with VNOSAVE the caller's heap buffer is stored as-is. */
2466        if (!(flags & (VTEXTFIXED|VSTACK|VNOSAVE)))
2467                s = ckstrdup(s);
2468        vp->var_text = s;
2469        vp->flags = flags;
2470
2471 out:
CID 5896517: (#1 of 1): Use after free (USE_AFTER_FREE)
12. use_after_free: Using freed pointer vp.
        /* On the VUNSET-and-found path vp was freed before the goto above;
         * returning it is the use the analyzer flags. */
2472        return vp;
2473}
