[PATCH] awk: fix use after free (CVE-2022-30065)

Natanael Copa ncopa at alpinelinux.org
Tue Jun 7 19:56:27 UTC 2022


fixes https://bugs.busybox.net/show_bug.cgi?id=14781
---
 editors/awk.c       | 6 ++++--
 testsuite/awk.tests | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/editors/awk.c b/editors/awk.c
index 079d0bde5..be38289e4 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2921,8 +2921,8 @@ static var *evaluate(node *op, var *res)
 		 */
 		if (opinfo & OF_RES2) {
 			R.v = evaluate(op->r.n, TMPVAR1);
-			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
-			//L.v = NULL;
+			// L.v may be invalid now, set L.v to NULL to catch bugs
+			L.v = NULL;
 			if (opinfo & OF_STR2) {
 				R.s = getvar_s(R.v);
 				debug_printf_eval("R.s:'%s'\n", R.s);
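Review bot: `L.v = NULL;` runs for every operator that has OF_RES2 set, not only when evaluating the right operand actually invalidated the left one, so every switch case that reads L.v after this point now sees NULL. This patch adds a check to OC_MOVE only; the other cases of evaluate() lie outside the hunk and need auditing, because an unchecked one would trade the use-after-free for a NULL dereference. The comment should state the contract rather than the debugging intent, for example `/* L.v is dead from here on: evaluating R may have freed what it pointed to */`.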
@@ -3128,6 +3128,8 @@ static var *evaluate(node *op, var *res)
 
 		case XC( OC_MOVE ):
 			debug_printf_eval("MOVE\n");
+			if (L.v == NULL)
+				syntax_error(EMSG_POSSIBLE_ERROR);
 			/* if source is a temporary string, jusk relink it to dest */
 			if (R.v == TMPVAR1
 			 && !(R.v->type & VF_NUMBER)
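Review bot: The new `if (L.v == NULL)` check looks like it fires for every assignment, not only for the corrupted case. Within these hunks R.v is assigned only inside the OF_RES2 branch, which now always clears L.v, and OC_MOVE reads R.v, so MOVE presumably always arrives here with L.v == NULL. This should be confirmed against the opinfo table, which is not shown. If it holds, the destination has to be kept valid or re-resolved after the right-hand evaluation rather than discarded. Separately, `EMSG_POSSIBLE_ERROR` reports a syntax error for what is a memory-safety guard, which will mislead anyone debugging a valid script; the case body continues past the end of the hunk.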
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index 93e25d8c1..79e80176c 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -479,4 +479,10 @@ testing 'awk backslash+newline eaten with no trace' \
 	"Hello world\n" \
 	'' ''
 
+testing 'awk use-after-free (CVE-2022-30065)' \
+	"awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \
+	"" \
+	"awk: cmd. line:1: Possible syntax error" \
+	'foo'
+
 exit $FAILCOUNT
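Review bot: The expected error message appears to sit in the wrong argument slot, so this test only asserts that stdout is empty. Going by the preceding test, the third argument is the expected output and the fourth and fifth are the input file and stdin, and the command does not capture stderr. To pin the diagnostic, append `2>&1` to the command, pass `"awk: cmd. line:1: Possible syntax error\n"` as the third argument and `''` as the fourth. A second case that runs an ordinary field assignment and checks its output would guard against the fix rejecting valid programs.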
-- 
2.36.1


