[PATCH] awk: fix use after free (CVE-2022-30065)
Natanael Copa
ncopa at alpinelinux.org
Tue Jun 7 19:56:27 UTC 2022
fixes https://bugs.busybox.net/show_bug.cgi?id=14781
---
editors/awk.c | 6 ++++--
testsuite/awk.tests | 6 ++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/editors/awk.c b/editors/awk.c
index 079d0bde5..be38289e4 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -2921,8 +2921,8 @@ static var *evaluate(node *op, var *res)
*/
if (opinfo & OF_RES2) {
R.v = evaluate(op->r.n, TMPVAR1);
- //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
- //L.v = NULL;
+ // L.v may be invalid now, set L.v to NULL to catch bugs
+ L.v = NULL;
if (opinfo & OF_STR2) {
R.s = getvar_s(R.v);
debug_printf_eval("R.s:'%s'\n", R.s);
@@ -3128,6 +3128,8 @@ static var *evaluate(node *op, var *res)
case XC( OC_MOVE ):
debug_printf_eval("MOVE\n");
+ if (L.v == NULL)
+ syntax_error(EMSG_POSSIBLE_ERROR);
/* if source is a temporary string, jusk relink it to dest */
if (R.v == TMPVAR1
&& !(R.v->type & VF_NUMBER)
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index 93e25d8c1..79e80176c 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -479,4 +479,10 @@ testing 'awk backslash+newline eaten with no trace' \
"Hello world\n" \
'' ''
+testing 'awk use-after-free (CVE-2022-30065)' \
+ "awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \
+ "" \
+ "awk: cmd. line:1: Possible syntax error" \
+ 'foo'
+
exit $FAILCOUNT
--
2.36.1
More information about the busybox
mailing list