[PATCH] awk: fix use after free (CVE-2022-30065)
Natanael Copa
ncopa at alpinelinux.org
Tue Jun 14 06:48:11 UTC 2022
Hi!
Is there anything else I can do to help fix CVE-2022-30065? I have
created a testcase for the testsuite and proposed a fix, but I'm not
that familiar with awk code so I would appreciate some help with this
before pushing it to thousands (millions?) of users.
Thanks!
On Tue, 7 Jun 2022 21:56:27 +0200
Natanael Copa <ncopa at alpinelinux.org> wrote:
> fixes https://bugs.busybox.net/show_bug.cgi?id=14781
> ---
> editors/awk.c | 6 ++++--
> testsuite/awk.tests | 6 ++++++
> 2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/editors/awk.c b/editors/awk.c
> index 079d0bde5..be38289e4 100644
> --- a/editors/awk.c
> +++ b/editors/awk.c
> @@ -2921,8 +2921,8 @@ static var *evaluate(node *op, var *res)
> */
> if (opinfo & OF_RES2) {
> R.v = evaluate(op->r.n, TMPVAR1);
> - //TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
> - //L.v = NULL;
> + // L.v may be invalid now, set L.v to NULL to catch bugs
> + L.v = NULL;
> if (opinfo & OF_STR2) {
> R.s = getvar_s(R.v);
> debug_printf_eval("R.s:'%s'\n", R.s);
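Review bot: The unconditional L.v = NULL; in the OF_RES2 branch applies to every operator that takes this branch, but the patch only adds a NULL check to OC_MOVE. Any other case in evaluate() that reads L.v after the right operand has been evaluated would go from a possibly stale pointer to a certain NULL dereference, so those cases need auditing or their own guard. The new comment still says L.v "may be invalid", while the assignment discards it even when it is still valid; either state that in the comment or clear L.v only when evaluating the right side could actually have invalidated it.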
> @@ -3128,6 +3128,8 @@ static var *evaluate(node *op, var *res)
>
> case XC( OC_MOVE ):
> debug_printf_eval("MOVE\n");
> + if (L.v == NULL)
> + syntax_error(EMSG_POSSIBLE_ERROR);
> /* if source is a temporary string, jusk relink it to dest */
> if (R.v == TMPVAR1
> && !(R.v->type & VF_NUMBER)
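Review bot: In the OC_MOVE case, the new L.v == NULL check fires depending on whether the OF_RES2 branch ran, not on whether the destination variable was actually freed, because the first hunk sets L.v = NULL unconditionally there. Unless L.v is reassigned somewhere between that branch and this case, an ordinary assignment whose right side goes through OF_RES2 would reach syntax_error() as well; please confirm against the existing assignment tests. EMSG_POSSIBLE_ERROR also reports a syntax problem for what is an evaluation-time condition, so a short comment above the check explaining why NULL here means the destination was invalidated would help the next reader.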
> diff --git a/testsuite/awk.tests b/testsuite/awk.tests
> index 93e25d8c1..79e80176c 100755
> --- a/testsuite/awk.tests
> +++ b/testsuite/awk.tests
> @@ -479,4 +479,10 @@ testing 'awk backslash+newline eaten with no trace' \
> "Hello world\n" \
> '' ''
>
> +testing 'awk use-after-free (CVE-2022-30065)' \
> + "awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \
> + "" \
> + "awk: cmd. line:1: Possible syntax error" \
> + 'foo'
> +
> exit $FAILCOUNT
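Review bot: In the new testing call, the "awk: cmd. line:1: Possible syntax error" string is the fourth argument, and going by the preceding test (expected output "Hello world\n" followed by two empty input arguments) that slot is an input, not the expected result. As written the test asserts empty output and passes 'foo' on stdin, so the error message is never checked and the test would also pass if awk printed nothing for another reason. If the message is meant to be asserted, redirect stderr in the command (2>&1) and move the string, with a trailing \n, into the expected-output argument. A second test with a valid assignment would also show that the new NULL check in OC_MOVE does not reject legitimate scripts.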