[PATCH] awk: fix use after free (CVE-2022-30065)

Natanael Copa ncopa at alpinelinux.org
Tue Jun 14 06:48:11 UTC 2022


Hi!

Is there anything else I can do to help fix CVE-2022-30065? I have
created a testcase for the testsuite and proposed a fix, but I'm not
that familiar with awk code so I would appreciate some help with this
before pushing it to thousands (millions?) of users.

Thanks!

On Tue,  7 Jun 2022 21:56:27 +0200
Natanael Copa <ncopa at alpinelinux.org> wrote:

> fixes https://bugs.busybox.net/show_bug.cgi?id=14781
> ---
>  editors/awk.c       | 6 ++++--
>  testsuite/awk.tests | 6 ++++++
>  2 files changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/editors/awk.c b/editors/awk.c
> index 079d0bde5..be38289e4 100644
> --- a/editors/awk.c
> +++ b/editors/awk.c
> @@ -2921,8 +2921,8 @@ static var *evaluate(node *op, var *res)
>  		 */
>  		if (opinfo & OF_RES2) {
>  			R.v = evaluate(op->r.n, TMPVAR1);
> -			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
> -			//L.v = NULL;
> +			// L.v may be invalid now, set L.v to NULL to catch bugs
> +			L.v = NULL;
>  			if (opinfo & OF_STR2) {
>  				R.s = getvar_s(R.v);
>  				debug_printf_eval("R.s:'%s'\n", R.s);
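
Review bot: the new "L.v = NULL;" runs for every opcode that has OF_RES2
set, not only when evaluating the right operand actually invalidated L.v,
so every case further down in evaluate() that reads L.v after this point
now sees NULL. Only OC_MOVE gets a check in this patch; the other cases
that use L.v either need the same guard, or L.v should be re-derived after
the R.v evaluation instead of being discarded. The comment would also be
more useful if it said what makes L.v invalid here.
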
> @@ -3128,6 +3128,8 @@ static var *evaluate(node *op, var *res)
>  
>  		case XC( OC_MOVE ):
>  			debug_printf_eval("MOVE\n");
> +			if (L.v == NULL)
> +				syntax_error(EMSG_POSSIBLE_ERROR);
>  			/* if source is a temporary string, jusk relink it to dest */
>  			if (R.v == TMPVAR1
>  			 && !(R.v->type & VF_NUMBER)
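
Review bot: the "if (L.v == NULL)" check at the top of OC_MOVE will fire
whenever the OF_RES2 block ran for this node, because that block now sets
L.v to NULL unconditionally, and this case does use R.v. Please confirm
that a plain assignment still reaches the relink code with a valid L.v;
running the existing awk tests should show it either way. If the check
stays, EMSG_POSSIBLE_ERROR reports a syntax error for what is a runtime
condition, so a dedicated message would make the failure easier to
diagnose.
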
> diff --git a/testsuite/awk.tests b/testsuite/awk.tests
> index 93e25d8c1..79e80176c 100755
> --- a/testsuite/awk.tests
> +++ b/testsuite/awk.tests
> @@ -479,4 +479,10 @@ testing 'awk backslash+newline eaten with no trace' \
>  	"Hello world\n" \
>  	'' ''
>  
> +testing 'awk use-after-free (CVE-2022-30065)' \
> +	"awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \
> +	"" \
> +	"awk: cmd. line:1: Possible syntax error" \
> +	'foo'
> +
>  exit $FAILCOUNT
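
Review bot: in the new testing call the expected message "awk: cmd.
line:1: Possible syntax error" is the fourth argument, after an empty
third one, whereas the preceding test in the context lines has its
expected output ("Hello world\n") followed by two empty strings. As
written the test looks like it expects empty output and passes the message
as input, so it would not assert on the error at all. Move the message to
the expected-output position, make sure stderr is captured (for example
with 2>&1 in the command), and consider checking the exit status as well.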


