Bug 14776

Summary: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function (different from CVE-2021-42378)
Product: Busybox
Reporter: Taolaw <magicgoogol>
Component: Standard Compliance
Assignee: unassigned
Status: NEW ---
Severity: major
CC: busybox-cvs
Priority: P5
Version: 1.35.x
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:
Attachments: poc

Description Taolaw 2022-04-27 06:17:40 UTC
Created attachment 9296
poc

Discoverer: Taolaw@Vlab of Vecentek

command: ./busybox_unstripped awk -f crash1 1.txt

=================================================================
==732311==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000018e0 at pc 0x560da89371db bp 0x7ffdf8e698b0 sp 0x7ffdf8e698a0
READ of size 4 at 0x6060000018e0 thread T0
    #0 0x560da89371da in getvar_i editors/awk.c:1011

0x6060000018e0 is located 0 bytes inside of 64-byte region [0x6060000018e0,0x606000001920)
freed by thread T0 here:
    #0 0x7f5a00e9440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x560da8941305 in nvfree editors/awk.c:1840
    #2 0x560da8bdddff  (/home/test/fuzz/busybox-ASAN/busybox_unstripped+0x1044dff)

previously allocated by thread T0 here:
    #0 0x7f5a00e94808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x560da84344a5 in xmalloc libbb/xfuncs_printf.c:50
    #2 0x560da8bdddff  (/home/test/fuzz/busybox-ASAN/busybox_unstripped+0x1044dff)

SUMMARY: AddressSanitizer: heap-use-after-free editors/awk.c:1011 in getvar_i
Shadow bytes around the buggy address:
  0x0c0c7fff82c0: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 02 fa
  0x0c0c7fff82d0: fa fa fa fa 00 00 00 00 00 00 02 fa fa fa fa fa
  0x0c0c7fff82e0: 00 00 00 00 00 00 02 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff82f0: 00 00 00 03 fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0c7fff8300: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
=>0x0c0c7fff8310: 00 00 00 00 00 00 00 00 fa fa fa fa[fd]fd fd fd
  0x0c0c7fff8320: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8330: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8340: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff8350: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==732311==ABORTING