| Summary: | ash: Add ifsfree to varunset and varvalue function to fix a buffer over-read | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | algore3698 |
| Component: | Other | Assignee: | unassigned |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.35.x | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
Hello, Has any progress been made on this? Fixed in git |
Due to a logic error in the ifsbreakup function in ash.c when a heredoc and normal command is run one after the other by means of a semi-colon, when the second command drops into ifsbreakup the command will be evaluated with the ifslastp/ifsfirst struct that was set when the heredoc was evaluated. This results in a buffer over-read that can leak the program's heap, stack, and arena addresses which can be used to beat ASLR. Steps to Reproduce: First bug: cmd args: ~/exampleDir/example> busybox ash $ M='AAAAAAAAAAAAAAAAA' <note: 17 A's> $ q00(){ $ <<000;echo $ ${D?$M$M$M$M$M$M} <note: 6 $M's> $ 000 $ } $ q00 <note: After the q00 is typed in the leak should be echo'd out; this works with ash, busybox ash, and dash and all options.> Patch: Adding the following to ash.c will fix the bug. ================================ --- a/shell/ash.c +++ b/shell/ash.c @@ -7030,6 +7030,7 @@ msg = umsg; } } +ifsfree(); ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail); } @@ -7445,6 +7446,7 @@ if (discard) return -1; +ifsfree(); raise_error_syntax("bad substitution"); } ================================