Bug 15016

Created attachment 9366 [details]
poc

Busybox bc Calculator bc_error_at Function Uaf Vulnerability
busybox-master\busybox-1.33.1\miscutils\bc.c
In line 988, err_at is the global heap memory G.prs.lex_next_at.
When a value is assigned in the zxc_lex_next function, the UAF is caused after the incorrect branch is released.
miscutils/bc.c
981 static ERRORFUNC int bc_error_at(const char *msg)
 982 {
 983         const char *err_at = G.prs.lex_next_at;
 984         if (err_at) {
 985                 IF_ERROR_RETURN_POSSIBLE(return) bc_error_     fmt(
 986                         "%s at '%.*s'",
 987                         msg,
 988                         (int)(strchrnul(err_at, '\n') - er     r_at),
 989                         err_at
 990                 );
 991         }
 992         IF_ERROR_RETURN_POSSIBLE(return) bc_error_fmt("%s"     , msg);
 993 }
Freed Function is
libbb/xfuncs_printf.c
59 void* FAST_FUNC xrealloc(void *ptr, size_t size)
 60 {
 61         ptr = realloc(ptr, size);
 62         if (ptr == NULL && size != 0)
 63                 bb_die_memory_exhausted();
 64         return ptr;
 65 }
 66 #endif /* DMALLOC */

2 asan report
./busybox_unstripped bc out/default/crashes/id\:000000\,sig\:06\,src\:000554+000829\,time\:3480213\,execs\:390856\,op\:splice\,rep\:16 bc 1.33.1
bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
=================================================================
==556554==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000002e0 at pc 0x7f0419528d4d bp 0x7ffd18813e60 sp 0x7ffd18813608
READ of size 2 at 0x6030000002e0 thread T0
    #0 0x7f0419528d4c  (/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
    #1 0x564f7483d148 in bc_error_at miscutils/bc.c:988

0x6030000002e0 is located 0 bytes inside of 32-byte region [0x6030000002e0,0x603000000300)
freed by thread T0 here:
    #0 0x7f04195c2ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x564f747fd10c in xrealloc libbb/xfuncs_printf.c:61

previously allocated by thread T0 here:
    #0 0x7f04195c2bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x564f747fd074 in xmalloc libbb/xfuncs_printf.c:50

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x73d4c)
Shadow bytes around the buggy address:
  0x0c067fff8000: fa fa 00 00 07 fa fa fa 00 00 06 fa fa fa 00 00
  0x0c067fff8010: 07 fa fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa
  0x0c067fff8020: 00 00 00 01 fa fa 00 00 00 02 fa fa 00 00 00 01
  0x0c067fff8030: fa fa 00 00 07 fa fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff8040: 00 01 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa[fd]fd fd fd
  0x0c067fff8060: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==556554==ABORTING