Bug 15096

Summary: Busybox bc Calculator zbc_parse_stmt_possibly_auto Function Stack Overflow
Product: Busybox
Reporter: sohu0106 <sohu0106>
Component: Standard Compliance
Assignee: unassigned
Status: NEW
Severity: normal
CC: busybox-cvs
Priority: P5
Version: 1.33.x
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:
Attachments: poc

Description sohu0106 2022-11-01 02:15:06 UTC
Created attachment 9401 [details]
poc

1. Busybox bc Calculator zbc_parse_stmt_possibly_auto Function Stack Overflow
busybox-master\busybox-1.33.1\miscutils\bc.c
In line 4584, stack overflow by &G.prs

4579 #define zbc_parse_auto(...) (zbc_parse_auto(__VA_ARGS__) COMMA_SUCCESS)
4580
4581 #undef zbc_parse_stmt_possibly_auto
4582 static BC_STATUS zbc_parse_stmt_possibly_auto(bool auto_allowed)
4583 {
4584         BcParse *p = &G.prs;
4585         BcStatus s = BC_STATUS_SUCCESS;
4586
4587         dbg_lex_enter("%s:%d entered, p->lex:%d", __func__, __LINE__, p->lex);
4588
4589         if (p->lex == XC_LEX_NLINE) {
4590                 dbg_lex_done("%s:%d done (seen XC_LEX_NLINE)", __func__, __LINE__);
4591                 RETURN_STATUS(s);
4592         }

2. Affected versions: Busybox 1.33

3. ASan report

busybox-1.33.1/busybox_unstripped bc id\:000032\,sig\:11\,src\:000737\,time\:90108123\,execs\:9999153\,op\:havoc\,rep\:16
bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1564774==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0c9dffe8 (pc 0x55615737f984 bp 0x619000000580 sp 0x7ffe0c9dffe8 T0)
    #0 0x55615737f983 in zbc_parse_stmt_possibly_auto miscutils/bc.c:4584

SUMMARY: AddressSanitizer: stack-overflow miscutils/bc.c:4584 in zbc_parse_stmt_possibly_auto
==1564774==ABORTING
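Editor's note with an added example (not code from the bug report, the PoC attachment, or the BusyBox project): AddressSanitizer's "stack-overflow" category means the thread ran out of stack (a guard-page hit), which is a different bug class from "stack-buffer-overflow"; the frame it names is simply the one that touched the guard page, so a function's first line, as in bc.c:4584 above, is a typical place for it to land. The usual cause in a recursive-descent parser is recursion once per nesting level with no bound. The toy parser below uses a hypothetical simplified grammar (a statement is a single lower-case letter or a brace-delimited block of statements) and shows the unbounded shape beside the standard mitigation, an explicit nesting-depth cap. The names Parser, MAX_DEPTH, parse_stmt_unguarded, parse_stmt_guarded, make_nested and parse_program are all this example's own assumptions, and the nested-brace input is constructed here.

```c
/* Added example, not BusyBox code. Toy recursive-descent parser for
 * block statements, in an unguarded form (recursion bounded only by the
 * thread stack) and a guarded form (recursion capped at MAX_DEPTH).
 * Grammar (hypothetical): stmt := [a-z] | '{' stmt* '}' */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_ERR_SYNTAX = 1, PARSE_ERR_DEPTH = 2 };

#define MAX_DEPTH 256   /* assumed limit; size it to the stack budget you actually have */

typedef struct {
    const char *src;
    size_t pos;
    int depth;   /* current block nesting; only the guarded parser maintains it */
} Parser;

static void skip_ws(Parser *p) {
    while (p->src[p->pos] == ' ' || p->src[p->pos] == '\n') p->pos++;
}

/* Unguarded: every '{' recurses with no bound, so a deeply nested input
 * consumes one stack frame per level until the guard page is hit. */
static int parse_stmt_unguarded(Parser *p) {
    skip_ws(p);
    char c = p->src[p->pos];
    if (c == '{') {
        p->pos++;
        for (;;) {
            skip_ws(p);
            if (p->src[p->pos] == '}') { p->pos++; return PARSE_OK; }
            if (p->src[p->pos] == '\0') return PARSE_ERR_SYNTAX;
            int rc = parse_stmt_unguarded(p);
            if (rc != PARSE_OK) return rc;
        }
    }
    if (c >= 'a' && c <= 'z') { p->pos++; return PARSE_OK; }
    return PARSE_ERR_SYNTAX;
}

/* Guarded: same grammar, but nesting is counted and refused past MAX_DEPTH,
 * turning stack exhaustion into an ordinary parse error. */
static int parse_stmt_guarded(Parser *p) {
    skip_ws(p);
    char c = p->src[p->pos];
    if (c == '{') {
        if (p->depth >= MAX_DEPTH) return PARSE_ERR_DEPTH;
        p->depth++;
        p->pos++;
        int rc = PARSE_OK;
        for (;;) {
            skip_ws(p);
            if (p->src[p->pos] == '}') { p->pos++; break; }
            if (p->src[p->pos] == '\0') { rc = PARSE_ERR_SYNTAX; break; }
            rc = parse_stmt_guarded(p);
            if (rc != PARSE_OK) break;
        }
        p->depth--;   /* unwind the count on every exit path of this level */
        return rc;
    }
    if (c >= 'a' && c <= 'z') { p->pos++; return PARSE_OK; }
    return PARSE_ERR_SYNTAX;
}

/* Constructed input: n opening braces, one statement, n closing braces. */
static char *make_nested(size_t n) {
    char *s = malloc(2 * n + 2);
    if (!s) return NULL;
    memset(s, '{', n);
    s[n] = 'x';
    memset(s + n + 1, '}', n);
    s[2 * n + 1] = '\0';
    return s;
}

/* Parse a whole program with the chosen parser; returns a PARSE_* code. */
static int parse_program(const char *src, int guarded) {
    Parser p = { src, 0, 0 };
    int rc = guarded ? parse_stmt_guarded(&p) : parse_stmt_unguarded(&p);
    if (rc != PARSE_OK) return rc;
    skip_ws(&p);
    return p.src[p.pos] == '\0' ? PARSE_OK : PARSE_ERR_SYNTAX;
}

int main(void) {
    char *shallow = make_nested(10);
    char *deep = make_nested(MAX_DEPTH + 1);
    printf("shallow, unguarded: %d\n", parse_program(shallow, 0));
    printf("shallow, guarded:   %d\n", parse_program(shallow, 1));
    /* Only the guarded parser is run on deep input here: with a large enough
     * n (how large depends on frame size and the stack limit), the unguarded
     * one dies exactly the way the ASan report above shows. */
    printf("deep, guarded:      %d (2 = depth limit)\n", parse_program(deep, 1));
    free(shallow);
    free(deep);
    return 0;
}
```

The depth counter is decremented on every exit path of the block branch, so an error deep inside a block does not leave the count inflated for the next statement; when adding such a guard to a real parser, audit every early return in the recursive functions for the same reason.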