Bug 15216

Summary: There is a stack overflower in ash of busybox. Here is asan report.
Product: Busybox Reporter: focus <79167666>
Component: Standard ComplianceAssignee: unassigned
Status: RESOLVED FIXED    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: 1.35.x   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Host: Target:
Build:
Attachments: ./busybox_unstripped < poc
shell: avoid segfault on ${0::0/0~09J}. Closes 15216

Description focus 2022-12-28 08:54:16 UTC 
Created attachment 9441 [details]
./busybox_unstripped  < poc

Discoverer: focu5@Vlab of Vecentek

> ./busybox_unstripped  < poc
=================================================================
==1034263==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffcdd8 at pc 0x000001352be8 bp 0x7fffffffcc50 sp 0x7fffffffcc48
WRITE of size 8 at 0x7fffffffcdd8 thread T0
    #0 0x1352be7 in evaluate_string /home/focus/Desktop/work/target/busybox/shell/math.c:639:21
    #1 0x114b813 in ash_arith /home/focus/Desktop/work/target/busybox/shell/ash.c:6030:11
    #2 0x113c7b7 in substr_atoi /home/focus/Desktop/work/target/busybox/shell/ash.c:6042:14
    #3 0x113c7b7 in subevalvar /home/focus/Desktop/work/target/busybox/shell/ash.c:7160:10
    #4 0x112c76a in evalvar /home/focus/Desktop/work/target/busybox/shell/ash.c:7665:6
    #5 0x1125a33 in argstr /home/focus/Desktop/work/target/busybox/shell/ash.c:6892:8
    #6 0x11172e9 in expandarg /home/focus/Desktop/work/target/busybox/shell/ash.c:8089:2
    #7 0x118136f in fill_arglist /home/focus/Desktop/work/target/busybox/shell/ash.c:8810:3
    #8 0x10f7bf2 in evalcommand /home/focus/Desktop/work/target/busybox/shell/ash.c:10337:8
    #9 0x10e8af8 in evaltree /home/focus/Desktop/work/target/busybox/shell/ash.c:9364:12
    #10 0x10403d0 in evalstring /home/focus/Desktop/work/target/busybox/shell/ash.c:13435:7
    #11 0x102cb24 in ash_main /home/focus/Desktop/work/target/busybox/shell/ash.c:14688:3
    #12 0x56f31b in run_applet_no_and_exit /home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1004:23
    #13 0x57133c in run_applet_and_exit /home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1022:4
    #14 0x571009 in main /home/focus/Desktop/work/target/busybox/libbb/appletlib.c:1182:13
    #15 0x7ffff7c43082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x4200dd in _start (/home/focus/Desktop/work/target/busybox/busybox_unstripped+0x4200dd)

Address 0x7fffffffcdd8 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/focus/Desktop/work/target/busybox/shell/math.c:639:21 in evaluate_string
Shadow bytes around the buggy address:
  0x10007fff7960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7980: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
  0x10007fff7990: 02 cb cb cb cb cb cb cb ca ca ca ca 00 01 cb cb
  0x10007fff79a0: cb cb cb cb ca ca ca ca 00 00 00 00 00 00 00 00
=>0x10007fff79b0: 00 00 00 00 00 00 00 00 cb cb cb[cb]f1 f1 f1 f1
  0x10007fff79c0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff79d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff79e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff79f0: f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x10007fff7a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1034263==ABORTING
Comment 1 Ron Yorston 2022-12-29 13:50:48 UTC 
Created attachment 9446 [details]
shell: avoid segfault on ${0::0/0~09J}. Closes 15216
Comment 2 Radoslav Kolev 2023-08-29 07:55:02 UTC 
This has been fixed by a different approach in https://git.busybox.net/busybox/commit/?id=d417193cf
Comment 3 captainaye@protonmail.com 2023-08-30 07:43:57 UTC 
This issue started being reported as CRITICAL by security tools such as snyk https://security.snyk.io/vuln/SNYK-DEBIANUNSTABLE-BUSYBOX-5853744
For what I see the fix is not released in any version yet. 
What are the plans for releasing it?
Comment 4 John Ata 2024-03-06 21:02:25 UTC 
I am still getting a segault on busybox 1.36.1 running the expression "echo ${0::0/0~09J}" on busybox ash built on Linux (e.g. Centos 7) with the following configuration MATH variables turned off and the other MATH variables turned on:

CONFIG_FEATURE_SH_MATH_64 is not set
CONFIG_FEATURE_SH_MATH_BASE is not set

It seems that perhaps the fix is not comprehensively complete.  If these MATH variables are turned on along with the other MATH variables, there is no problem.

We seem to be claiming that CVE-2022-48174 does not exist in 1.36.1 (fixed in 1.35). But this does not seem to be necessarily true.
Comment 5 John Ata 2024-03-06 21:49:18 UTC 
It seems that 1.36.1 did not have the patch that fixes the problem even though the bug was marked as resolved fixed. I suspect that the various symbol definitions just moved things on the stack to sometimes cause problems with the incorrect allocation size. So I wonder why the CVE was marked as fixed in 1.35.