Bug 15865

Summary: [busybox 1.36.1] use-after-free in awk
Product: Busybox Reporter: zclin <zclin21>
Component: OtherAssignee: unassigned
Status: NEW ---    
Severity: normal CC: busybox-cvs, uwe
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: POC file
awk_t1_input file

Description zclin 2023-11-23 04:17:53 UTC 
Created attachment 9661 [details]
POC file

Hi, busybox developers,
We found a use-after-free vulnerability in awk applet of busybox v1.36.1. The affected component is xfuncs_printf.c:344 in xasprintf function. Following is the reproduction process, and we put the poc file in the attachment.
[1.] Environment
Ubuntu 18.04, 64 bit
BusyBox 1.36.1
Clang 6.0.0

[2.] Compilation
2.1 Modify the Makefile:
HOSTCC=clang -fsanitize=address
HOSTCXX=clang++ -fsanitize=address
CC=clang
CFLAGS=-fsanitize=address
CPPFLAGS=-fsanitize=address
LDFLAGS="-Wl,--allow-multiple-definition"
2.2 Modify the Config.in file, switch the following configs to y:
DEBUG: y
DEBUG_PESSIMIZE: y
FEATURE_CLEAN_UP: y
DEBUG_SANITIZE: y
2.3 Commands for compilation:
export ASAN_OPTIONS=detect_leaks=0
make defconfig
make install

[3.] Reproduction
export ASAN_OPTIONS="abort_on_error=1 symbolize=0"
./busybox_unstripped awk -f $poc ./awk_t1_input
[ASAN report]:
==14637==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000238d0 at pc 0x0000004486a7 bp 0x7ffe741090c0 sp 0x7ffe74108870
READ of size 2 at 0x6020000238d0 thread T0
    #0 0x4486a6  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4486a6)
    #1 0x493375  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x493375)
    #2 0x51ad9e  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51ad9e)
    #3 0xe52f5f  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe52f5f)
    #4 0xe4886f  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f)
    #5 0xe54597  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597)
    #6 0xe409ce  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe409ce)
    #7 0x50ac81  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
    #8 0x50dbaf  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf)
    #9 0x51036d  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d)
    #10 0x50db58  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58)
    #11 0x50c3fd  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd)
    #12 0x7f2f3c665c86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #13 0x41e459  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459)

0x6020000238d0 is located 0 bytes inside of 5-byte region [0x6020000238d0,0x6020000238d5)
freed by thread T0 here:
    #0 0x4dc500  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc500)
    #1 0xe5b37f  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe5b37f)
    #2 0xe83b9d  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe83b9d)
    #3 0xe522b1  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe522b1)
    #4 0xe48b79  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe48b79)
    #5 0xe4886f  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f)
    #6 0xe54597  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597)
    #7 0x50ac81  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)

previously allocated by thread T0 here:
    #0 0x4dc6d0  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc6d0)
    #1 0x7f2f3c6cc5bf  (/lib/x86_64-linux-gnu/libc.so.6+0x885bf)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4486a6) 

[line number]:

addr2line -e ./busybox_unstripped 0x51ad9e
.../busybox-1_36_1/libbb/xfuncs_printf.c:344

Best wishes,
Zclin
Comment 1 zclin 2023-11-23 04:35:41 UTC 
Created attachment 9667 [details]
awk_t1_input file
Comment 2 Valery Ushakov 2024-01-25 01:21:25 UTC 
The relevant part of input that triggers the problem seems to be lines 17 and 18.
Comment 3 Valery Ushakov 2024-01-31 01:44:49 UTC 
So, the bug is triggered by lines 17 and 18 in the input, b/c the END
rule is mangled by the fuzzer to have weird code where collected
languages are processed.  Line 128 of the mangled awk program is:

  macros[i] = "CL_" langs[i], gsub( "[^A-Za-z0-9_]", "X", macros[i] )

and all awks reject that use of comma as a syntax error, but busybox awk
accepts it.

As far as I can tell, this bug can be reproduced with something like:

  $ awk 'BEGIN { v = "abc", gsub("b", "X", v); print v }'
  aXc

(use asan/valgrind to taste).