Bug 15874

Summary: [busybox 1.36.1] heap-buffer-overflow in awk
Product: Busybox    Reporter: zclin <zclin21>
Component: Other    Assignee: unassigned
Status: NEW    Resolution: ---
Severity: normal    CC: busybox-cvs, uwe
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:    Target:
Build:
Attachments:
  POC file
  awk_t1_input file
  [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)

Description zclin 2023-11-23 04:52:41 UTC
Created attachment 9679 [details]
POC file

Hi, busybox developers,
We found a heap-buffer-overflow vulnerability in the awk applet of busybox v1.36.1. The affected component is awk.c:1159 in the next_token function. Following is the reproduction process, and we put the poc file in the attachment.
[1.] Environment
Ubuntu 18.04, 64 bit
BusyBox 1.36.1
Clang 6.0.0

[2.] Compilation
2.1 Modify the Makefile:
HOSTCC=clang -fsanitize=address
HOSTCXX=clang++ -fsanitize=address
CC=clang
CFLAGS=-fsanitize=address
CPPFLAGS=-fsanitize=address
LDFLAGS="-Wl,--allow-multiple-definition"
2.2 Modify the Config.in file, switch the following configs to y:
DEBUG: y
DEBUG_PESSIMIZE: y
FEATURE_CLEAN_UP: y
DEBUG_SANITIZE: y
2.3 Commands for compilation:
export ASAN_OPTIONS=detect_leaks=0
make defconfig
make install

[3.] Reproduction
export ASAN_OPTIONS="abort_on_error=1 symbolize=0"
./busybox_unstripped awk -f $poc ./awk_t1_input
[ASAN report]:

==10929==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000ba5 at pc 0x000000e6691b bp 0x7fff4af4e230 sp 0x7fff4af4e228
READ of size 1 at 0x61a000000ba5 thread T0
    #0 0xe6691a  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6691a)
    #1 0xe6d817  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6d817)
    #2 0xe7986d  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe7986d)
    #3 0xe75823  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe75823)
    #4 0xe6b167  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6b167)
    #5 0xe46ab3  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe46ab3)
    #6 0xe3d914  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe3d914)
    #7 0x50ac81  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
    #8 0x50dbaf  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf)
    #9 0x51036d  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d)
    #10 0x50db58  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58)
    #11 0x50c3fd  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd)
    #12 0x7f1318f69c86  (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #13 0x41e459  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459)

0x61a000000ba5 is located 0 bytes to the right of 1317-byte region [0x61a000000680,0x61a000000ba5)
allocated by thread T0 here:
    #0 0x4dcb50  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dcb50)
    #1 0x519e6c  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x519e6c)
    #2 0x1015741  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x1015741)
    #3 0x50ac81  (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6691a)
 

[line number]:

addr2line -e ./busybox_unstripped 0xe6691a
.../busybox-1_36_1/editors/awk.c:1159

Best wishes,
Zclin
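The ASAN report above records a one-byte READ at the address immediately after a 1317-byte heap region, with the faulting frame resolving to next_token, the awk lexer. That pattern suggests the lexer's cursor stepped past the end of the buffer holding the program text. The block below is an added illustration of that bug class and is not BusyBox's awk.c: a hypothetical string-literal scanner that hunts for the closing quote without ever checking for the NUL that terminates the input, beside a version that stops at end of input and reports the unterminated literal. The function names, the sample program text and the guard bytes placed after its NUL are constructed for the example so the over-read can be measured without the demo itself touching memory it does not own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical tokenizer fragment (not BusyBox code). It shows the bug
 * class behind a "READ of size 1 ... 0 bytes to the right of ... region"
 * report: a scanner that searches for the closing quote of a string
 * literal but never checks for the NUL that ends the program text, so an
 * unterminated literal at the end of the program drives the cursor past
 * the heap buffer.
 */

/* Vulnerable: returns a pointer just past the closing quote. On an
 * unterminated literal it walks over the terminating '\0' and keeps
 * reading whatever follows the buffer. */
static const char *scan_string_unsafe(const char *p)
{
    p++;                            /* skip the opening quote */
    while (*p != '"') {
        if (*p == '\\')
            p++;                    /* escaped byte: take it literally */
        p++;
    }
    return p + 1;                   /* past the closing quote */
}

/* Hardened: every byte is checked for the terminator before it is
 * consumed, including the byte after a backslash. Returns NULL when the
 * input ends inside the literal. */
static const char *scan_string_safe(const char *p)
{
    p++;                            /* skip the opening quote */
    for (;;) {
        if (*p == '\0')
            return NULL;            /* end of input inside the literal */
        if (*p == '"')
            return p + 1;
        if (*p == '\\') {
            p++;                    /* escape: next byte is literal... */
            if (*p == '\0')
                return NULL;        /* ...unless the input ends here */
        }
        p++;
    }
}

/* Constructed program text: an unterminated literal, the NUL that ends
 * the real input, then guard bytes containing a stray '"'. The guard
 * bytes stand in for whatever happens to follow the heap region; in the
 * real bug that memory is out of bounds, which is what ASAN flags. */
static const char sample[] = "print \"hello\0\"\0";

/* How far beyond the terminating NUL the unsafe scanner ends up.
 * 0 would mean it stopped at or before the end of input. */
static long unsafe_overread(void)
{
    const char *start = sample + 6;             /* the opening quote */
    const char *nul = start + strlen(start);    /* real end of input */
    const char *after = scan_string_unsafe(start);
    return (long)(after - nul);
}

/* 1 if the safe scanner refuses the same unterminated literal. */
static int safe_rejects_unterminated(void)
{
    return scan_string_safe(sample + 6) == NULL;
}

/* A well-formed literal with an escaped quote inside: the safe scanner
 * returns the cursor just after the closing quote (offset 6 here). */
static long safe_accepts_terminated(void)
{
    static const char ok[] = "\"a\\\"b\" + 1";
    const char *after = scan_string_safe(ok);
    return after ? (long)(after - ok) : -1;
}

int main(void)
{
    printf("unsafe scanner stopped %ld bytes past the NUL\n",
           unsafe_overread());
    printf("safe scanner rejects unterminated literal: %s\n",
           safe_rejects_unterminated() ? "yes" : "no");
    printf("safe scanner cursor after valid literal: %ld\n",
           safe_accepts_terminated());
    return 0;
}
```

Built with `-fsanitize=address` and fed a buffer that ends right after the unterminated literal, the unsafe scanner would produce the same shape of report as above: a one-byte read at the first byte beyond the region, since the NUL itself is the last in-bounds byte. The guard bytes in the sample exist only so the demo can show the overshoot (two bytes past the NUL) without tripping the sanitizer itself.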
Comment 1 zclin 2023-11-23 04:52:56 UTC
Created attachment 9682 [details]
awk_t1_input file
Comment 2 Valery Ushakov 2024-01-25 00:57:18 UTC
Created attachment 9697 [details]
[PATCH] awk.c: fix CVE-2023-42366 (bug #15874)