| Summary: | First, sending invalid pointer to 'struct tm' to strftime causes crash. Second, DoS because of stack exhaustion in glibc regcomp which occurs because of unverified pattern being sent. | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | Asmita <aasmita> |
| Component: | Other | Assignee: | unassigned |
| Status: | NEW --- | | |
| Severity: | normal | CC: | aasmita, busybox-cvs |
| Priority: | P5 | | |
| Version: | 1.36.x | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Host: | | Target: | |
| Build: | | | |
| Attachments: | contains crash patterns, and the screenshot of gdb output; crash_pattern_strftime; crash pattern regcomp | | |

Created attachment 9706: contains crash patterns, and the screenshot of gdb output

Created attachment 9709: crash_pattern_strftime

Created attachment 9712: crash pattern regcomp

This was identified while testing the awk applet of BusyBox v1.36.1.

1. There is no error handling when the 'awk' applet receives a command with a wrong pattern like 'BEGIN{strftime("", "3333333333333333333")}', where the 'struct tm' is NULL, the format specifier is not correct, and the overall argument passed to strftime is not correct. It leads to a segmentation fault.
2. The pattern being passed to regcomp() is not being verified. A pattern like '/1((((((..12208 times/1' in regcomp() causes denial of service (DoS) by stack exhaustion: it triggers deep recursion that causes stack exhaustion.

The crash pattern and corresponding segfault screenshot are attached.
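
The two missing checks described in this report, sketched as an added example (not BusyBox or glibc code). It assumes the NULL 'struct tm' comes from localtime() failing on an out-of-range timestamp; `format_time`, `re_paren_depth`, `checked_regcomp` and the `MAX_RE_DEPTH` limit are hypothetical names and values chosen for illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <time.h>

#define MAX_RE_DEPTH 256  /* assumed limit, not a BusyBox or glibc constant */

/* Format secs with fmt; returns the length written, or -1 if the timestamp
 * does not fit time_t or cannot be converted (localtime() returned NULL). */
int format_time(char *buf, size_t n, const char *fmt, long long secs)
{
    time_t t = (time_t)secs;
    struct tm *tm;
    if ((long long)t != secs)        /* value truncated by time_t */
        return -1;
    tm = localtime(&t);
    if (tm == NULL)                  /* e.g. the year overflows tm_year */
        return -1;
    return (int)strftime(buf, n, fmt, tm);
}

/* Deepest nesting of unescaped '(' outside bracket expressions. */
size_t re_paren_depth(const char *p)
{
    size_t depth = 0, max = 0;
    int in_bracket = 0;
    for (; *p; p++) {
        if (in_bracket) { if (*p == ']') in_bracket = 0; continue; }
        if (*p == '\\' && p[1]) { p++; continue; }   /* escaped character */
        if (*p == '[') {
            in_bracket = 1;
            if (p[1] == '^') p++;
            if (p[1] == ']') p++;    /* a leading ']' is a literal */
        } else if (*p == '(') {
            if (++depth > max) max = depth;
        } else if (*p == ')' && depth > 0) {
            depth--;
        }
    }
    return max;
}

/* regcomp() wrapper that refuses over-nested patterns before parsing. */
int checked_regcomp(regex_t *re, const char *pat, int cflags)
{
    if (re_paren_depth(pat) > MAX_RE_DEPTH)
        return REG_ESPACE;           /* rejected without calling regcomp() */
    return regcomp(re, pat, cflags);
}
```

The depth scan errs on the side of over-counting (a character class such as `[[:alpha:]]` closes the bracket early), so it can reject a legal pattern but does not let an over-nested one through to regcomp().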