| Field | Value |
|---|---|
| Summary: | ash: segmentation fault in trapcmd: `trap '' 255` |
| Product: | Busybox |
| Reporter: | Fernando Muñoz <fernando> |
| Component: | Other |
| Assignee: | unassigned |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | busybox-cvs |
| Priority: | P5 |
| Version: | 1.24.x |
| Target Milestone: | --- |
| Hardware: | All |
| OS: | Linux |
| Host: | |
| Target: | |
| Build: | |
| Attachments: | crashing test, config, minimized test case, config |
Description
Fernando Muñoz, 2016-02-09 16:01:57 UTC

please attach the config file you used to all of your bug reports

Created attachment 6316: config
Config file

Created attachment 6321: minimized test case
Added minimized test case and debugging stacktrace:
```text
(gdb) set follow-fork-mode child
(gdb) run sh bb1.sh
Starting program: /root/bash/busybox-1.24.1/busybox_unstripped sh bb1.sh
bb1.sh: trap: line 1: -0: invalid signal specification
bb1.sh: set: line 5: illegal option -o 0000000
[New process 10688]
Segmentation fault
Program received signal SIGPIPE, Broken pipe.
[Switching to process 10688]
0xb7fdcc38 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdcc38 in __kernel_vsyscall ()
#1  0xb7e9b183 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:81
#2  0x08084544 in safe_write (fd=fd@entry=4, buf=buf@entry=0x84a72bc, count=count@entry=35) at libbb/safe_write.c:17
#3  0x08083e8f in full_write (fd=fd@entry=4, buf=0x84a72bc, len=35) at libbb/full_write.c:25
#4  0x0822e119 in expandhere (fd=4, arg=0x84a7294) at shell/ash.c:7267
#5  openhere (redir=<optimized out>, redir=<optimized out>) at shell/ash.c:5091
#6  openredirect (redir=<optimized out>) at shell/ash.c:5151
#7  redirect (redir=<optimized out>, redir@entry=0x84a7234, flags=flags@entry=3) at shell/ash.c:5323
#8  0x0822f95d in redirectsafe (redir=0x84a7234, flags=flags@entry=3) at shell/ash.c:5470
#9  0x08236afa in evalcommand (cmd=0x84a725c, flags=0) at shell/ash.c:9278
#10 0x08216838 in evaltree (n=0x84a725c, flags=0) at shell/ash.c:8428
#11 0x0823c9f2 in cmdloop (top=<optimized out>) at shell/ash.c:12143
#12 ash_main (argc=2, argv=0xbffff448) at shell/ash.c:13219
#13 0x0807641b in run_applet_no_and_exit (applet_no=269, argv=argv@entry=0xbffff448) at libbb/appletlib.c:774
#14 0x08076cef in run_applet_and_exit (name=0xbffff5f1 "sh", argv=argv@entry=0xbffff448) at libbb/appletlib.c:781
#15 0x080773f5 in busybox_main (argv=0xbffff448) at libbb/appletlib.c:730
#16 run_applet_and_exit (name=<optimized out>, argv=argv@entry=0xbffff444) at libbb/appletlib.c:783
#17 0x08078177 in main (argc=3, argv=0xbffff444) at libbb/appletlib.c:838
```
Comment on attachment 6321: minimized test case
simple test case is to just pass a really large signal # to trap:
```text
$ ./busybox_unstripped sh -c 'trap '' 255'
shell/ash.c:12555:42: runtime error: index 255 out of bounds for type 'char *[65]'
=================================================================
==2199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000010548 at pc 0x000000412581 bp 0x7fffb7868350 sp 0x7fffb7868340
READ of size 8 at 0x617000010548 thread T0
    #0 0x412580 in trapcmd shell/ash.c:12555
```
Created attachment 6326: config
minimized config to reproduce (really just enable ash)
*** Bug 8666 has been marked as a duplicate of this bug. ***

*** Bug 8671 has been marked as a duplicate of this bug. ***

The place where it happens:

```c
char *trap[NSIG];
...
signo = get_signum(*ap);
...
free(trap[signo]);
```
This was fixed by not allowing get_signum() to return >= NSIG:
```c
int FAST_FUNC get_signum(const char *name)
{
    unsigned i;
    i = bb_strtou(name, NULL, 10);
    if (!errno && i < NSIG) /* for shells, we allow 0 too */
                  ^^^^^^^^
        return i;
```