| Summary: | SEGV on evalvar | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | Franco Costantini <franco.costantini20> |
| Component: | Other | Assignee: | unassigned |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Host: | | Target: | |
| Build: | | | |
| Attachments: | test case, .config file | | |
Created attachment 6641
.config file

Fixed in git, thanks!
Created attachment 6636
test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0. We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

Technical details about the issue are:

```
==24340== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x0000004c8428 sp 0x7ffd63e2a340 bp 0x7ffd63e2a3c0 T0)
AddressSanitizer can not provide additional info.
    #0 0x4c8427 (/home/franco/testing/progs/busybox-1.25.0/busybox_unstripped+0x4c8427)
```

gdb backtrace is as follows:

```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address 0x2>, p@entry=0x60360000fe85 "`\210", flags=flags@entry=257, var_str_list=var_str_list@entry=0x60340000fe68) at shell/ash.c:6835
6835        unsigned char c = *p++;
#0  0x00000000004c8428 in evalvar (p=0x2 <error: Cannot access memory at address 0x2>, p@entry=0x60360000fe85 "`\210", flags=flags@entry=257, var_str_list=var_str_list@entry=0x60340000fe68) at shell/ash.c:6835
#1  0x00000000004bec00 in argstr (p=0x60360000fe85 "`\210", flags=1, flags@entry=3, var_str_list=0x60340000fe68) at shell/ash.c:6143
#2  0x00000000004bf26f in expandarg (arg=arg@entry=0x60360000fe88, arglist=arglist@entry=0x7fffffffe240, flag=3) at shell/ash.c:7223
#3  0x00000000004c8ed9 in evalcommand (cmd=0x60340000fe08, flags=0) at shell/ash.c:9275
#4  0x00000000004c4cb8 in evaltree (n=0x60340000fe08, flags=flags@entry=0) at shell/ash.c:8440
#5  0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#6  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#7  0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#8  0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#9  0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#10 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#11 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971
```

This issue was found using QuickFuzz; the file to reproduce it is attached.

Regards.