Bug 9241

Summary: Stack exhaustion in evaltree
Product: Busybox Reporter: Franco Costantini <franco.costantini20>
Component: Other Assignee: unassigned
Status: RESOLVED WONTFIX    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: gzipped test case
.config file

Description Franco Costantini 2016-09-13 12:43:42 UTC
Hello, we recently found a stack exhaustion when parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could be affected. Please find attached the full .config file.

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c48fc in evaltree (n=0x603400615988, flags=0) at shell/ash.c:8341
8341	{
#0  0x00000000004c48fc in evaltree (n=0x603400615988, flags=0) at shell/ash.c:8341
#1  0x00000000004c4c52 in evaltree (n=0x603400615a10, flags=0) at shell/ash.c:8429
#2  0x00000000004c4c52 in evaltree (n=0x603400615628, flags=0) at shell/ash.c:8429
#3  0x00000000004c4c52 in evaltree (n=0x6034006156b0, flags=0) at shell/ash.c:8429
#4  0x00000000004c4c52 in evaltree (n=0x603400615738, flags=0) at shell/ash.c:8429
#5  0x00000000004c4c52 in evaltree (n=0x6034006157c0, flags=0) at shell/ash.c:8429
#6  0x00000000004c4c52 in evaltree (n=0x6034006153d0, flags=0) at shell/ash.c:8429
#7  0x00000000004c4c52 in evaltree (n=0x603400615458, flags=0) at shell/ash.c:8429
#8  0x00000000004c4c52 in evaltree (n=0x6034006154e0, flags=0) at shell/ash.c:8429
#9  0x00000000004c4c52 in evaltree (n=0x603400615568, flags=0) at shell/ash.c:8429
#10 0x00000000004c4c52 in evaltree (n=0x603400615178, flags=0) at shell/ash.c:8429
#11 0x00000000004c4c52 in evaltree (n=0x603400615200, flags=0) at shell/ash.c:8429
#12 0x00000000004c4c52 in evaltree (n=0x603400615288, flags=0) at shell/ash.c:8429
#13 0x00000000004c4c52 in evaltree (n=0x603400614ea8, flags=0) at shell/ash.c:8429
#14 0x00000000004c4c52 in evaltree (n=0x603400614f30, flags=0) at shell/ash.c:8429
#15 0x00000000004c4c52 in evaltree (n=0x603400614fb8, flags=0) at shell/ash.c:8429
#16 0x00000000004c4c52 in evaltree (n=0x603400615040, flags=0) at shell/ash.c:8429
#17 0x00000000004c4c52 in evaltree (n=0x603400614c50, flags=0) at shell/ash.c:8429
#18 0x00000000004c4c52 in evaltree (n=0x603400614cd8, flags=0) at shell/ash.c:8429
#19 0x00000000004c4c52 in evaltree (n=0x603400614d60, flags=0) at shell/ash.c:8429
#20 0x00000000004c4c52 in evaltree (n=0x603400614de8, flags=0) at shell/ash.c:8429
#21 0x00000000004c4c52 in evaltree (n=0x6034006149f8, flags=0) at shell/ash.c:8429
#22 0x00000000004c4c52 in evaltree (n=0x603400614a80, flags=0) at shell/ash.c:8429
#23 0x00000000004c4c52 in evaltree (n=0x603400614b10, flags=0) at shell/ash.c:8429
#24 0x00000000004c4c52 in evaltree (n=0x603400614728, flags=0) at shell/ash.c:8429

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-13 12:45:38 UTC
Created attachment 6646 [details]
gzipped test case
Comment 2 Franco Costantini 2016-09-13 12:46:00 UTC
Created attachment 6651 [details]
.config file
Comment 3 Denys Vlasenko 2016-09-20 21:07:57 UTC
609210-byte-long line in a script.

Even though this particular form can be fixed by stopping at semicolons too, not only at end of line (hush does that and survives), it's easy to construct other similar border cases (e.g. echo "10mb long line").

Won't fix.
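As an added illustration of the failure mode above (this is not BusyBox code; the node layout, function names and the left-nested list shape are a constructed model, not ash's real parser output), a toy evaltree over a chain of semicolon nodes, beside a depth-guarded variant that returns an error instead of exhausting the stack:

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy model of a parsed "c0; c1; ...; c(n-1)" list (constructed here, not ash's
 * real layout): left-nested NSEMI nodes, list-so-far in ch1, newest cmd in ch2. */
enum { NCMD, NSEMI };
struct node { int type; struct node *ch1, *ch2; };
static struct node *mknode(int type, struct node *ch1, struct node *ch2)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->type = type; n->ch1 = ch1; n->ch2 = ch2;
    return n;
}

/* Build a list of `count` commands the way a left-accumulating parser does;
 * one 600 KB line of ";"-separated commands yields a chain this deep. */
struct node *build_semi_list(size_t count)
{
    struct node *list = mknode(NCMD, NULL, NULL);
    for (size_t i = 1; i < count; i++)
        list = mknode(NSEMI, list, mknode(NCMD, NULL, NULL));
    return list;
}

/* Evaluator with the recursive shape seen in the backtrace: each NSEMI recurses
 * into ch1, so stack depth equals list length. Returns commands counted (not run). */
long evaltree_recursive(struct node *n)
{
    if (n->type == NCMD) return 1;
    return evaltree_recursive(n->ch1) + evaltree_recursive(n->ch2);
}

/* Hardened variant: same walk with an explicit depth budget. Exceeding it returns
 * -1, which a shell can report as a clean error instead of a SIGSEGV. depth = 0. */
long evaltree_guarded(struct node *n, int depth, int max_depth)
{
    if (depth > max_depth) return -1;
    if (n->type == NCMD) return 1;
    long a = evaltree_guarded(n->ch1, depth + 1, max_depth);
    if (a < 0) return -1;
    long b = evaltree_guarded(n->ch2, depth + 1, max_depth);
    return b < 0 ? -1 : a + b;
}

int main(void)
{
    struct node *list = build_semi_list(1000);
    printf("recursive: %ld  guarded: %ld\n", evaltree_recursive(list),
           evaltree_guarded(list, 0, 100));   /* prints 1000 and -1 */
    return 0;
}
```

With a list long enough to match the attached test case, evaltree_recursive is the function that faults; evaltree_guarded fails at the budget instead and leaves the shell able to report the script as too deeply nested.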