| Summary: | SIGSEGV on readtoken | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | Franco Costantini <franco.costantini20> |
| Component: | Other | Assignee: | unassigned |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Host: | | Target: | |
| Build: | | | |
| Attachments: | gzipped test case; .config file | | |
Created attachment 6661 [details]
.config file

echo "..<100kbytes>..`true` $(true) `true` ..." allocates 100kb for every command subst. With about a hundred command substitutions stack overflows. With larger prepended string, SEGV happens sooner. I think while this is a deficiency, it is not likely to impact practical scripts. Adding FIXME in the source where it happens. Won't fix now.
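The mechanism described in the comment above, as an added illustration that is not BusyBox or ash code: a toy word tokenizer in C that must park the partially built word while a command substitution is parsed, because the inner parser reuses the same buffer. Parking it on the stack (modelled here with a constructed 256 KB `fake_stack` arena so the overflow is reported instead of crashing) costs prefix length times number of substitutions within one word, which is the growth pattern the comment describes; parking it on the heap keeps stack use flat. All names (`parser`, `parse_word`, `count_substitutions`, `build_report_shape`) and the fake stack limit are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the process stack limit (the real one is only larger). */
#define FAKE_STACK_SIZE (256 * 1024)

/* Where the partially built word is parked while a substitution is parsed. */
enum save_strategy { SAVE_ON_STACK, SAVE_ON_HEAP };

typedef struct {
    char *buf;                       /* growable buffer for the word being built */
    size_t len, cap;
    char fake_stack[FAKE_STACK_SIZE];/* models alloca'd memory */
    size_t stack_used;               /* bump pointer into fake_stack */
    enum save_strategy strategy;
} parser;

static void word_push(parser *p, char c)
{
    if (p->len == p->cap) {
        p->cap = p->cap ? p->cap * 2 : 256;
        p->buf = realloc(p->buf, p->cap);
        if (!p->buf) abort();
    }
    p->buf[p->len++] = c;
}

static int parse_command(parser *p, const char **pp, char term);

/* Tokenise one word; `term` closes the enclosing substitution (0 at top level).
 * Returns substitutions seen, -1 on modelled stack overflow, -2 if unterminated. */
static int parse_word(parser *p, const char **pp, char term)
{
    const char *s = *pp;
    size_t stack_mark = p->stack_used;  /* alloca memory lives until the word is done */
    int nsubst = 0;
    p->len = 0;
    while (*s && *s != ' ' && *s != '\t' && *s != '\n' && *s != term) {
        char inner_term = 0;
        if (*s == '`') { inner_term = '`'; s++; }
        else if (*s == '$' && s[1] == '(') { inner_term = ')'; s += 2; }
        if (!inner_term) { word_push(p, *s++); continue; }

        /* The inner parser reuses buf, so the prefix built so far must be parked.
         * This copy is what grows with (prefix length x substitutions). */
        size_t olen = p->len;
        char *saved = NULL;
        if (olen) {
            if (p->strategy == SAVE_ON_STACK) {
                if (p->stack_used + olen > FAKE_STACK_SIZE) { *pp = s; return -1; }
                saved = p->fake_stack + p->stack_used;
                p->stack_used += olen;
            } else {
                saved = malloc(olen);
                if (!saved) abort();
            }
            memcpy(saved, p->buf, olen);
        }
        int inner = parse_command(p, &s, inner_term);
        if (inner >= 0) {
            p->len = 0;
            for (size_t i = 0; i < olen; i++) word_push(p, saved[i]);
            word_push(p, '$');           /* stands in for the substitution result */
            nsubst += 1 + inner;
        }
        if (p->strategy == SAVE_ON_HEAP) free(saved);
        if (inner < 0) { *pp = s; return inner; }
    }
    p->stack_used = stack_mark;
    *pp = s;
    return nsubst;
}

static int parse_command(parser *p, const char **pp, char term)
{
    const char *s = *pp;
    int total = 0;
    for (;;) {
        while (*s == ' ' || *s == '\t' || *s == '\n') s++;
        if (*s == term) { if (term) s++; break; }
        if (*s == 0) { *pp = s; return -2; }   /* unterminated substitution */
        int n = parse_word(p, &s, term);
        if (n < 0) { *pp = s; return n; }
        total += n;
    }
    *pp = s;
    return total;
}

/* Total command substitutions in script, -1 on modelled overflow, -2 if unterminated. */
int count_substitutions(const char *script, enum save_strategy strategy)
{
    parser *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->strategy = strategy;
    const char *s = script;
    int total = parse_command(p, &s, 0);
    free(p->buf); free(p);
    return total;
}

/* Constructed input with the shape from the comment: echo <prefix>`true``true`... */
char *build_report_shape(size_t prefix_len, int nsubst)
{
    const char *sub = "`true`";
    char *s = malloc(5 + prefix_len + (size_t)nsubst * strlen(sub) + 1), *q;
    if (!s) abort();
    memcpy(s, "echo ", 5);
    memset(s + 5, 'a', prefix_len);
    q = s + 5 + prefix_len;
    for (int i = 0; i < nsubst; i++) { memcpy(q, sub, strlen(sub)); q += strlen(sub); }
    *q = 0;
    return s;
}

int main(void)
{
    char *script = build_report_shape(10000, 50);
    printf("heap strategy : %d\n", count_substitutions(script, SAVE_ON_HEAP));
    printf("stack strategy: %d\n", count_substitutions(script, SAVE_ON_STACK));
    free(script);
    return 0;
}
```

With a 10000-byte prefix and 50 substitutions the stack strategy reports overflow after about 26 copies (26 x 10000 bytes exceeds the 256 KB arena), while the heap strategy finishes and counts all 50; the same script with many short words never accumulates, since the parked memory is released when each word completes.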
Created attachment 6656 [details]
gzipped test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0. We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file. The gdb backtrace is as follows:

```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
#0  0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#1  readtoken1 (c=<optimized out>, syntax=<optimized out>, eofmark=<optimized out>, striptabs=<optimized out>) at shell/ash.c:11646
#2  0x00000000004c3222 in readtoken () at shell/ash.c:11945
#3  0x00000000004c13c3 in peektoken () at shell/ash.c:12003
#4  list (nlflag=nlflag@entry=1) at shell/ash.c:10546
#5  0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#6  0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#7  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#8  0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#9  0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#10 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#11 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#12 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971
```

This issue was found using QuickFuzz, the file to reproduce it is attached. Regards.