Bug 9266

Summary: SIGSEGV on readtoken
Product: Busybox
Reporter: Franco Costantini <franco.costantini20>
Component: Other
Assignee: unassigned
Status: RESOLVED FIXED
Severity: normal
CC: busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:
Attachments: test case, config file

Description Franco Costantini 2016-09-19 16:21:37 UTC
Created attachment 6676: test case

Hello, we recently found an invalid memory access while parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could be affected. Please find attached the full .config file.

The gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
11153	{
#0  readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
#1  0x00000000004c3238 in readtoken () at shell/ash.c:11953
#2  0x00000000004c4560 in pipeline () at shell/ash.c:10642
#3  0x00000000004c1409 in andor () at shell/ash.c:10612
#4  list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#5  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#6  0x00000000004c4583 in pipeline () at shell/ash.c:10647
#7  0x00000000004c1409 in andor () at shell/ash.c:10612
#8  list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#9  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#10 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#11 0x00000000004c1409 in andor () at shell/ash.c:10612
#12 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#13 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#14 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#15 0x00000000004c1409 in andor () at shell/ash.c:10612
#16 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#17 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#18 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#19 0x00000000004c1409 in andor () at shell/ash.c:10612
#20 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#21 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#22 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#23 0x00000000004c1409 in andor () at shell/ash.c:10612
#24 list (nlflag=nlflag@entry=0) at shell/ash.c:10565

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-19 16:21:55 UTC
Created attachment 6681: config file
Comment 2 Denys Vlasenko 2016-09-25 19:48:41 UTC
Won't fix this - stack exhaustion while parsing 64000 nested {}s
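The diagnosis in Comment 2 is that the crash is ordinary stack exhaustion: the backtrace shows the parser's list -> andor -> pipeline -> parse_command cycle repeating once per nesting level, so 64000 nested brace groups mean tens of thousands of recursive frames. The following is an added example, not busybox code and not the grammar of ash: a minimal recursive-descent parser for nested `{ ... }` groups whose function names loosely mirror the backtrace, with a hypothetical `max_depth` cap that turns unbounded recursion into a clean parse error. The cap value, the toy grammar and the `make_nested` helper (which stands in for the fuzzer-generated input attached to the bug) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not busybox code. Toy grammar:
 *   list    := (command (';' command)*)?        (whitespace ignored)
 *   command := '{' list '}' | WORD
 * Each '{' re-enters parse_list, so recursion depth == input nesting depth.
 * The max_depth cap is the defensive check that ash lacks (hypothetical). */

enum parse_status { PARSE_OK = 0, PARSE_SYNTAX = 1, PARSE_TOO_DEEP = 2 };

struct parser {
    const char *src;
    size_t pos;
    int depth;      /* current brace-group nesting depth */
    int max_depth;  /* nesting level at which we refuse to recurse further */
};

static enum parse_status parse_list(struct parser *p);

static int is_word_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

static void skip_ws(struct parser *p)
{
    while (p->src[p->pos] == ' ')
        p->pos++;
}

static enum parse_status parse_command(struct parser *p)
{
    char c = p->src[p->pos];
    if (c == '{') {
        /* Bound the recursion before adding another frame. */
        if (p->depth >= p->max_depth)
            return PARSE_TOO_DEEP;
        p->depth++;
        p->pos++;
        enum parse_status st = parse_list(p);
        p->depth--;
        if (st != PARSE_OK)
            return st;
        if (p->src[p->pos] != '}')
            return PARSE_SYNTAX;
        p->pos++;
        return PARSE_OK;
    }
    if (is_word_char(c)) {
        while (is_word_char(p->src[p->pos]))
            p->pos++;
        return PARSE_OK;
    }
    return PARSE_SYNTAX;
}

static enum parse_status parse_list(struct parser *p)
{
    for (;;) {
        skip_ws(p);
        char c = p->src[p->pos];
        if (c == '}' || c == '\0')
            return PARSE_OK;            /* empty list or end of group */
        enum parse_status st = parse_command(p);
        if (st != PARSE_OK)
            return st;
        skip_ws(p);
        if (p->src[p->pos] != ';')
            return PARSE_OK;
        p->pos++;
    }
}

/* Parse a whole string; trailing unparsed input is a syntax error. */
enum parse_status parse_braces(const char *src, int max_depth)
{
    struct parser p = { src, 0, 0, max_depth };
    enum parse_status st = parse_list(&p);
    if (st != PARSE_OK)
        return st;
    return p.src[p.pos] == '\0' ? PARSE_OK : PARSE_SYNTAX;
}

/* Constructed input: n '{' followed by n '}' (caller frees). */
char *make_nested(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s)
        return NULL;
    memset(s, '{', n);
    memset(s + n, '}', n);
    s[2 * n] = '\0';
    return s;
}

int main(void)
{
    char *deep = make_nested(64000);   /* same nesting count as the report */
    printf("valid input   -> %d\n", parse_braces("{ a; { b } }", 1000));
    printf("64000 nested  -> %d (2 = PARSE_TOO_DEEP, no crash)\n",
           parse_braces(deep, 1000));
    free(deep);
    return 0;
}
```

With the cap in place the 64000-level input fails fast at depth 1000 instead of growing the stack by two frames per level; choosing the cap is a policy decision (large enough for any real script, small enough to fit the smallest stack the program is expected to run on).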