Bug 9276

Summary: Heap overflow on redirect
Product: Busybox Reporter: Franco Costantini <franco.costantini20>
Component: OtherAssignee: unassigned
Status: RESOLVED FIXED    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: test case
config file

Description Franco Costantini 2016-09-20 16:43:35 UTC 
Created attachment 6696 [details]
test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.
Technical details about the issue are:

==24867== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60360000ffb0 at pc 0x4c04be bp 0x7ffe43425f20 sp 0x7ffe43425f18
READ of size 8 at 0x60360000ffb0 thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d734 in __asan_report_load8 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004c04be in openredirect (redir=0x60360000ff90) at shell/ash.c:5104
#8  redirect (redir=redir@entry=0x60360000ff90, flags=flags@entry=3) at shell/ash.c:5322
#9  0x00000000004c0e3d in redirectsafe (redir=0x60360000ff90, flags=flags@entry=3) at shell/ash.c:5469
#10 0x00000000004c911b in evalcommand (cmd=0x60340000fd30, flags=0) at shell/ash.c:9294
#11 0x00000000004c4cb8 in evaltree (n=0x60340000fd30, flags=flags@entry=0) at shell/ash.c:8440
#12 0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#13 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#14 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#15 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#16 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#17 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#18 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-20 16:43:54 UTC 
Created attachment 6701 [details]
config file
Comment 2 Denys Vlasenko 2016-09-25 19:24:46 UTC 
Indeed, it is an access past the end of allocated memory.
Fixed in git, thanks!