Bug 9281

Summary: Heap overflow on readtoken
Product: Busybox Reporter: Franco Costantini <franco.costantini20>
Component: OtherAssignee: unassigned
Status: NEW ---    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: test case
config file

Description Franco Costantini 2016-09-20 16:45:15 UTC 
Created attachment 6706 [details]
test case

Hi, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

Technical details about the issue are:

==24933== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60420001f3ff at pc 0x4bc409 bp 0x7ffdeb7356d0 sp 0x7ffdeb7356c8
READ of size 1 at 0x60420001f3ff thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d6a4 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004bc409 in pgetc () at shell/ash.c:9851
#8  0x00000000004c3084 in xxreadtoken () at shell/ash.c:11816
#9  0x00000000004c3222 in readtoken () at shell/ash.c:11945
#10 0x00000000004c3f5e in simplecmd () at shell/ash.c:10787
#11 parse_command () at shell/ash.c:11059
#12 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#13 0x00000000004c1409 in andor () at shell/ash.c:10612
#14 list (nlflag=nlflag@entry=1) at shell/ash.c:10565
#15 0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#16 0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#17 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#18 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#19 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#20 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#21 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#22 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-20 16:45:27 UTC 
Created attachment 6711 [details]
config file
Comment 2 Denys Vlasenko 2016-09-25 20:11:16 UTC 
Can't reproduce.