Bug 9286

Summary: Heap overflow on rmescapes
Product: Busybox
Reporter: Franco Costantini <franco.costantini20>
Component: Other
Assignee: unassigned
Status: RESOLVED FIXED
Severity: normal
CC: busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:
Attachments: test case
config file

Description Franco Costantini 2016-09-20 16:47:20 UTC
Created attachment 6716
test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

Technical details about the issue are:

==25142== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000e4b5 at pc 0x4b9a2b bp 0x7ffc87913170 sp 0x7ffc87913168
WRITE of size 1 at 0x60060000e4b5 thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d797 in __asan_report_store1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004b9a2b in rmescapes (str=0x60360000fe48 "wh%s%#x\201x0d\210%#x\201[u1\201", flag=flag@entry=19) at shell/ash.c:5661
#8  0x00000000004bf8cb in preglob (flag=17, pattern=<optimized out>) at shell/ash.c:5680
#9  expandmeta (str=0x60360000fe80) at shell/ash.c:7177
#10 expandarg (arg=arg@entry=0x60360000fde0, arglist=arglist@entry=0x7fffffffe240, flag=<optimized out>) at shell/ash.c:7240
#11 0x00000000004c8ed9 in evalcommand (cmd=0x60360000fe28, flags=0) at shell/ash.c:9275
#12 0x00000000004c4cb8 in evaltree (n=0x60360000fe28, flags=flags@entry=0) at shell/ash.c:8440
#13 0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#14 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#15 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#16 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#17 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#18 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#19 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
Comment 1 Franco Costantini 2016-09-20 16:47:38 UTC
Created attachment 6721
config file
Comment 2 Denys Vlasenko 2016-09-25 18:56:16 UTC
Bug in handling embedded NUL in $'string'
Fixed in git, thanks!