Created attachment 9391 [details]
poc

1. BusyBox bc calculator: use-after-free in bc_vec_npush()

File: busybox-master\busybox\miscutils\bc.c

At line 1105 the function dereferences `v` (`v->len`), but the `BcVec` that `v` points to lives inside a heap block that xrealloc() has already released: the containing buffer was reallocated, the old copy was freed, and `v` still refers to the old copy. The read therefore lands in freed memory (the ASan report below places it 8 bytes inside a 6912-byte freed block; the fuzzed build reports the same function at bc.c:1148, so its line numbers differ from the listing).

    1102
    1103 static size_t bc_vec_npush(BcVec *v, size_t n, const void *data)
    1104 {
    1105 	size_t len = v->len;
    1106 	if (len + n > v->cap) bc_vec_grow(v, n);
    1107 	memmove(v->v + (v->size * len), data, v->size * n);
    1108 	v->len = len + n;
    1109 	return len;
    1110 }
    1111

2. Affected versions

BusyBox 1.33 to BusyBox 1.35. The latest version (master) is affected.

3. ASan report

Command line and output of the ASan build (the input file name follows AFL's crash-case naming):

    busybox_unstripped bc id:000083,sig:06,src:001758+001745,time:662304425,execs:76703360,op:splice,rep:2
    bc 1.36.0.git
    Adapted from https://github.com/gavinhoward/bc
    Original code (c) 2018 Gavin D. Howard and contributors
    1
    4
    49
    4
    4
    =================================================================
    ==1231022==ERROR: AddressSanitizer: heap-use-after-free on address 0x623000000108 at pc 0x55b9a94ac5f9 bp 0x7ffc33fe5990 sp 0x7ffc33fe5980
    READ of size 8 at 0x623000000108 thread T0
        #0 0x55b9a94ac5f8 in bc_vec_npush miscutils/bc.c:1148

    0x623000000108 is located 8 bytes inside of 6912-byte region [0x623000000100,0x623000001c00)
    freed by thread T0 here:
        #0 0x7f78a30a7ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
        #1 0x55b9a9488f7e in xrealloc libbb/xfuncs_printf.c:61
        #2 0x55b9a9ab5d3f (busybox-master/busybox_unstripped+0xed0d3f)

    previously allocated by thread T0 here:
        #0 0x7f78a30a7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x55b9a9488f30 in xmalloc libbb/xfuncs_printf.c:50

    SUMMARY: AddressSanitizer: heap-use-after-free miscutils/bc.c:1148 in bc_vec_npush
    Shadow bytes around the buggy address:
      0x0c467fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c467fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c467fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c467fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c467fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c467fff8020: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c467fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c467fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c467fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c467fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c467fff8070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1231022==ABORTING
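The bug class behind the trace above (a `BcVec *` obtained before the vector that contains it grows, then passed to `bc_vec_npush()` after the growth has freed the old storage) reduced to a stand-alone C example, together with the index-based access pattern that avoids it. This is added illustration, not BusyBox code: the `Vec` struct layout, the `vec_*` names, the growth policy that always moves the storage, and the two demo functions are assumptions made for this example; the real trigger inside bc is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable buffer of fixed-size elements, in the shape of bc's BcVec.
 * Layout is an assumption of this example, not copied from bc.c. */
typedef struct Vec {
    char  *v;     /* element storage */
    size_t len;   /* elements in use */
    size_t cap;   /* elements allocated */
    size_t size;  /* bytes per element */
} Vec;

static void vec_init(Vec *v, size_t esize, size_t cap)
{
    v->size = esize;
    v->len = 0;
    v->cap = cap ? cap : 1;
    v->v = malloc(v->cap * v->size);
    if (!v->v) abort();
}

/* Growth always allocates a new block and frees the old one, so the storage
 * is guaranteed to move. realloc() merely *may* move it, which is why this
 * class of bug is intermittent outside of ASan. */
static void vec_grow(Vec *v, size_t n)
{
    size_t cap = v->cap;
    while (cap < v->len + n) cap *= 2;
    char *nv = malloc(cap * v->size);
    if (!nv) abort();
    memcpy(nv, v->v, v->len * v->size);
    free(v->v);      /* every Vec* that pointed into the old block now dangles */
    v->v = nv;
    v->cap = cap;
}

/* Same shape as bc_vec_npush() in the report. */
static size_t vec_npush(Vec *v, size_t n, const void *data)
{
    size_t len = v->len;
    if (len + n > v->cap) vec_grow(v, n);
    memmove(v->v + v->size * len, data, v->size * n);
    v->len = len + n;
    return len;
}

static void vec_free(Vec *v) { free(v->v); v->v = NULL; v->len = v->cap = 0; }

/* Outer vector whose elements are themselves Vec structs. */
static Vec *vec_item(Vec *outer, size_t i)
{
    return (Vec *)(outer->v + i * outer->size);
}

static void push_empty_child(Vec *outer)
{
    Vec child;
    vec_init(&child, sizeof(int), 1);
    vec_npush(outer, 1, &child);   /* may move outer->v */
}

/* The hazardous order of operations: hold a Vec* into the outer vector, then
 * push onto the outer vector. Returns 1 if the held pointer went stale. The
 * stale address is only compared, never dereferenced; calling
 * vec_npush((Vec *)held, ...) at the marked point is the use-after-free. */
static int held_pointer_goes_stale(void)
{
    Vec outer;
    vec_init(&outer, sizeof(Vec), 1);
    push_empty_child(&outer);
    uintptr_t held = (uintptr_t)vec_item(&outer, 0);   /* like the `v` argument */
    push_empty_child(&outer);                           /* forces growth: old block freed */
    int stale = (uintptr_t)vec_item(&outer, 0) != held;
    /* <- vec_npush((Vec *)held, ...) here reads freed memory, as in the trace */
    for (size_t i = 0; i < outer.len; i++) vec_free(vec_item(&outer, i));
    vec_free(&outer);
    return stale;
}

/* Hardened form: address the child by index and re-derive the pointer after
 * anything that can grow the outer vector. Returns the sum of the ints pushed
 * into child 0 so the caller can check the data survived the move. */
static int push_by_index_after_growth(void)
{
    Vec outer;
    vec_init(&outer, sizeof(Vec), 1);
    push_empty_child(&outer);
    size_t idx = 0;                         /* index stays valid; pointers do not */
    int a = 40, b = 2;
    vec_npush(vec_item(&outer, idx), 1, &a);
    push_empty_child(&outer);               /* outer storage moves */
    vec_npush(vec_item(&outer, idx), 1, &b); /* fresh pointer after the growth */
    Vec *child = vec_item(&outer, idx);
    int sum = 0;
    for (size_t i = 0; i < child->len; i++) sum += ((int *)child->v)[i];
    for (size_t i = 0; i < outer.len; i++) vec_free(vec_item(&outer, i));
    vec_free(&outer);
    return sum;
}

int main(void)
{
    printf("held pointer stale after outer growth: %d\n", held_pointer_goes_stale());
    printf("sum via index-based access: %d\n", push_by_index_after_growth());
    return 0;
}
```

Build it with `-fsanitize=address` and replace the marked comment in `held_pointer_goes_stale()` with a real `vec_npush((Vec *)held, 1, &a)` to get the same heap-use-after-free report shape as above: an 8-byte read of the `len` field inside a block freed by the outer vector's growth.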