Bug 15652 - [busybox 1.36.1] heap-use-after-free in tsort
Summary: [busybox 1.36.1] heap-use-after-free in tsort
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2023-06-22 15:22 UTC by Frank Busse
Modified: 2023-06-22 15:22 UTC

Description Frank Busse 2023-06-22 15:22:02 UTC
The following input causes a use-after-free:

$ printf '\x0f\n\xf0\n\xf0\n\x0f' | busybox-1.36.1/bin/busybox tsort

==2165==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x560d7ee21afd bp 0x7fff70e3f840 sp 0x7fff70e3f830
READ of size 4 at 0x603000000040 thread T0
    #0 0x560d7ee21afc in tsort_main coreutils/tsort.c:179

(found by KLEE)