Created attachment 9652
Busybox Memory Leaks

A memory corruption issue exists in BusyBox through version v1.37 in which malcrafted tar file headers trigger a left shift operation of a negative value at getOctal() in get_header_tar.c. As a result, and depending on the input, memory leaks and/or crashes occur.

VALGRIND OUTPUT

valgrind --leak-check=full ./busybox tar -xvf input.tar -O
...
==926823== 256 (184 direct, 72 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 2
==926823==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
==926823==    by 0x1196F2: xmalloc (in /home/andres/misc/framework/repos/busybox.old/busybox.full)
==926823==    by 0xB7: ???
==926823==    by 0x119726: xzalloc (in /home/andres/misc/framework/repos/busybox.old/busybox.full)
==926823==

ASAN OUTPUT

archival/libarchive/get_header_tar.c:58:9: runtime error: left shift of negative value -1
=================================================================
==2240392==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 184 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff78d85bf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x555555c103e3 (/home/andres/misc/framework/repos/busybox/busybox+0x6bc3e3) (BuildId: a68871b52750d3e6001195b071395ec9ad84ec1f)

Indirect leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff78d85bf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x555555c103e3 (/home/andres/misc/framework/repos/busybox/busybox+0x6bc3e3) (BuildId: a68871b52750d3e6001195b071395ec9ad84ec1f)

SUMMARY: AddressSanitizer: 256 byte(s) leaked in 2 allocation(s).

IMPACT:
Availability is impacted. Further exploitation has not been confirmed.

PoC
[See attached file]
https://github.com/CarlosAndresRamirez/PoCs/blob/main/busybox-v1.37_2023-11-04/busybox-tar-PoC-01.tar

---
Carlos Andres Ramirez
Security Engineer
https://carlos.engineer/
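
Added example, not part of the original report and not BusyBox's code: the sanitizer finding above is a left shift applied to a negative signed value, which C leaves undefined. The sketch below goes slightly beyond the report by decoding a tar numeric field in both ASCII octal and the GNU base-256 form, with every shift done on uint64_t; the name tar_field_decode, the range checks and the rejection of fields without digits are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not BusyBox code): decode one tar numeric field,
 * either ASCII octal or the GNU base-256 form (first byte has bit 7 set).
 * Every shift is done on uint64_t, so no negative value is ever shifted.
 * Returns 0 on success, -1 if the field is malformed or out of range. */
int tar_field_decode(const unsigned char *f, size_t len, int64_t *out)
{
    uint64_t v = 0;
    size_t i = 0, digits = 0;

    if (f == NULL || out == NULL || len == 0)
        return -1;

    if (f[0] & 0x80) {                      /* base-256, two's complement */
        int neg = (f[0] & 0x40) != 0;       /* bit 6 carries the sign */
        v = neg ? ~(uint64_t)0 : 0;         /* sign-extend in unsigned math */
        v = (v << 7) | (f[0] & 0x7f);
        for (i = 1; i < len; i++) {
            /* top 9 bits must all equal the sign, or the shift loses data */
            if ((v >> 55) != (neg ? 0x1ffu : 0u))
                return -1;
            v = (v << 8) | f[i];
        }
        /* go through the complement so the signed conversion is in range */
        *out = neg ? -(int64_t)(~v) - 1 : (int64_t)v;
        return 0;
    }

    while (i < len && f[i] == ' ')          /* leading spaces are allowed */
        i++;
    for (; i < len && f[i] >= '0' && f[i] <= '7'; i++, digits++) {
        if (v > ((uint64_t)INT64_MAX >> 3)) /* next shift would not fit */
            return -1;
        v = (v << 3) | (uint64_t)(f[i] - '0');
    }
    for (; i < len; i++)                    /* only NUL/space padding may follow */
        if (f[i] != '\0' && f[i] != ' ')
            return -1;
    if (digits == 0)                        /* assumption: empty field is an error */
        return -1;
    *out = (int64_t)v;
    return 0;
}
```

Building this with -fsanitize=undefined and feeding it the field bytes from a fuzzing corpus is a quick way to confirm that no shift diagnostic remains.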