Created attachment 9661 [details] POC file Hi, busybox developers, We found a use-after-free vulnerability in awk applet of busybox v1.36.1. The affected component is xfuncs_printf.c:344 in xasprintf function. Following is the reproduction process, and we put the poc file in the attachment. [1.] Environment Ubuntu 18.04, 64 bit BusyBox 1.36.1 Clang 6.0.0 [2.] Compilation 2.1 Modify the Makefile: HOSTCC=clang -fsanitize=address HOSTCXX=clang++ -fsanitize=address CC=clang CFLAGS=-fsanitize=address CPPFLAGS=-fsanitize=address LDFLAGS="-Wl,--allow-multiple-definition" 2.2 Modify the Config.in file, switch the following configs to y: DEBUG: y DEBUG_PESSIMIZE: y FEATURE_CLEAN_UP: y DEBUG_SANITIZE: y 2.3 Commands for compilation: export ASAN_OPTIONS=detect_leaks=0 make defconfig make install [3.] Reproduction export ASAN_OPTIONS="abort_on_error=1 symbolize=0" ./busybox_unstripped awk -f $poc ./awk_t1_input [ASAN report]: ==14637==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000238d0 at pc 0x0000004486a7 bp 0x7ffe741090c0 sp 0x7ffe74108870 READ of size 2 at 0x6020000238d0 thread T0 #0 0x4486a6 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4486a6) #1 0x493375 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x493375) #2 0x51ad9e (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51ad9e) #3 0xe52f5f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe52f5f) #4 0xe4886f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f) #5 0xe54597 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597) #6 0xe409ce (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe409ce) #7 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) #8 0x50dbaf (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf) #9 0x51036d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d) #10 0x50db58 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58) #11 0x50c3fd (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd) #12 0x7f2f3c665c86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #13 0x41e459 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459) 0x6020000238d0 is located 0 bytes inside of 5-byte region [0x6020000238d0,0x6020000238d5) freed by thread T0 here: #0 0x4dc500 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc500) #1 0xe5b37f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe5b37f) #2 0xe83b9d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe83b9d) #3 0xe522b1 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe522b1) #4 0xe48b79 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe48b79) #5 0xe4886f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f) #6 0xe54597 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597) #7 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) previously allocated by thread T0 here: #0 0x4dc6d0 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc6d0) #1 0x7f2f3c6cc5bf (/lib/x86_64-linux-gnu/libc.so.6+0x885bf) SUMMARY: AddressSanitizer: heap-use-after-free (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4486a6) [line number]: addr2line -e ./busybox_unstripped 0x51ad9e .../busybox-1_36_1/libbb/xfuncs_printf.c:344 Best wishes, Zclin
Created attachment 9667 [details] awk_t1_input file
The relevant part of input that triggers the problem seems to be lines 17 and 18.
So, the bug is triggered by lines 17 and 18 in the input, b/c the END rule is mangled by the fuzzer to have weird code where collected languages are processed. Line 128 of the mangled awk program is: macros[i] = "CL_" langs[i], gsub( "[^A-Za-z0-9_]", "X", macros[i] ) and all awks reject that use of comma as a syntax error, but busybox awk accepts it. As far as I can tell, this bug can be reproduced with something like: $ awk 'BEGIN { v = "abc", gsub("b", "X", v); print v }' aXc (use asan/valgrind to taste).