Created attachment 9679 [details] POC file Hi, busybox developers, We found a heap-buffer-overflow vulnerability in awk applet of busybox v1.36.1. The affected component is awk.c:1159 in next_token function . Following is the reproduction process, and we put the poc file in the attachment. [1.] Environment Ubuntu 18.04, 64 bit BusyBox 1.36.1 Clang 6.0.0 [2.] Compilation 2.1 Modify the Makefile: HOSTCC=clang -fsanitize=address HOSTCXX=clang++ -fsanitize=address CC=clang CFLAGS=-fsanitize=address CPPFLAGS=-fsanitize=address LDFLAGS="-Wl,--allow-multiple-definition" 2.2 Modify the Config.in file, switch the following configs to y: DEBUG: y DEBUG_PESSIMIZE: y FEATURE_CLEAN_UP: y DEBUG_SANITIZE: y 2.3 Commands for compilation: export ASAN_OPTIONS=detect_leaks=0 make defconfig make install [3.] Reproduction export ASAN_OPTIONS="abort_on_error=1 symbolize=0" ./busybox_unstripped awk -f $poc ./awk_t1_input [ASAN report]: ==10929==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000ba5 at pc 0x000000e6691b bp 0x7fff4af4e230 sp 0x7fff4af4e228 READ of size 1 at 0x61a000000ba5 thread T0 #0 0xe6691a (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6691a) #1 0xe6d817 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6d817) #2 0xe7986d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe7986d) #3 0xe75823 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe75823) #4 0xe6b167 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6b167) #5 0xe46ab3 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe46ab3) #6 0xe3d914 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe3d914) #7 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) #8 0x50dbaf (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf) #9 0x51036d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d) #10 0x50db58 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58) #11 0x50c3fd (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd) #12 0x7f1318f69c86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #13 0x41e459 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459) 0x61a000000ba5 is located 0 bytes to the right of 1317-byte region [0x61a000000680,0x61a000000ba5) allocated by thread T0 here: #0 0x4dcb50 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dcb50) #1 0x519e6c (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x519e6c) #2 0x1015741 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x1015741) #3 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe6691a) [line number]: addr2line -e ./busybox_unstripped 0xe6691a .../busybox-1_36_1/editors/awk.c:1159 Best wishes, Zclin
Created attachment 9682 [details] awk_t1_input file
Created attachment 9697 [details] [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)