Created attachment 9685 [details]
POC file

Hi, busybox developers,

We found a use-after-free vulnerability in the awk applet of busybox v1.36.1. The affected component is awk.c:1023 in the getvar_i function. The reproduction process follows, and we put the poc file in the attachment.

[1.] Environment
Ubuntu 18.04, 64 bit
BusyBox 1.36.1
Clang 6.0.0

[2.] Compilation

2.1 Modify the Makefile:
HOSTCC=clang -fsanitize=address
HOSTCXX=clang++ -fsanitize=address
CC=clang
CFLAGS=-fsanitize=address
CPPFLAGS=-fsanitize=address
LDFLAGS="-Wl,--allow-multiple-definition"

2.2 Modify the Config.in file, switch the following configs to y:
DEBUG: y
DEBUG_PESSIMIZE: y
FEATURE_CLEAN_UP: y
DEBUG_SANITIZE: y

2.3 Commands for compilation:
export ASAN_OPTIONS=detect_leaks=0
make defconfig
make install

[3.] Reproduction
export ASAN_OPTIONS="abort_on_error=1 symbolize=0"
./busybox_unstripped awk -f $poc ./awk_t1_input

[ASAN report]:
==13107==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003260 at pc 0x000000e5b7b4 bp 0x7ffc4399b170 sp 0x7ffc4399b168
READ of size 4 at 0x606000003260 thread T0
    #0 0xe5b7b3 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe5b7b3)
    #1 0xe641e2 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe641e2)
    #2 0xe5fcf2 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe5fcf2)
    #3 0xe497e3 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe497e3)
    #4 0xe4062d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4062d)
    #5 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)
    #6 0x50dbaf (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf)
    #7 0x51036d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d)
    #8 0x50db58 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58)
    #9 0x50c3fd (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd)
    #10 0x7f9c0a88bc86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #11 0x41e459 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459)

0x606000003260 is located 0 bytes inside of 64-byte region [0x606000003260,0x6060000032a0)
freed by thread T0 here:
    #0 0x4dc500 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc500)
    #1 0xe7f4ca (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe7f4ca)
    #2 0xe4886f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f)
    #3 0xe4062d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4062d)
    #4 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)

previously allocated by thread T0 here:
    #0 0x4dc6d0 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc6d0)
    #1 0x519df2 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x519df2)
    #2 0xe4886f (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4886f)
    #3 0xe4062d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4062d)
    #4 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe5b7b3)

[line number]:
addr2line -e ./busybox_unstripped 0xe5b7b3
.../busybox-1_36_1/editors/awk.c:1023

Best wishes,
Zclin
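The report above was produced with symbolize=0, so every frame is a raw "module+offset" pair and the line number had to be recovered by hand with addr2line. The helper below does that bookkeeping for a whole report: it pulls the faulting pc from the ERROR line, tags each frame with the stack it belongs to (access, freed, allocated), and prints the addr2line command for it. This is an added example, not part of the bug report or of BusyBox; the report it parses is a constructed excerpt that reuses the offsets shown above with a placeholder binary path (/path/to/busybox_unstripped).

```shell
#!/bin/sh
# Constructed excerpt of a symbolize=0 ASan report. Offsets are the ones from the
# report above; the binary path is a placeholder, not the reporter's real path.
ASAN_REPORT='==13107==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003260 at pc 0x000000e5b7b4 bp 0x7ffc4399b170 sp 0x7ffc4399b168
READ of size 4 at 0x606000003260 thread T0
    #0 0xe5b7b3 (/path/to/busybox_unstripped+0xe5b7b3)
    #1 0xe641e2 (/path/to/busybox_unstripped+0xe641e2)
    #10 0x7f9c0a88bc86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
0x606000003260 is located 0 bytes inside of 64-byte region [0x606000003260,0x6060000032a0)
freed by thread T0 here:
    #0 0x4dc500 (/path/to/busybox_unstripped+0x4dc500)
    #1 0xe7f4ca (/path/to/busybox_unstripped+0xe7f4ca)
previously allocated by thread T0 here:
    #0 0x4dc6d0 (/path/to/busybox_unstripped+0x4dc6d0)
    #1 0x519df2 (/path/to/busybox_unstripped+0x519df2)
SUMMARY: AddressSanitizer: heap-use-after-free (/path/to/busybox_unstripped+0xe5b7b3)'

# Print the faulting pc from the "==PID==ERROR:" line of a report read on stdin.
asan_fault_pc() {
    sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: .* at pc \(0x[0-9a-f]*\) .*/\1/p'
}

# Print one line per stack frame: "<label> <frame#> <module> <offset>", where
# label is "access" for the faulting access stack, "freed" for the free site,
# "allocated" for the allocation site. Frames look like:
#     #0 0x4dc500 (/path/to/module+0x4dc500)
asan_labeled_frames() {
    awk '
        /^(READ|WRITE) of size/          { label = "access" }
        /freed by thread/                { label = "freed" }
        /previously allocated by thread/ { label = "allocated" }
        label != "" && $1 ~ /^#[0-9]+$/ {
            loc = $3
            sub(/^\(/, "", loc); sub(/\)$/, "", loc)
            # split on the last "+0x..." so a "+" inside the module path is harmless
            if (match(loc, /\+0x[0-9a-fA-F]+$/))
                print label, $1, substr(loc, 1, RSTART - 1), substr(loc, RSTART + 1)
        }'
}

# Emit the addr2line invocation for every frame; run the output where the
# unstripped binary lives. -f adds the function name, -i expands inlined frames.
asan_addr2line_cmds() {
    asan_labeled_frames | while read -r label frame module offset; do
        printf '%s %s addr2line -f -i -e %s %s\n' "$label" "$frame" "$module" "$offset"
    done
}

# Demo on the constructed report.
printf 'fault pc: %s\n' "$(printf '%s\n' "$ASAN_REPORT" | asan_fault_pc)"
printf '%s\n' "$ASAN_REPORT" | asan_addr2line_cmds
```

Two things the output makes visible: the frame #0 offset (0xe5b7b3) is one below the pc in the ERROR line (0xe5b7b4) because ASan prints frames as previous-instruction addresses, and the report above correctly fed the frame offset to addr2line; and in the freed and allocated stacks frame #0 is the sanitizer's free/malloc interceptor, so the caller in frame #1 (0xe7f4ca, 0x519df2) is the one worth resolving. The value passed to addr2line must be the module offset in parentheses, not the absolute address; the two coincide here only because the binary is not position independent.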
Created attachment 9688 [details]
awk_t1_input file
Seems to be a duplicate of bug #15871, just the "use" part happens in a different place. The result of OC_REPLACE may be a TEMPVAR0 via L.v:

res = setvar_i(((opinfo & OPCLSMASK) == OC_BINARY) ? res : L.v, ...);