16108 – Use after free at setvareq function, ash.c file

Bug 16108 - Use after free at setvareq function, ash.c file

Summary: Use after free at setvareq function, ash.c file

Status:	NEW

Alias:	None

Product:	Busybox
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	1.37.x
Hardware:	All Linux

Importance:	P5 normal
Target Milestone:	---
Assignee:	unassigned

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-06-14 10:00 UTC by Marcin
Modified:	2024-06-14 10:00 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcin 2024-06-14 10:00:47 UTC

Static analyses tool shows an issue in ash.c file, rmaliases function.
The issue is Use after free (USE_AFTER_FREE).
The detailed information is provided below.

2412static struct var *
2413setvareq(char *s, int flags)
2414{
2415        struct var *vp, **vpp;
2416
2417        vpp = hashvar(s);
2418        flags |= (VEXPORT & (((unsigned) (1 - aflag)) - 1));
2419        vpp = findvar(vpp, s);
1. alias: Assigning: vp = *vpp. Now both point to the same storage.
2420        vp = *vpp;
2. Condition vp, taking true branch.
2421        if (vp) {
3. Condition (vp->flags & (2 /* 2 | 0 */)) == 2, taking false branch.
2422                if ((vp->flags & (VREADONLY|VDYNAMIC)) == VREADONLY) {
2423                        const char *n;
2424
2425                        if (flags & VNOSAVE)
2426                                free(s);
2427                        n = vp->var_text;
2428                        exitstatus = 1;
2429                        ash_msg_and_raise_error("%.*s: is read only", strchrnul(n, '=') - n, n);
2430                }
2431
4. Condition flags & 0x80, taking false branch.
2432                if (flags & VNOSET)
2433                        goto out;
2434
5. Condition vp->var_func, taking true branch.
6. Condition !(flags & 0x40), taking true branch.
2435                if (vp->var_func && !(flags & VNOFUNC))
2436                        vp->var_func(var_end(s));
2437
7. Condition !(vp->flags & (24 /* 8 | 0x10 */)), taking true branch.
2438                if (!(vp->flags & (VTEXTFIXED|VSTACK)))
2439                        free((char*)vp->var_text);
2440
8. Condition ((flags & (39 /* ((1 | 2) | 4) | 0x20 */)) | (vp->flags & 4)) == 0x20, taking true branch.
2441                if (((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) | (vp->flags & VSTRFIXED)) == VUNSET) {
2442                        *vpp = vp->next;
9. freed_arg: free frees vp.
2443                        free(vp);
2444 out_free:
10. Condition (flags & (280 /* (8 | 0x10) | 0x100 */)) == 0x100, taking true branch.
2445                        if ((flags & (VTEXTFIXED|VSTACK|VNOSAVE)) == VNOSAVE)
2446                                free(s);
11. Jumping to label out.
2447                        goto out;
2448                }
2449
2450                flags |= vp->flags & ~(VTEXTFIXED|VSTACK|VNOSAVE|VUNSET);
2451#if ENABLE_ASH_RANDOM_SUPPORT || BASH_EPOCH_VARS
2452                if (flags & VUNSET)
2453                        flags &= ~VDYNAMIC;
2454#endif
2455        } else {
2456                /* variable s is not found */
2457                if (flags & VNOSET)
2458                        goto out;
2459                if ((flags & (VEXPORT|VREADONLY|VSTRFIXED|VUNSET)) == VUNSET)
2460                        goto out_free;
2461                vp = ckzalloc(sizeof(*vp));
2462                vp->next = *vpp;
2463                /*vp->func = NULL; - ckzalloc did it */
2464                *vpp = vp;
2465        }
2466        if (!(flags & (VTEXTFIXED|VSTACK|VNOSAVE)))
2467                s = ckstrdup(s);
2468        vp->var_text = s;
2469        vp->flags = flags;
2470
2471 out:
CID 5896517: (#1 of 1): Use after free (USE_AFTER_FREE)
12. use_after_free: Using freed pointer vp.
2472        return vp;
2473}