7856 – ash: null pointer dereference

Bug 7856 - ash: null pointer dereference

Summary: ash: null pointer dereference

Status:	RESOLVED TEST-REQUEST

Alias:	None

Product:	Busybox
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	1.24.x
Hardware:	PC Linux

Importance:	P5 critical
Target Milestone:	---
Assignee:	unassigned

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-02-02 23:56 UTC by Brian 'geeknik' Carpenter
Modified:	2016-02-13 03:36 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:

Attachments
Testcase that crashes busybox ash (79 bytes, application/x-gzip) 2015-02-02 23:56 UTC, Brian 'geeknik' Carpenter	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brian 'geeknik' Carpenter 2015-02-02 23:56:32 UTC

Created attachment 5840 [details]
Testcase that crashes busybox ash

I'm fuzzing busybox with american fuzzy lop (http://lcamtuf.coredump.cx/afl) and I found a test case which causes ash to segfault, most likely because of a null ptr deref.

Compilation steps on Debian 7 x64:
1) edited the Makefile to point to afl-gcc and afl-gxx instead of the system defaults for binary instrumention.
2) make menuconfig (defaults only, nothing extra selected or toggled)
3) make

BusyBox v1.24.0.git (2015-02-02 16:46:08 CST)

GDB output:
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 49119]
id:000000,sig:11,src:000258,op:havoc,rep:16: line 1: ++: not found
[----------------------------------registers-----------------------------------]
RAX: 0x1
RBX: 0xb17310 --> 0xb17340 --> 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x7fffffffd7f0 --> 0x0
RDI: 0xd ('\r')
RBP: 0x0
RSP: 0x7fffffffd9f0 --> 0x0
RIP: 0x51c424 (mov    rsi,QWORD PTR [rcx+0x18])
R8 : 0x7fffffffd8a0 --> 0x1
R9 : 0xbd87
R10: 0x8
R11: 0x202
R12: 0xb17550 --> 0x100000000
R13: 0xb17010 --> 0x10000bd87
R14: 0x0
R15: 0x8
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x51c414:    mov    r15d,DWORD PTR [rsp+0x24]
   0x51c419:    mov    rbx,QWORD PTR [rip+0x5fa6e8]        # 0xb16b08
   0x51c420:    mov    DWORD PTR [rbx+0x28],r15d
=> 0x51c424:    mov    rsi,QWORD PTR [rcx+0x18]
   0x51c428:    mov    rdi,QWORD PTR [rcx+0x10]
   0x51c42c:    call   0x7c2448
   0x51c431:    mov    rsi,QWORD PTR [rbx+0x10]
   0x51c435:    mov    rdx,QWORD PTR [rip+0x5f4284]        # 0xb106c0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd9f0 --> 0x0
0008| 0x7fffffffd9f8 --> 0x7b4755 (add    rsp,0x8)
0016| 0x7fffffffda00 --> 0xffffffff007b3422
0024| 0x7fffffffda08 --> 0x300000000
0032| 0x7fffffffda10 --> 0x800000007
0040| 0x7fffffffda18 --> 0xb17400 --> 0x2b2b ('++')
0048| 0x7fffffffda20 --> 0x4f9bb2 (mov    rdx,QWORD PTR [rsp])
0056| 0x7fffffffda28 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000051c424 in ?? ()
gdb-peda$ bt
#0  0x000000000051c424 in ?? ()
#1  0x0000000000000000 in ?? ()

Valgrind output:
==5301== Invalid read of size 8
==5301==    at 0x51C424: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0x543D3B7: ???
==5301==    by 0x7B4754: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0xFFFFFFFF007B3421: ???
==5301==    by 0x2FFFFFFFF: ???
==5301==    by 0x400000002: ???
==5301==    by 0x543D46F: ???
==5301==    by 0x4F9BB1: ??? (in /home/geeknik/busybox/busybox)
==5301==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==5301== 
==5301== 
==5301== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==5301==  Access not within mapped region at address 0x18
==5301==    at 0x51C424: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0x543D3B7: ???
==5301==    by 0x7B4754: ??? (in /home/geeknik/busybox/busybox)
==5301==    by 0xFFFFFFFF007B3421: ???
==5301==    by 0x2FFFFFFFF: ???
==5301==    by 0x400000002: ???
==5301==    by 0x543D46F: ???
==5301==    by 0x4F9BB1: ??? (in /home/geeknik/busybox/busybox)
==5301==  If you believe this happened as a result of a stack
==5301==  overflow in your program's main thread (unlikely but
==5301==  possible), you can try to increase the size of the
==5301==  main thread stack using the --main-stacksize= flag.
==5301==  The main thread stack size used in this run was 8388608.
id:000000,sig:11,src:000258,op:havoc,rep:16: line 1: ++: not found
==2822== Invalid read of size 1
==2822==    at 0x7C3503: ??? (in /home/geeknik/busybox/busybox)
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2822== 
==2822== 
==2822== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==2822==  Access not within mapped region at address 0x0
==2822==    at 0x7C3503: ??? (in /home/geeknik/busybox/busybox)
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==    by 0x543D447: ???
==2822==  If you believe this happened as a result of a stack
==2822==  overflow in your program's main thread (unlikely but
==2822==  possible), you can try to increase the size of the
==2822==  main thread stack using the --main-stacksize= flag.
==2822==  The main thread stack size used in this run was 8388608.
Segmentation fault

The testcase is only 15 bytes and the command line used was "./busybox ash test" and here we are.

Hexdump of testcase: 
0000000 2b2b 3c3c 0061 293b 1c28 3e20 2f24 0061
000000f

I believe the same crash happens with busybox sh as well. Wasn't sure if I needed to open a 2nd bug for that

Comment 1 Mike Frysinger 2016-02-13 03:35:59 UTC

this doesn't crash for me using current git (43e56639c6739953d5a6686823bcd0d25).  please sync up, enable CONFIG_DEBUG_SANITIZE=y, and then attach the .config file that you're testing with.