I'm trying to compile busybox with AddressSanitizer enabled in order to fuzz it, however after compiling it can't start and it complains about a possible stack buffer overflow. I'm using Kali Linux and got the source from apt-get source.

root@kali:~/busybox-1.22.0# ./busybox_unstripped
=================================================================
==20849==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbffff374 at pc 0x0807cdd9 bp 0xbffff2bc sp 0xbffff2b0
WRITE of size 4 at 0xbffff374 thread T0
    #0 0x807cdd8 in get_terminal_width_height libbb/xfuncs.c:269

Address 0xbffff374 is located in stack of thread T0
==20849==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_thread.cc:231 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
    #0 0xb7b064ec (/usr/lib/i386-linux-gnu/libasan.so.2+0x9a4ec)
    #1 0xb7b0b3b9 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/i386-linux-gnu/libasan.so.2+0x9f3b9)
    #2 0xb7b09195 (/usr/lib/i386-linux-gnu/libasan.so.2+0x9d195)
    #3 0xb7b034a6 (/usr/lib/i386-linux-gnu/libasan.so.2+0x974a6)
    #4 0xb7b03a89 (/usr/lib/i386-linux-gnu/libasan.so.2+0x97a89)
    #5 0xb7b053c7 in __asan_report_error (/usr/lib/i386-linux-gnu/libasan.so.2+0x993c7)
    #6 0xb7b06b95 in __asan_report_store4 (/usr/lib/i386-linux-gnu/libasan.so.2+0x9ab95)
    #7 0x807cdd8 in get_terminal_width_height libbb/xfuncs.c:269
please attach your full .config file and describe exactly how you're building busybox. i did a minconfig w/gcc-5.3.0 and -fsanitize=address and it's running fine for me.
My .config file: https://paste.kde.org/pq4lr6xax

Steps:
  apt-get build-dep busybox
  apt-get source busybox
  cd busybox-1.22.0
  Replaced hardcoded "gcc" and "g++" values in Makefile (HOSTCC, HOSTCXX, CC) with afl-gcc and afl-g++ (gcc/g++ wrapper included in the fuzzer) [1]
  make defconfig
  AFL_USE_ASAN=1 make

The AFL_USE_ASAN environment variable tells afl-gcc to enable AddressSanitizer. After that I just run the busybox_unstripped binary.

I just tried it on a 1.24.1 tarball and got the same error:

root@kali:~/bash/busybox-1.24.1# ./busybox_unstripped
=================================================================
==18714==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbffff384 at pc 0x0807de43 bp 0xbffff2cc sp 0xbffff2c0
WRITE of size 4 at 0xbffff384 thread T0
    #0 0x807de42 in get_terminal_width_height libbb/xfuncs.c:270

Address 0xbffff384 is located in stack of thread T0
==18714==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_thread.cc:231 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
    #0 0xb7b064ec (/usr/lib/i386-linux-gnu/libasan.so.2+0x9a4ec)
    #1 0xb7b0b3b9 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/i386-linux-gnu/libasan.so.2+0x9f3b9)
    #2 0xb7b09195 (/usr/lib/i386-linux-gnu/libasan.so.2+0x9d195)
    #3 0xb7b034a6 (/usr/lib/i386-linux-gnu/libasan.so.2+0x974a6)
    #4 0xb7b03a89 (/usr/lib/i386-linux-gnu/libasan.so.2+0x97a89)
    #5 0xb7b053c7 in __asan_report_error (/usr/lib/i386-linux-gnu/libasan.so.2+0x993c7)
    #6 0xb7b06b95 in __asan_report_store4 (/usr/lib/i386-linux-gnu/libasan.so.2+0x9ab95)
    #7 0x807de42 in get_terminal_width_height libbb/xfuncs.c:270

Could it be something about my terminal environment? I tried it on xterm and the XFCE default terminal.

Line 270 says:
  *width = wh_helper(win.ws_col, 80, "COLUMNS", &err);

[1] http://lcamtuf.coredump.cx/afl/
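Parsing reports like the two above is the first step of crash triage once fuzzing starts producing them in volume. The following Python script is an added example written for this thread, not code from busybox, AFL or the sanitizer runtime. It parses the two reports quoted above (embedded as constructed sample strings), extracts the error kind, access op and size, faulting address and top symbolized frame, records the runtime's own CHECK failure separately, and buckets reports by crash site, optionally ignoring the line number so that the 1.22.0 and 1.24.1 reports land in one bucket.

```python
"""Parse AddressSanitizer (ASan) text reports and bucket them by crash site.
Added example for fuzzing crash triage; not taken from busybox, AFL or libasan."""
import re
from collections import defaultdict

# Constructed samples: the two reports from this thread, condensed to the relevant lines.
REPORT_1_22 = """\
==20849==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbffff374 at pc 0x0807cdd9 bp 0xbffff2bc sp 0xbffff2b0
WRITE of size 4 at 0xbffff374 thread T0
    #0 0x807cdd8 in get_terminal_width_height libbb/xfuncs.c:269

Address 0xbffff374 is located in stack of thread T0
==20849==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_thread.cc:231 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
    #0 0xb7b064ec (/usr/lib/i386-linux-gnu/libasan.so.2+0x9a4ec)
    #7 0x807cdd8 in get_terminal_width_height libbb/xfuncs.c:269
"""
REPORT_1_24 = """\
==18714==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbffff384 at pc 0x0807de43 bp 0xbffff2cc sp 0xbffff2c0
WRITE of size 4 at 0xbffff384 thread T0
    #0 0x807de42 in get_terminal_width_height libbb/xfuncs.c:270

Address 0xbffff384 is located in stack of thread T0
==18714==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_thread.cc:231 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
    #7 0x807de42 in get_terminal_width_height libbb/xfuncs.c:270
"""

# Line shapes used by the ASan text format as it appears in this thread.
HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address "
                       r"(?P<addr>0x[0-9a-f]+) at pc (?P<pc>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) "
                       r"thread (?P<thread>T\d+)")
# Only symbolized frames "#N 0x... in func file:line" carry a source location.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+):(?P<line>\d+)$")
CHECK_RE = re.compile(r'AddressSanitizer CHECK failed: (?P<file>\S+):(?P<line>\d+) "(?P<cond>[^"]*)"')


def parse_asan_report(text):
    """Return error kind, access op/size/address, source frames and any internal CHECK failure.
    Frames after a CHECK failure belong to the runtime's own backtrace, so they are skipped."""
    report = {"pid": None, "kind": None, "pc": None, "op": None, "size": None,
              "addr": None, "thread": None, "frames": [], "check_failed": None}
    in_primary_trace = True
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report["pid"], report["kind"] = int(m.group("pid")), m.group("kind")
            report["pc"] = int(m.group("pc"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["op"], report["size"] = m.group("op"), int(m.group("size"))
            report["addr"], report["thread"] = int(m.group("addr"), 16), m.group("thread")
            continue
        m = CHECK_RE.search(line)  # search: extraction sometimes fuses this onto the previous line
        if m:
            report["check_failed"] = (m.group("file"), int(m.group("line")), m.group("cond"))
            in_primary_trace = False
            continue
        m = FRAME_RE.match(line)
        if m and in_primary_trace:
            report["frames"].append((m.group("func"), m.group("file"), int(m.group("line"))))
    if report["kind"] is None:
        raise ValueError("not an AddressSanitizer error report")
    return report


def crash_key(report, ignore_line=False):
    """Deduplication signature: error kind, access op and size, plus the top source frame.
    ignore_line=True drops the line number so one site matches across source versions."""
    if report["frames"]:
        func, path, line = report["frames"][0]
        top = (func, path) if ignore_line else (func, path, line)
    else:
        top = ("<unsymbolized>",)
    return (report["kind"], report["op"], report["size"]) + top


def bucket_reports(texts, ignore_line=False):
    """Group raw report texts by crash_key; returns {key: [pid, ...]}."""
    buckets = defaultdict(list)
    for text in texts:
        r = parse_asan_report(text)
        buckets[crash_key(r, ignore_line)].append(r["pid"])
    return dict(buckets)


if __name__ == "__main__":
    for key, pids in bucket_reports([REPORT_1_22, REPORT_1_24], ignore_line=True).items():
        print(key, "->", pids)
```

The CHECK-failed line is kept apart from the program's own frames because the backtrace after it belongs to libasan rather than to busybox; a report carrying such an internal assertion is worth flagging during triage, since the runtime's own consistency check on the stack frame description failed and the preceding error report should be read with that in mind.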
you're using an old release and generally we do not care about old versions. please grab the latest one from our website and build that instead. if you still run into problems, show the steps there.
Mike, as I said earlier I tried with the last release and got the same issue, please check my last message:

root@kali:~/bash/busybox-1.24.1# ./busybox_unstripped

Maybe I'm doing something wrong, or the optimization and instrumentation added by afl-gcc breaks something?
sorry, i missed that. please attach your config file here.
This is my current .config: https://paste.kde.org/pbsgwk4ob
again, please *attach* the file to the bug report. external sites often die or expire making these reports much less useful.
i can't reproduce this:
- use current git (43e56639c6739953d5a6686823bcd0d256512ea5)
- enable the new DEBUG_SANITIZE option
- run `AFL_USE_ASAN=1 make CC=afl-gcc`
- `./busybox_unstripped` works as expected

i'm using gcc-5.3.0, glibc-2.22, and afl-1.80b