Bug 8661 - ash: segmentation fault in trapcmd: `trap '' 255`
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.24.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Duplicates: 8666 8671
 
Reported: 2016-02-09 16:01 UTC by Fernando Muñoz
Modified: 2018-08-06 11:44 UTC



Attachments
crashing test (164 bytes, application/x-shellscript) - 2016-02-09 16:01 UTC, Fernando Muñoz
config (25.19 KB, text/plain) - 2016-02-11 21:46 UTC, Fernando Muñoz
minimized test case (164 bytes, application/x-shellscript) - 2016-02-11 21:49 UTC, Fernando Muñoz
config (32.33 KB, text/plain) - 2016-02-13 03:29 UTC, Mike Frysinger

Description Fernando Muñoz 2016-02-09 16:01:57 UTC
Created attachment 6301 [details]
crashing test

Current config: https://paste.kde.org/pbsgwk4ob

(gdb) run sh fuzzed.sh 
Starting program: /root/fuzzshell/busybox_unstripped sh fuzzed.sh
fuzzed.sh: trap: line 1: -1: invalid signal specification
fuzzed.sh: set: line 5: illegal option -o history
Segmentation fault
[Inferior 1 (process 14135) exited with code 0213]
(gdb) set follow-fork-mode 
child   parent  
(gdb) set follow-fork-mode child
(gdb) run sh fuzzed.sh 
Starting program: /root/fuzzshell/busybox_unstripped sh fuzzed.sh
fuzzed.sh: trap: line 1: -1: invalid signal specification
fuzzed.sh: set: line 5: illegal option -o history
[New process 14155]
Segmentation fault

Program received signal SIGPIPE, Broken pipe.
[Switching to process 14155]
0xb7fdcc38 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdcc38 in __kernel_vsyscall ()
#1  0xb7e9ceb3 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:81
#2  0x0804f2dc in safe_write ()
#3  0x00000000 in ?? ()

Valgrind:
==14419== Invalid read of size 4
==14419==    at 0x808B556: listvars (in /root/fuzzshell/busybox_unstripped)
==14419==  Address 0x2d206d76 is not stack'd, malloc'd or (recently) free'd
Comment 1 Mike Frysinger 2016-02-11 16:08:20 UTC
please attach the config file you used to all of your bug reports
Comment 2 Fernando Muñoz 2016-02-11 21:46:59 UTC
Created attachment 6316 [details]
config

Config file
Comment 3 Fernando Muñoz 2016-02-11 21:49:47 UTC
Created attachment 6321 [details]
minimized test case

Added minimized test case and debugging stacktrace:

(gdb) set follow-fork-mode child
(gdb) run sh bb1.sh 
Starting program: /root/bash/busybox-1.24.1/busybox_unstripped sh bb1.sh
bb1.sh: trap: line 1: -0: invalid signal specification
bb1.sh: set: line 5: illegal option -o 0000000
[New process 10688]
Segmentation fault

Program received signal SIGPIPE, Broken pipe.
[Switching to process 10688]
0xb7fdcc38 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdcc38 in __kernel_vsyscall ()
#1  0xb7e9b183 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:81
#2  0x08084544 in safe_write (fd=fd@entry=4, buf=buf@entry=0x84a72bc, count=count@entry=35) at libbb/safe_write.c:17
#3  0x08083e8f in full_write (fd=fd@entry=4, buf=0x84a72bc, len=35) at libbb/full_write.c:25
#4  0x0822e119 in expandhere (fd=4, arg=0x84a7294) at shell/ash.c:7267
#5  openhere (redir=<optimized out>, redir=<optimized out>) at shell/ash.c:5091
#6  openredirect (redir=<optimized out>) at shell/ash.c:5151
#7  redirect (redir=<optimized out>, redir@entry=0x84a7234, flags=flags@entry=3) at shell/ash.c:5323
#8  0x0822f95d in redirectsafe (redir=0x84a7234, flags=flags@entry=3) at shell/ash.c:5470
#9  0x08236afa in evalcommand (cmd=0x84a725c, flags=0) at shell/ash.c:9278
#10 0x08216838 in evaltree (n=0x84a725c, flags=0) at shell/ash.c:8428
#11 0x0823c9f2 in cmdloop (top=<optimized out>) at shell/ash.c:12143
#12 ash_main (argc=2, argv=0xbffff448) at shell/ash.c:13219
#13 0x0807641b in run_applet_no_and_exit (applet_no=269, argv=argv@entry=0xbffff448) at libbb/appletlib.c:774
#14 0x08076cef in run_applet_and_exit (name=0xbffff5f1 "sh", argv=argv@entry=0xbffff448) at libbb/appletlib.c:781
#15 0x080773f5 in busybox_main (argv=0xbffff448) at libbb/appletlib.c:730
#16 run_applet_and_exit (name=<optimized out>, argv=argv@entry=0xbffff444) at libbb/appletlib.c:783
#17 0x08078177 in main (argc=3, argv=0xbffff444) at libbb/appletlib.c:838
Comment 4 Mike Frysinger 2016-02-13 03:28:25 UTC
Comment on attachment 6321 [details]
minimized test case

simple test case is to just pass a really large signal # to trap:
$ ./busybox_unstripped sh -c 'trap '' 255'
shell/ash.c:12555:42: runtime error: index 255 out of bounds for type 'char *[65]'
=================================================================
==2199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000010548 at pc 0x000000412581 bp 0x7fffb7868350 sp 0x7fffb7868340
READ of size 8 at 0x617000010548 thread T0
    #0 0x412580 in trapcmd shell/ash.c:12555
Comment 5 Mike Frysinger 2016-02-13 03:29:17 UTC
Created attachment 6326 [details]
config

minimized config to reproduce (really just enable ash)
Comment 6 Mike Frysinger 2016-02-13 03:31:21 UTC
*** Bug 8666 has been marked as a duplicate of this bug. ***
Comment 7 Mike Frysinger 2016-02-13 03:31:51 UTC
*** Bug 8671 has been marked as a duplicate of this bug. ***
Comment 8 Denys Vlasenko 2018-08-06 11:44:19 UTC
The place where it happens:
        char *trap[NSIG];
...
                signo = get_signum(*ap);
...
                free(trap[signo]);

This was fixed by not allowing get_signum() to return >= NSIG:

int FAST_FUNC get_signum(const char *name)
{
        unsigned i;

        i = bb_strtou(name, NULL, 10);
        if (!errno && i < NSIG) /* for shells, we allow 0 too */
                      ^^^^^^^^
                return i;