Bug 8721 - AddressSanitizer: READ of size 1 in path_advance shell/ash.c:2391
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.24.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
 
Reported: 2016-02-25 20:57 UTC by Fernando Muñoz
Modified: 2018-11-17 15:39 UTC


Attachments
minimized test case (13 bytes, application/x-shellscript)
2016-02-25 20:57 UTC, Fernando Muñoz
config used (32.33 KB, text/plain)
2016-02-25 20:57 UTC, Fernando Muñoz

Description Fernando Muñoz 2016-02-25 20:57:09 UTC
Created attachment 6356
minimized test case

test@kali:/root/fuzzshell$ ./busybox_unstripped sh min2.sh
=================================================================
==14108==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f00256 at pc 0x08078d6a bp 0xbfffe8d8 sp 0xbfffe8cc
READ of size 1 at 0xb4f00256 thread T0
    #0 0x8078d69 in path_advance shell/ash.c:2391

0xb4f00256 is located 0 bytes to the right of 6-byte region [0xb4f00250,0xb4f00256)
allocated by thread T0 here:
    #0 0xb7afa25e in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x9225e)
    #1 0x811d83f in xmalloc libbb/xfuncs_printf.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow shell/ash.c:2391 path_advance
Shadow bytes around the buggy address:
Comment 1 Fernando Muñoz 2016-02-25 20:57:41 UTC
Created attachment 6361
config used
Comment 2 Denys Vlasenko 2018-11-17 15:39:20 UTC
Fixed in git:

commit e6a63bf683f47027d36dc21b62b2f5cc3eb30a30
Author: Ron Yorston <rmy@pobox.com>
Date:   Mon Nov 12 21:10:54 2018 +0000

    ash: ensure variables are fully initialised when unset