Hello, we recently found a stack exhaustion parsing and executing fuzzed bash code in Busybox 1.25.0. We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file. gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c48fc in evaltree (n=0x603400615988, flags=0) at shell/ash.c:8341
8341 {
#0  0x00000000004c48fc in evaltree (n=0x603400615988, flags=0) at shell/ash.c:8341
#1  0x00000000004c4c52 in evaltree (n=0x603400615a10, flags=0) at shell/ash.c:8429
#2  0x00000000004c4c52 in evaltree (n=0x603400615628, flags=0) at shell/ash.c:8429
#3  0x00000000004c4c52 in evaltree (n=0x6034006156b0, flags=0) at shell/ash.c:8429
#4  0x00000000004c4c52 in evaltree (n=0x603400615738, flags=0) at shell/ash.c:8429
#5  0x00000000004c4c52 in evaltree (n=0x6034006157c0, flags=0) at shell/ash.c:8429
#6  0x00000000004c4c52 in evaltree (n=0x6034006153d0, flags=0) at shell/ash.c:8429
#7  0x00000000004c4c52 in evaltree (n=0x603400615458, flags=0) at shell/ash.c:8429
#8  0x00000000004c4c52 in evaltree (n=0x6034006154e0, flags=0) at shell/ash.c:8429
#9  0x00000000004c4c52 in evaltree (n=0x603400615568, flags=0) at shell/ash.c:8429
#10 0x00000000004c4c52 in evaltree (n=0x603400615178, flags=0) at shell/ash.c:8429
#11 0x00000000004c4c52 in evaltree (n=0x603400615200, flags=0) at shell/ash.c:8429
#12 0x00000000004c4c52 in evaltree (n=0x603400615288, flags=0) at shell/ash.c:8429
#13 0x00000000004c4c52 in evaltree (n=0x603400614ea8, flags=0) at shell/ash.c:8429
#14 0x00000000004c4c52 in evaltree (n=0x603400614f30, flags=0) at shell/ash.c:8429
#15 0x00000000004c4c52 in evaltree (n=0x603400614fb8, flags=0) at shell/ash.c:8429
#16 0x00000000004c4c52 in evaltree (n=0x603400615040, flags=0) at shell/ash.c:8429
#17 0x00000000004c4c52 in evaltree (n=0x603400614c50, flags=0) at shell/ash.c:8429
#18 0x00000000004c4c52 in evaltree (n=0x603400614cd8, flags=0) at shell/ash.c:8429
#19 0x00000000004c4c52 in evaltree (n=0x603400614d60, flags=0) at shell/ash.c:8429
#20 0x00000000004c4c52 in evaltree (n=0x603400614de8, flags=0) at shell/ash.c:8429
#21 0x00000000004c4c52 in evaltree (n=0x6034006149f8, flags=0) at shell/ash.c:8429
#22 0x00000000004c4c52 in evaltree (n=0x603400614a80, flags=0) at shell/ash.c:8429
#23 0x00000000004c4c52 in evaltree (n=0x603400614b10, flags=0) at shell/ash.c:8429
#24 0x00000000004c4c52 in evaltree (n=0x603400614728, flags=0) at shell/ash.c:8429

This issue was found using QuickFuzz; the file to reproduce it is attached. Regards.
Created attachment 6646: gzipped test case
Created attachment 6651: .config file
609210-byte long line in a script. Even though this particular form can be fixed, by stopping at semicolons too, not only at end of line (hush does that and survives), it's easy to construct other similar border cases (e.g. echo "10mb long line"). Won't fix.
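The mechanism behind the backtrace and the maintainer's reply, as an added toy model written here (constructed, not Busybox's ash code): a `;`-separated command list evaluated with one stack frame per element, so recursion depth grows with script length, beside the same traversal as a loop, plus a depth guard that fails cleanly instead of crashing. The `node` type, `build_list`, `eval_recursive` and `eval_iterative` are all invented for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of a shell "list" node for `cmd ; rest`, not Busybox's real
 * AST: a script of N commands joined by ';' becomes a chain N links deep. */
typedef struct node {
    const char *cmd;   /* command at this position (never actually run here) */
    struct node *next; /* the rest of the list, or NULL */
} node;

static node *build_list(size_t n) {      /* "true; true; ...; true", n times */
    node *head = NULL;
    while (n-- > 0) {
        node *nd = malloc(sizeof *nd);
        nd->cmd = "true";
        nd->next = head;
        head = nd;
    }
    return head;
}
static void free_list(node *n) { while (n) { node *t = n->next; free(n); n = t; } }

/* Evaluator in the shape of the backtrace: one stack frame per list element.
 * Returns the number of commands evaluated, or -1 once depth reaches `limit`,
 * failing early instead of running off the end of the stack. */
long eval_recursive(const node *n, size_t depth, size_t limit) {
    if (!n) return 0;
    if (depth >= limit) return -1;
    long rest = eval_recursive(n->next, depth + 1, limit);
    return rest < 0 ? -1 : rest + 1;
}

/* Same traversal with the tail call turned into a loop: constant stack use,
 * so no input length can exhaust it. */
long eval_iterative(const node *n) {
    long count = 0;
    for (; n; n = n->next) count++;
    return count;
}

/* Build a list of n commands, evaluate it, free it. */
long run_recursive(size_t n, size_t limit) {
    node *l = build_list(n); long r = eval_recursive(l, 0, limit); free_list(l); return r;
}
long run_iterative(size_t n) {
    node *l = build_list(n); long r = eval_iterative(l); free_list(l); return r;
}
int main(void) {
    printf("%ld %ld %ld\n", run_recursive(500, 1000), run_recursive(5000, 1000),
           run_iterative(600000));   /* 500 -1 600000 */
}
```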