Created attachment 6676: test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0. We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
11153   {
#0  readtoken1 (c=123, syntax=0, eofmark=0x0, striptabs=0) at shell/ash.c:11153
#1  0x00000000004c3238 in readtoken () at shell/ash.c:11953
#2  0x00000000004c4560 in pipeline () at shell/ash.c:10642
#3  0x00000000004c1409 in andor () at shell/ash.c:10612
#4  list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#5  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#6  0x00000000004c4583 in pipeline () at shell/ash.c:10647
#7  0x00000000004c1409 in andor () at shell/ash.c:10612
#8  list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#9  0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#10 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#11 0x00000000004c1409 in andor () at shell/ash.c:10612
#12 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#13 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#14 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#15 0x00000000004c1409 in andor () at shell/ash.c:10612
#16 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#17 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#18 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#19 0x00000000004c1409 in andor () at shell/ash.c:10612
#20 list (nlflag=nlflag@entry=0) at shell/ash.c:10565
#21 0x00000000004c3ef2 in parse_command () at shell/ash.c:11052
#22 0x00000000004c4583 in pipeline () at shell/ash.c:10647
#23 0x00000000004c1409 in andor () at shell/ash.c:10612
#24 list (nlflag=nlflag@entry=0) at shell/ash.c:10565

This issue was found using QuickFuzz, the file to reproduce it is attached.

Regards.
Created attachment 6681: config file
Won't fix this - stack exhaustion while parsing 64000 nested {}s
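As an added illustration of the maintainer's diagnosis (this is example code, not Busybox's parser or the reporter's test case): a toy recursive-descent brace parser whose recursion mirrors the list -> pipeline -> parse_command -> list cycle visible in the backtrace, with a hypothetical MAX_NEST cap so that deeply nested input is rejected with an error instead of exhausting the C stack. The cap value and all function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical nesting cap for this toy parser; ash itself has no such limit. */
#define MAX_NEST 256

enum { PARSE_OK = 0, PARSE_UNBALANCED = 1, PARSE_TOO_DEEP = 2 };

/* Toy grammar: list := item*  ;  item := '{' list '}' | any other char.
 * Every '{' recurses once, like ash's list->pipeline->parse_command->list
 * cycle, so input nesting depth maps directly onto C stack depth. */
static int parse_list(const char *s, size_t *pos, int depth)
{
    while (s[*pos] != '\0' && s[*pos] != '}') {
        if (s[*pos] == '{') {
            if (depth >= MAX_NEST)
                return PARSE_TOO_DEEP;   /* refuse instead of overflowing the stack */
            (*pos)++;
            int r = parse_list(s, pos, depth + 1);
            if (r != PARSE_OK)
                return r;
            if (s[*pos] != '}')
                return PARSE_UNBALANCED; /* end of input inside an open group */
        }
        (*pos)++;                        /* consume the char or the closing '}' */
    }
    return PARSE_OK;
}

/* Parse a complete input; a stray '}' left at top level is unbalanced. */
int parse_braces(const char *s)
{
    size_t pos = 0;
    int r = parse_list(s, &pos, 0);
    return r != PARSE_OK ? r : (s[pos] == '\0' ? PARSE_OK : PARSE_UNBALANCED);
}

/* Build n nested "{" ... "}" groups (constructed input) and parse them.
 * With the cap, even n = 64000 only ever recurses MAX_NEST levels deep. */
int nested_result(size_t n)
{
    char *buf = malloc(2 * n + 1);
    if (!buf) return -1;
    memset(buf, '{', n);
    memset(buf + n, '}', n);
    buf[2 * n] = '\0';
    int r = parse_braces(buf);
    free(buf);
    return r;
}
```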