Created attachment 6686: Test case

We recently found an invalid memory access while parsing and executing fuzzed bash code in Busybox 1.25.0. We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could be affected. Please find attached the full .config file.

The gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4e6040c in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#0  0x00007ffff4e6040c in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x000000000040a977 in xmalloc (size=size@entry=88) at libbb/xfuncs_printf.c:47
#2  0x000000000040a9c3 in xzalloc (size=size@entry=88) at libbb/xfuncs_printf.c:68
#3  0x00000000004aff4a in pushfile () at shell/ash.c:9927
#4  0x00000000004b15fb in setinputstring (string=0x60920000b910 "") at shell/ash.c:10032
#5  0x00000000004c2be0 in readtoken1 (c=<optimized out>, syntax=<optimized out>, syntax@entry=1, eofmark=eofmark@entry=0x60360000ffa0 "y", striptabs=striptabs@entry=0) at shell/ash.c:11710
#6  0x00000000004c12d7 in parseheredoc () at shell/ash.c:12038
#7  0x00000000004c13ef in list (nlflag=3, nlflag@entry=1) at shell/ash.c:10556
#8  0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#9  0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#10 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#11 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#12 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#13 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#14 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#15 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz; the file to reproduce it is attached.

Regards.
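A fuzzing campaign like the reporter's produces backtraces such as the one above by the hundred, and the first triage step is to turn each one into structured frames and a crash signature so that duplicates collapse before anyone reads them. The parser below is an added example, not code from this report or from Busybox. It embeds the report's frames as a constructed sample (frame #14 joined onto one line), handles inlined frames that gdb prints without an address and library frames printed with "from" instead of "at", and counts repeated functions, because a recursion-driven stack exhaustion of the kind the maintainer diagnoses normally shows up as a long repeating cycle of frames. The choice to skip the xmalloc/xzalloc wrappers when building a signature is an assumption of this example, not something the report states.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the frames from the report above, one per line as gdb
# prints them. Frame #14, which gdb shows without an address because it was
# inlined, is joined onto a single line.
SAMPLE_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x00007ffff4e6040c in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x000000000040a977 in xmalloc (size=size@entry=88) at libbb/xfuncs_printf.c:47
#2  0x000000000040a9c3 in xzalloc (size=size@entry=88) at libbb/xfuncs_printf.c:68
#3  0x00000000004aff4a in pushfile () at shell/ash.c:9927
#4  0x00000000004b15fb in setinputstring (string=0x60920000b910 "") at shell/ash.c:10032
#5  0x00000000004c2be0 in readtoken1 (c=<optimized out>, syntax=<optimized out>, syntax@entry=1, eofmark=eofmark@entry=0x60360000ffa0 "y", striptabs=striptabs@entry=0) at shell/ash.c:11710
#6  0x00000000004c12d7 in parseheredoc () at shell/ash.c:12038
#7  0x00000000004c13ef in list (nlflag=3, nlflag@entry=1) at shell/ash.c:10556
#8  0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#9  0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#10 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#11 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#12 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#13 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#14 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#15 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971
"""


class Frame(NamedTuple):
    num: int
    address: Optional[str]   # None for frames gdb prints without one (inlined)
    func: str
    args: str
    file: Optional[str]      # source file when gdb has debug info ("at ...")
    line: Optional[int]
    lib: Optional[str]       # shared object when it does not ("from ...")


# One gdb frame line: "#N [0xADDR in] func (args) [at file:line | from lib]".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[A-Za-z_][\w.]*)\s*\((?P<args>.*)\)\s*"
    r"(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))?\s*$"
)
SIGNAL_RE = re.compile(r"^Program received signal (?P<sig>\w+)")


def crash_signal(text: str) -> Optional[str]:
    """Return the signal name gdb reported (e.g. SIGSEGV), or None."""
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            return m.group("sig")
    return None


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output into Frame records, ignoring non-frame lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        frames.append(Frame(
            num=int(m.group("num")),
            address=m.group("addr"),
            func=m.group("func"),
            args=m.group("args"),
            file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
            lib=m.group("lib"),
        ))
    return frames


def crash_signature(frames: List[Frame], depth: int = 3,
                    skip: frozenset = frozenset()) -> Tuple[str, ...]:
    """Top `depth` frames that carry source info, as 'func@file' strings.

    Library frames (no source file) and any function named in `skip`, such
    as allocator wrappers, are left out so that crashes reached through the
    same project code collapse onto one signature for deduplication.
    """
    sig = []
    for f in frames:
        if f.file is None or f.func in skip:
            continue
        sig.append(f"{f.func}@{f.file}")
        if len(sig) == depth:
            break
    return tuple(sig)


def repeated_functions(frames: List[Frame]) -> Dict[str, int]:
    """Functions that occur more than once in the trace, with their counts.

    A recursion-driven stack overflow normally shows a long repeating cycle
    here; on the sample only the applet dispatch frame repeats.
    """
    counts = Counter(f.func for f in frames)
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    fr = parse_backtrace(SAMPLE_BACKTRACE)
    print(crash_signal(SAMPLE_BACKTRACE), len(fr), "frames")
    print("signature:", crash_signature(fr, skip=frozenset({"xmalloc", "xzalloc"})))
    print("repeated:", repeated_functions(fr))
```

Feeding every backtrace from a fuzzing run through crash_signature and bucketing on the result is what separates one root cause from hundreds of near-identical reports; keeping the allocator wrappers out of the signature matters because many unrelated bugs first surface inside xmalloc.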
Created attachment 6691: config file
Won't fix this: this is a stack overflow (8 Mbytes of stack).