9286 – Heap overflow on rmescapes

Bug 9286 - Heap overflow on rmescapes

Summary: Heap overflow on rmescapes

Status:	RESOLVED FIXED

Alias:	None

Product:	Busybox
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	unspecified
Hardware:	All Linux

Importance:	P5 normal
Target Milestone:	---
Assignee:	unassigned

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-09-20 16:47 UTC by Franco Costantini
Modified:	2016-09-25 18:56 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:

Attachments
test case (52 bytes, text/plain) 2016-09-20 16:47 UTC, Franco Costantini	Details
config file (2.69 KB, text/plain) 2016-09-20 16:47 UTC, Franco Costantini	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Franco Costantini 2016-09-20 16:47:20 UTC

Created attachment 6716 [details]
test case

Hello, we recently found an invalid memory access parsing and executing fuzzed bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could be affected. Please find attached the full .config file.

Technical details about the issue are:

==25142== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000e4b5 at pc 0x4b9a2b bp 0x7ffc87913170 sp 0x7ffc87913168
WRITE of size 1 at 0x60060000e4b5 thread T0

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff47b6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff47ba028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d797 in __asan_report_store1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000004b9a2b in rmescapes (str=0x60360000fe48 "wh%s%#x\201x0d\210%#x\201[u1\201", flag=flag@entry=19) at shell/ash.c:5661
#8  0x00000000004bf8cb in preglob (flag=17, pattern=<optimized out>) at shell/ash.c:5680
#9  expandmeta (str=0x60360000fe80) at shell/ash.c:7177
#10 expandarg (arg=arg@entry=0x60360000fde0, arglist=arglist@entry=0x7fffffffe240, flag=<optimized out>) at shell/ash.c:7240
#11 0x00000000004c8ed9 in evalcommand (cmd=0x60360000fe28, flags=0) at shell/ash.c:9275
#12 0x00000000004c4cb8 in evaltree (n=0x60360000fe28, flags=flags@entry=0) at shell/ash.c:8440
#13 0x00000000004c5d99 in cmdloop (top=top@entry=1) at shell/ash.c:12178
#14 0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#15 0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#16 0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2e "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#17 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#18 run_applet_and_exit (name=name@entry=0x7fffffffef1b "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#19 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971

This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.

Comment 1 Franco Costantini 2016-09-20 16:47:38 UTC

Created attachment 6721 [details]
config file

Comment 2 Denys Vlasenko 2016-09-25 18:56:16 UTC

Bug in handling embedded NUL in $'string'
Fixed in git, thanks!