[Bug 9246] New: SIGSEGV on readtoken
bugzilla at busybox.net
Tue Sep 13 12:48:12 UTC 2016
https://bugs.busybox.net/show_bug.cgi?id=9246
Bug ID: 9246
Summary: SIGSEGV on readtoken
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: franco.costantini20 at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 6656
--> https://bugs.busybox.net/attachment.cgi?id=6656&action=edit
gzipped test case
Hello, we recently found an invalid memory access while parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64), but other configurations could
be affected. Please find attached the full .config file.
The gdb backtrace is as follows:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
#0  0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8, __dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#1  readtoken1 (c=<optimized out>, syntax=<optimized out>, eofmark=<optimized out>, striptabs=<optimized out>) at shell/ash.c:11646
#2  0x00000000004c3222 in readtoken () at shell/ash.c:11945
#3  0x00000000004c13c3 in peektoken () at shell/ash.c:12003
#4  list (nlflag=nlflag@entry=1) at shell/ash.c:10546
#5  0x00000000004c4738 in parsecmd (interact=<optimized out>) at shell/ash.c:12021
#6  0x00000000004c5cdb in cmdloop (top=top@entry=1) at shell/ash.c:12160
#7  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60) at shell/ash.c:13255
#8  0x0000000000408951 in run_applet_no_and_exit (applet_no=applet_no@entry=271, argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:879
#9  0x0000000000408efc in run_applet_and_exit (name=name@entry=0x7fffffffef2d "sh", argv=argv@entry=0x7fffffffed60) at libbb/appletlib.c:893
#10 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at libbb/appletlib.c:840
#11 run_applet_and_exit (name=name@entry=0x7fffffffef1a "busybox_unstripped", argv=argv@entry=0x7fffffffed58) at libbb/appletlib.c:888
#12 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at libbb/appletlib.c:971
This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.