[Bug 9246] New: SIGSEGV on readtoken

bugzilla at busybox.net bugzilla at busybox.net
Tue Sep 13 12:48:12 UTC 2016 

https://bugs.busybox.net/show_bug.cgi?id=9246

            Bug ID: 9246
           Summary: SIGSEGV on readtoken
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: franco.costantini20 at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6656
  --> https://bugs.busybox.net/attachment.cgi?id=6656&action=edit
gzipped test case

Hello, we recently found an invalid memory access parsing and executing fuzzed
bash code in Busybox 1.25.0.
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations could
be affected. Please find attached the full .config file

gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8,
__dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0
(__dest));
#0  0x00000000004c2a04 in memcpy (__len=63284, __src=0x60a4000027a8,
__dest=0x7fffff7f4cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#1  readtoken1 (c=<optimized out>, syntax=<optimized out>, eofmark=<optimized
out>, striptabs=<optimized out>) at shell/ash.c:11646
#2  0x00000000004c3222 in readtoken () at shell/ash.c:11945
#3  0x00000000004c13c3 in peektoken () at shell/ash.c:12003
#4  list (nlflag=nlflag at entry=1) at shell/ash.c:10546
#5  0x00000000004c4738 in parsecmd (interact=<optimized out>) at
shell/ash.c:12021
#6  0x00000000004c5cdb in cmdloop (top=top at entry=1) at shell/ash.c:12160
#7  0x00000000004cb1cb in ash_main (argc=<optimized out>, argv=0x7fffffffed60)
at shell/ash.c:13255
#8  0x0000000000408951 in run_applet_no_and_exit
(applet_no=applet_no at entry=271, argv=argv at entry=0x7fffffffed60) at
libbb/appletlib.c:879
#9  0x0000000000408efc in run_applet_and_exit (name=name at entry=0x7fffffffef2d
"sh", argv=argv at entry=0x7fffffffed60) at libbb/appletlib.c:893
#10 0x0000000000408ed6 in busybox_main (argv=0x7fffffffed60) at
libbb/appletlib.c:840
#11 run_applet_and_exit (name=name at entry=0x7fffffffef1a "busybox_unstripped",
argv=argv at entry=0x7fffffffed58) at libbb/appletlib.c:888
#12 0x0000000000408fcd in main (argc=<optimized out>, argv=0x7fffffffed58) at
libbb/appletlib.c:971

This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the busybox-cvs mailing list