[Bug 15649] New: [busybox 1.36.1] global-buffer-overflow in od

bugzilla at busybox.net bugzilla at busybox.net
Wed Jun 21 14:26:43 UTC 2023


https://bugs.busybox.net/show_bug.cgi?id=15649

            Bug ID: 15649
           Summary: [busybox 1.36.1] global-buffer-overflow in od
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: f.busse at imperial.ac.uk
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Passing "-An" as argument results in an out-of-bound access in od:

$ /tmp/root/busybox-1.36.1/bin/busybox od -An
coreutils/od_bloaty.c:1236:45: runtime error: index 3 out of bounds for type
'char [3]'
coreutils/od_bloaty.c:1236:45: runtime error: load of address 0x55e512d67703
with insufficient space for an object of type 'const char'
0x55e512d67703: note: pointer points here
 00  75 6f 78 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00
              ^ 
=================================================================
==457==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55e512d67703 at pc 0x55e512cfd867 bp 0x7ffc45c79130 sp 0x7ffc45c79120
READ of size 1 at 0x55e512d67703 thread T0
    #0 0x55e512cfd866 in od_main coreutils/od_bloaty.c:1236

0x55e512d67703 is located 61 bytes to the left of global variable 'doxn'
defined in 'coreutils/od_bloaty.c:1221:21' (0x55e512d67740) of size 5
  'doxn' is ascii string 'doxn'
0x55e512d67703 is located 0 bytes to the right of global variable
'doxn_address_base_char' defined in 'coreutils/od_bloaty.c:1222:21'
(0x55e512d67700) of size 3
SUMMARY: AddressSanitizer: global-buffer-overflow coreutils/od_bloaty.c:1236 in
od_main
Shadow bytes around the buggy address:
  0x0abd225a4e90: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0abd225a4ea0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0abd225a4eb0: 00 00 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0abd225a4ec0: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0abd225a4ed0: 00 00 00 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
=>0x0abd225a4ee0:[03]f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0abd225a4ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0abd225a4f00: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0abd225a4f10: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 01 f9
  0x0abd225a4f20: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9
  0x0abd225a4f30: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 02 f9 f9 f9

(found by KLEE)

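The sanitizer output above pins the read to index 3 of a `char [3]` table (`doxn_address_base_char`) that sits right after the 5-byte string `"doxn"`, and `-An` is the fourth letter of that string. The following is an added example, not code from busybox or from the reporter: it reproduces that defect class (an offset returned by `strchr` used as a table index without a size check) and shows the bounds-checked variant. Only the two table names and their sizes come from the report; the table contents, the function names `address_base_unchecked` / `address_base_checked`, the sentinel values and the overall shape of the lookup are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names and sizes follow the ASan report: "doxn" is 5 bytes including its
 * NUL, and doxn_address_base_char holds only 3 entries.  The contents of
 * the 3-entry table are constructed for this example (assumed: decimal ->
 * 'u', octal -> 'o', hex -> 'x'); they are not copied from busybox. */
static const char doxn[] = "doxn";
static const char doxn_address_base_char[3] = { 'u', 'o', 'x' };

enum { ADDR_BASE_NONE = -1, ADDR_BASE_BAD = -2 };

/* The defect pattern (assumed shape): the letter's position inside "doxn"
 * becomes the table index with no size check.  'n' sits at position 3, so
 * the read lands one byte past a char[3], which is the global-buffer-
 * overflow the report shows.  Kept for contrast only; nothing below calls
 * it with 'n'. */
static int address_base_unchecked(char radix)
{
    const char *pos = strchr(doxn, radix);
    if (!radix || !pos)
        return ADDR_BASE_BAD;
    return doxn_address_base_char[pos - doxn];   /* out of bounds when pos - doxn == 3 */
}

/* Hardened lookup: validate the index against the table size before
 * dereferencing, and treat 'n' ("no address column") as its own outcome
 * instead of letting it fall into the table. */
static int address_base_checked(char radix)
{
    const char *pos;
    size_t idx;

    if (!radix)                       /* strchr("doxn", '\0') would "match" the NUL */
        return ADDR_BASE_BAD;
    pos = strchr(doxn, radix);
    if (!pos)
        return ADDR_BASE_BAD;
    idx = (size_t)(pos - doxn);
    if (idx >= sizeof(doxn_address_base_char))
        return ADDR_BASE_NONE;        /* 'n': valid option, but no base character */
    return doxn_address_base_char[idx];
}

int main(void)
{
    /* Constructed sample arguments, including the one from the report (-An). */
    const char *args[] = { "-Ad", "-Ao", "-Ax", "-An", "-Aq" };
    size_t i;

    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        int v = address_base_checked(args[i][2]);
        if (v == ADDR_BASE_BAD)
            printf("%s -> invalid radix letter\n", args[i]);
        else if (v == ADDR_BASE_NONE)
            printf("%s -> no address column\n", args[i]);
        else
            printf("%s -> address base char '%c'\n", args[i], (char)v);
    }
    return 0;
}
```

The check that matters is `idx >= sizeof(doxn_address_base_char)`: the index is validated against the size of the table being read, not against the length of the string it was derived from. Compiling with `-fsanitize=address` and exercising every accepted letter (here all four of `d`, `o`, `x`, `n`) is the quickest regression test for this kind of table lookup, since the sanitizer catches the one-byte overread even when the adjacent byte happens to be harmless.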