Created attachment 9664 [details] POC file Hi, busybox developers, We found a use-after-free vulnerability in awk applet of busybox v1.36.1. The affected component is awk.c:3009, in evaluate function. Following is the reproduction process, and we put the poc file in the attachment. [1.] Environment Ubuntu 18.04, 64 bit BusyBox 1.36.1 Clang 6.0.0 [2.] Compilation 2.1 Modify the Makefile: HOSTCC=clang -fsanitize=address HOSTCXX=clang++ -fsanitize=address CC=clang CFLAGS=-fsanitize=address CPPFLAGS=-fsanitize=address LDFLAGS="-Wl,--allow-multiple-definition" 2.2 Modify the Config.in file, switch the following configs to y: DEBUG: y DEBUG_PESSIMIZE: y FEATURE_CLEAN_UP: y DEBUG_SANITIZE: y 2.3 Commands for compilation: export ASAN_OPTIONS=detect_leaks=0 make defconfig make install [3.] Reproduction export ASAN_OPTIONS="abort_on_error=1 symbolize=0" ./busybox_unstripped awk -f $poc ./awk_t1_input [ASAN report]: ==13571==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000118520 at pc 0x000000e4a94f bp 0x7ffd6848ae30 sp 0x7ffd6848ae28 READ of size 4 at 0x606000118520 thread T0 #0 0xe4a94e (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a94e) #1 0xe54597 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597) #2 0xe409ce (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe409ce) #3 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) #4 0x50dbaf (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50dbaf) #5 0x51036d (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x51036d) #6 0x50db58 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50db58) #7 0x50c3fd (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50c3fd) #8 0x7f592e27cc86 (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #9 0x41e459 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x41e459) 0x606000118520 is located 0 bytes inside of 64-byte region [0x606000118520,0x606000118560) freed by thread T0 here: #0 0x4dc500 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc500) #1 0xe7f4ca (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe7f4ca) #2 0xe4a878 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a878) #3 0xe54597 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597) #4 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) previously allocated by thread T0 here: #0 0x4dc6d0 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x4dc6d0) #1 0x519df2 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x519df2) #2 0xe4a878 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a878) #3 0xe54597 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe54597) #4 0x50ac81 (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0x50ac81) SUMMARY: AddressSanitizer: heap-use-after-free (/home/zclin/afl-vul-score/llvm_mode/research/path-collect-all-new-0524/path-collect-all-new/busybox/reproduce/busybox-1_36_1/fuzz_check/awk/busybox_unstripped+0xe4a94e) [line number]: addr2line -e ./busybox_unstripped 0xe4a94e .../busybox-1_36_1/editors/awk.c:3009 Best wishes, Zclin
Created attachment 9670 [details] awk_t1_input file
Seems to be the duplicate of bug #15871, just the "use" part happens in a different place. The result of OC_REPLACE may be a TEMPVAR0 via L.v res = setvar_i(((opinfo & OPCLSMASK) == OC_BINARY) ? res : L.v, ...);
This was fixed with commit 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 (HEAD) Author: Denys Vlasenko <vda.linux@googlemail.com> Date: Tue May 30 16:42:18 2023 +0200 awk: fix precedence of = relative to == https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4