Applied, thank you!
On Mon, Jun 20, 2022 at 8:23 PM Alex Gorinson <algore3...@gmail.com> wrote:
>
> Due to a logic error in the ifsbreakup function in ash.c when a
> heredoc and normal command is run one after the other by means of a
> semi-colon, when the second command drops into ifsbreakup the command
> will be evaluated with the ifslastp/ifsfirst struct that was set when
> the heredoc was evaluated. This results in a buffer over-read that
> can leak the program's heap, stack, and arena addresses which can be
> used to beat ASLR.
>
> Steps to Reproduce:
> First bug:
> cmd args: ~/exampleDir/example> busybox ash
> $ M='AAAAAAAAAAAAAAAAA' <note: 17 A's>
> $ q00(){
> $ <<000;echo
> $ ${D?$M$M$M$M$M$M} <note: 6 $M's>
> $ 000
> $ }
> $ q00 <note: After the q00 is typed in the leak
> should be echo'd out; this works with ash, busybox ash, and dash and
> all options.>
>
> Patch:
> Adding the following to ash.c will fix the bug.
> ================================
> --- a/shell/ash.c
> +++ b/shell/ash.c
> @@ -7030,6 +7030,7 @@
> msg = umsg;
> }
> }
> +ifsfree();
> ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail);
> }
>
> @@ -7445,6 +7446,7 @@
> if (discard)
> return -1;
> +ifsfree();
> raise_error_syntax("bad substitution");
> }
> ================================
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
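Review bot: in the first hunk (`@@ -7030,6 +7030,7 @@`, the `${var?msg}` failure path ending in `ash_msg_and_raise_error(...)`), the added `+ifsfree();` and its context lines have lost all indentation in this quoting, so the hunk as shown will not apply cleanly with `git apply` or `patch` without whitespace-tolerant options; please re-send with the original indentation (or as an attachment). The hunk header also carries no function name, so the diff alone does not show that this is the `${D?...}` path the reproduction exercises; a sentence in the commit message naming the function and the error path would make the change reviewable on its own.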
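Review bot: in the second hunk (`@@ -7445,6 +7446,7 @@`, the `raise_error_syntax("bad substitution")` path), the fix is again applied at a single call site, but the root cause stated in the report is that any error raised while `ifsfirst`/`ifslastp` are still populated leaves stale split state for the next command's `ifsbreakup`. It is worth checking whether other error exits from the same expansion code can reach `ifsbreakup` with stale state, and whether a single reset where the error is caught, before the next command is evaluated, would cover all of them instead of one `ifsfree();` per raise. The `+ifsfree();` here is also unindented relative to the `if (discard)` context, the same whitespace problem as in the first hunk.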
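As an added illustration, not code from the report or from busybox, here is a simplified C model of the failure the report describes: the IFS-split bookkeeping in ifsfirst/ifslastp is left populated when the `${D?msg}` expansion raises an error, so the next command's ifsbreakup applies offsets computed for the 102-byte message (6 x 17 A's) to a much shorter string. The struct layout, function bodies and the `expand_buggy`/`expand_fixed`/`stale_region_past_end` helpers are constructed for this model; only the names ifsfirst, ifslastp, ifsfree and recordregion follow the report.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of ash's IFS-split bookkeeping; names follow the report,
 * but the bodies are constructed for this illustration, not taken from ash.c. */
struct ifsregion {
    struct ifsregion *next;
    int begoff, endoff;                 /* offsets into the expanded string */
};
static struct ifsregion ifsfirst;       /* list head: ifsfirst.next is the first region */
static struct ifsregion *ifslastp;      /* last region, NULL when no split is pending */
static jmp_buf errjmp;                  /* models the longjmp taken by ash's error raise */

/* Release all pending regions: the call the patch adds before raising. */
static void ifsfree(void)
{
    struct ifsregion *p = ifsfirst.next;
    while (p) {
        struct ifsregion *next = p->next;
        free(p);
        p = next;
    }
    ifsfirst.next = NULL;
    ifslastp = NULL;
}

/* Append a region, as expansion does while preparing an IFS split. */
static void recordregion(int beg, int end)
{
    struct ifsregion *r = malloc(sizeof *r);
    if (!r) abort();
    r->next = NULL; r->begoff = beg; r->endoff = end;
    if (ifslastp) ifslastp->next = r; else ifsfirst.next = r;
    ifslastp = r;
}

/* ${D?msg} with a 102-byte message (6 x 17 'A's): the split region is
 * recorded, then the error is raised. The fixed path frees it first. */
static void expand_buggy(void) { recordregion(0, 102); longjmp(errjmp, 1); }
static void expand_fixed(void) { recordregion(0, 102); ifsfree(); longjmp(errjmp, 1); }
/* Run one failing expansion, then ask what the next command's ifsbreakup would
 * see: a pending region ending past the new string means stale offsets would
 * be applied to a shorter buffer, i.e. the over-read the report describes. */
static int stale_region_past_end(void (*expand)(void), const char *next_cmd)
{
    ifsfree();                          /* clean start for this run */
    if (setjmp(errjmp) == 0)
        expand();                       /* returns here via longjmp on error */
    return ifslastp != NULL && ifslastp->endoff > (int)strlen(next_cmd);
}
```

With the unpatched path the check reports a stale region extending past the next command's 7-byte text; with the patched path the list is empty when the error is raised, so nothing is left for the next ifsbreakup to misapply.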