Due to a logic error in the ifsbreakup function in ash.c, when a heredoc and a normal command are run one after the other, separated by a semicolon, the second command drops into ifsbreakup and is evaluated with the ifslastp/ifsfirst struct that was set when the heredoc was evaluated. This results in a buffer over-read that can leak the program's heap, stack, and arena addresses, which can be used to beat ASLR.
Steps to Reproduce:

First bug:

cmd args:

~/exampleDir/example> busybox ash
$ M='AAAAAAAAAAAAAAAAA' <note: 17 A's>
$ q00(){
$ <<000;echo $ ${D?$M$M$M$M$M$M} <note: 6 $M's>
$ 000
$ }
$ q00
<note: After the q00 is typed in the leak should be echo'd out; this works with ash, busybox ash, and dash and all options.>

Patch:

Adding the following to ash.c will fix the bug.

================================
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7030,6 +7030,7 @@ msg = umsg; } } +ifsfree(); ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail); }
@@ -7445,6 +7446,7 @@ if (discard) return -1; +ifsfree(); raise_error_syntax("bad substitution"); }
================================

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
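Review bot: the ifsfree() added before ash_msg_and_raise_error() in the first hunk (the ${var?msg} error path, where msg = umsg is chosen) clears the regions recorded for the aborted expansion, but it covers only this one exit; any other longjmp out of argument expansion taken while ifslastp is still set leaves the same stale ifsfirst/ifslastp state behind for the next command. Consider calling ifsfree() once at the point where the exception is caught, or at the start of the next expansion, so every error path is covered, and add a one-line comment at the call site such as `/* drop IFS regions of the aborted expansion before unwinding */` so the ordering (free, then raise) is not undone by a later refactor.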
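Review bot: in the second hunk the ifsfree() is correctly placed after `if (discard) return -1;` rather than before it, since the discard path returns to the caller normally and still needs its recorded regions, while only the raise_error_syntax("bad substitution") exit abandons them. The hunk header reads @@ -7445,6 +7446,7 @@, i.e. it already accounts for the line added by the first hunk, so the two hunks must be applied together in this order; a commit message naming the construct that reaches this path (a bad substitution following a heredoc, per the report) would let a reviewer reproduce the over-read before and after the change.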
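The state leak described in the report, modelled as an added C example that is not busybox's code: the names ifsfirst, ifslastp, recordregion and ifsfree mirror ash.c, but their bodies, the longjmp error path and the buffer sizes are simplified assumptions made here. simulate(0) runs the unpatched sequence, where the second command's field split is driven by a region recorded by the first, aborted expansion (the model reports this as -1 instead of reading past the buffer as the real shell does); simulate(1) applies the patch's ifsfree() before unwinding.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of ash's IFS region bookkeeping (assumption: simplified, not ash.c). */
struct ifsregion {
	struct ifsregion *next;
	int begoff;   /* start offset of the region in the expansion buffer */
	int endoff;   /* end offset (exclusive) */
};

static struct ifsregion ifsfirst;   /* static head of the list, as in ash */
static struct ifsregion *ifslastp;  /* NULL means "no regions recorded" */
static jmp_buf errjmp;              /* stands in for ash's exception handler */

/* Record that str[start..end) came from an unquoted expansion. */
static void recordregion(int start, int end)
{
	struct ifsregion *r;
	if (ifslastp == NULL) {
		r = &ifsfirst;
	} else {
		r = malloc(sizeof(*r));
		ifslastp->next = r;
	}
	r->next = NULL;
	r->begoff = start;
	r->endoff = end;
	ifslastp = r;
}

/* Free the region chain and mark "no regions". */
static void ifsfree(void)
{
	struct ifsregion *p = ifsfirst.next;
	while (p) {
		struct ifsregion *n = p->next;
		free(p);
		p = n;
	}
	ifsfirst.next = NULL;
	ifslastp = NULL;
}

/* Split str[0..len) into fields using the recorded regions.
 * Returns the field count, or -1 when a region points past the buffer:
 * the real ifsbreakup would read stale memory here; the model refuses. */
static int ifsbreakup(const char *str, int len)
{
	struct ifsregion *r;
	int fields = 0;
	if (ifslastp == NULL)
		return len > 0 ? 1 : 0;   /* no regions: the whole word is one field */
	for (r = &ifsfirst; r; r = r->next) {
		int i, inword = 0;
		if (r->endoff > len)
			return -1;            /* stale region from a previous command */
		for (i = r->begoff; i < r->endoff; i++) {
			if (str[i] == ' ') { inword = 0; continue; }
			if (!inword) { fields++; inword = 1; }
		}
	}
	return fields;
}

/* Error raised mid-expansion, e.g. ${D?msg} with D unset.
 * fixed != 0 applies the patch: release the regions before unwinding. */
static void raise_error(int fixed)
{
	if (fixed)
		ifsfree();
	longjmp(errjmp, 1);
}

/* Command 1 records a region over a 40-byte expansion and then errors out;
 * command 2 then expands a 3-byte word (constructed input). */
static int simulate(int fixed)
{
	ifsfree();                        /* clean state at shell start */
	if (setjmp(errjmp) == 0) {
		recordregion(0, 40);
		raise_error(fixed);
	}
	return ifsbreakup("abc", 3);
}

int main(void)
{
	printf("unpatched: %d (negative = stale region, would over-read)\n", simulate(0));
	printf("patched:   %d field(s)\n", simulate(1));
	return 0;
}
```

The point the model makes is that the exception path, not the splitting code, owns the cleanup: any longjmp taken while ifslastp is non-NULL hands the next expansion offsets that belong to a buffer that no longer exists.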