
List:       busybox
Subject:    [PATCH] ash: another use-after-free in bash pattern substitution
From:       Karsten Sperling <ksperling () apple ! com>
Date:       2023-03-15 0:19:14
Message-ID: 74D96B8E-C0A5-41E9-9008-1DF8CA3D0B07 () apple ! com

Re-sending this fix for a use-after-free in the bash pattern substitution code in
ash; I'm not sure the mailing list software liked my original attachment.

Thanks, Karsten


["busybox-ash-another-uaf.patch.txt" (busybox-ash-another-uaf.patch.txt)]

diff --git a/shell/ash.c b/shell/ash.c
index 5f8c8ea19..38368f590 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7374,6 +7374,8 @@ subevalvar(char *start, char *str, int strloc,
 				char *restart_detect = stackblock();
 				if (quotes && *loc == '\\') {
 					STPUTC(CTLESC, expdest);
+					if (stackblock() != restart_detect)
+						goto restart;
 					len++;
 				}
 				STPUTC(*loc, expdest);
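Review bot: The added check after STPUTC(CTLESC, expdest) jumps to restart before len++ runs and after a CTLESC byte has already been written, so please confirm that the code at the restart label resets both expdest and len; otherwise the retry could emit the escape twice or miscount. A one-line comment on the new check saying that STPUTC may move the stack block loc may point into would make the intent clear to the next reader. The trailing STPUTC(*loc, expdest) is the last line visible here, so the hunk does not show whether it is followed by the same stackblock() != restart_detect test; it would help to say so in the commit message.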


> On 8/03/2023, at 4:23 PM, Karsten Sperling <ksperling@apple.com> wrote:
> 
> Hi,
> 
> This is a fix for a use-after-free issue in the bash pattern substitution code in
> ash (related to STPUTC potentially causing the buffer to be reallocated). Most of
> these were fixed in 1.36.0; however, one unguarded STPUTC remained, which is fixed in
> the attached patch.
> Thanks, Karsten
> 
> <busybox-ash-another-uaf.patch>



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
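
The hazard described in the message above (an append that may reallocate the buffer a live pointer still refers to) and the detect-and-restart guard, as an added example that is not BusyBox code. The names gbuf, gbuf_putc, append_escaped and demo are hypothetical, and the input is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for ash's stack block. */
struct gbuf { char *base; size_t len, cap; };

/* Append one byte; growth always moves the block, so old pointers dangle. */
static void gbuf_putc(struct gbuf *b, char c)
{
	if (b->len == b->cap) {
		char *n = malloc(b->cap * 2);
		if (!n) abort();
		memcpy(n, b->base, b->len);
		free(b->base);
		b->base = n;
		b->cap *= 2;
	}
	b->base[b->len++] = c;
}

/* Re-append src_len bytes at src_off, esc before each '\\'; returns restart count. */
static int append_escaped(struct gbuf *b, size_t src_off, size_t src_len, char esc)
{
	const size_t out_start = b->len;
	const char *loc;
	int restarts = 0;
	size_t i;
restart:
	b->len = out_start;          /* drop partial output from a failed pass */
	loc = b->base + src_off;     /* re-derive loc from the current block */
	for (i = 0; i < src_len; i++) {
		uintptr_t before = (uintptr_t)b->base;   /* role of restart_detect */
		if (loc[i] == '\\') {
			gbuf_putc(b, esc);
			/* Without this check the loc[i] read below hits freed memory. */
			if ((uintptr_t)b->base != before) { restarts++; goto restart; }
		}
		gbuf_putc(b, loc[i]);
		if ((uintptr_t)b->base != before) { restarts++; goto restart; }
	}
	return restarts;
}

/* Constructed input: "a\b" in a 4-byte block, so the escape byte forces growth. */
static int demo(struct gbuf *b)
{
	b->base = malloc(4); b->len = 3; b->cap = 4;
	if (!b->base) abort();
	memcpy(b->base, "a\\b", 3);
	return append_escaped(b, 0, 3, '^');
}
int main(void) { struct gbuf b; return demo(&b) == 1 ? 0 : 1; }
```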

