Bug 2126720 (CVE-2022-3715)
Summary: | CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | admiller, carnil, information, kasal, kdudka, kesha.plovec02, kvolny, kyoshida, security-response-team, svashisht
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | bash 5.1.8 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2023-01-25 11:22:14 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2141572, 2141573, 2141574, 2141575, 2141576, 2141577 | |
Bug Blocks: | 2124192, 2138088 | |
Description
Marian Rehak
2022-09-14 10:22:35 UTC
Created bash tracking bugs for this issue:

Affects: fedora-all [bug 2141577]

Marian, is there any specific information you can share on this CVE? Is this reported and fixed upstream? I'm asking since the information gathered from the first comment is not enough to track the problem in other downstreams using bash to determine which versions are affected. Is it about this issue?

https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html

Description of problem:
I was fuzzing bash with AFL++ and found a heap-buffer-overflow in the valid_parameter_transform function.

Version-Release number of selected component (if applicable):
bash-5.1.16-3

How reproducible:
Always.

Steps to Reproduce:
1. Build bash with asan
2. Run with AFL++ crafted input (in attachment)

Actual results:
ASAN report:

```
==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
READ of size 1 at 0x6020000018b1 thread T0
    #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
    #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
    #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
    #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
    #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
    #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
    #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
    #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
    #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
    #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
    #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
    #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
    #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
    #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
    #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

0x6020000018b1 is located 0 bytes to the right of 1-byte region [0x6020000018b0,0x6020000018b1)
allocated by thread T0 here:
    #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
    #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
    #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20
```

Additional info:
I also prepared a patch with a possible fix.

```diff
diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c
--- bash-5.1-orig/subst.c	2022-08-29 18:56:11.071802865 +0000
+++ bash-5.1/subst.c	2022-08-29 18:56:48.187435415 +0000
@@ -7916,7 +7916,7 @@ static int
 valid_parameter_transform (xform)
      char *xform;
 {
-  if (xform[1])
+  if (xform[0] && xform[1])
     return 0;
 
   /* check for valid values of xform[0] */
```

(In reply to Marian Rehak from comment #7)
> Steps to Reproduce:
> 1. Build bash with asan

You mean with -fsanitize=address, right? So the problem cannot be reproduced with standard bash packages?

Maybe; would valgrind be of any help here?

(In reply to Marian Rehak from comment #7)
> Description of problem:
> I was fuzzing bash with AFL++ and found heap-buffer-overflow in
> valid_parameter_transform function.
>
> Version-Release number of selected component (if applicable):
>
> bash-5.1.16-3
>
> How reproducible:
> Always.
>
> Steps to Reproduce:
> 1. Build bash with asan
> 2. Run with AFL++ crafted input (in attachment)
>
> Actual results:
> ASAN report:
> ==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6020000018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
> READ of size 1 at 0x6020000018b1 thread T0
> #0 0x563102ad26ce in valid_parameter_transform
> /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
> #1 0x563102ad26ce in parameter_brace_transform
> /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
> #2 0x563102ab1bfc in parameter_brace_expand
> /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
> #3 0x563102ab1bfc in param_expand
> /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
> #4 0x563102a95295 in expand_word_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
> #5 0x563102a93c3a in expand_word_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
> #6 0x563102af2ffb in shell_expand_word_list
> /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
> #7 0x563102af2ffb in expand_word_list_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
> #8 0x5631029c357a in expand_words
> /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
> #9 0x5631029c357a in execute_simple_command
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
> #10 0x5631029b3972 in execute_command_internal
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
> #11 0x5631029adf52 in execute_command
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
> #12 0x56310293ec72 in reader_loop
> /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
> #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
> #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId:
> 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
> #15 0x7ff11dbeee3f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId:
> 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
> #16 0x56310286e6c4 in _start
> (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)
>
> 0x6020000018b1 is located 0 bytes to the right of 1-byte region
> [0x6020000018b0,0x6020000018b1)
> allocated by thread T0 here:
> #0 0x5631028f150e in malloc
> (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
> #1 0x563102b8eaee in xmalloc
> /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
> #2 0x563102b8eaee in substring
> /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20
>
>
> Additional info:
> I also prepared a patch with a possible fix.
>
> diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c
> --- bash-5.1-orig/subst.c 2022-08-29 18:56:11.071802865 +0000
> +++ bash-5.1/subst.c 2022-08-29 18:56:48.187435415 +0000
> @@ -7916,7 +7916,7 @@ static int
> valid_parameter_transform (xform)
> char *xform;
> {
> - if (xform[1])
> + if (xform[0] && xform[1])
> return 0;
>
> /* check for valid values of xform[0] */

Thank you! So this matches the information from https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html

(In reply to Karel Volný from comment #8)
> maybe, would valgrind be of any help here?

Yes, I was able to reproduce it on el9 with valgrind and attachment #1908373.

(In reply to Kamil Dudka from comment #10)
> (In reply to Karel Volný from comment #8)
> > maybe, would valgrind be of any help here?
>
> Yes, I was able to reproduce it on el9 with valgrind and attachment #1908373.

Looks like I no longer have access to bug #2122331 ... please could anyone share the reproducer here? (Or alternatively make sure the other bug is accessible by the usual RH internal roles?)

Karel, I have added you on the CC list of bug #2122331. You should be able to access it now.

Hi!

1. The attachment you refer to in this thread is not accessible by other maintainers. Is there any way to gain access to it in order to fix the vulnerability in another distro?

2. At the same time, the patch you had suggested wasn't applied in the upstream version of bash. Could you publish the final version of the patch which was accepted upstream?

Best regards,
Nikita Ivanov | C Developer in Cloudlinux, Inc.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:0340 https://access.redhat.com/errata/RHSA-2023:0340

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3715
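Review bot: the replacement condition `if (xform[0] && xform[1])` closes the out-of-bounds read only because `&&` short-circuits, and it leaves the empty-operator case (`xform[0] == '\0'`) to fall through to whatever follows the comment `/* check for valid values of xform[0] */`; that code is outside the hunk, so rejection of an empty operator depends on its default path rather than on this check. Spelling the intent out, for example `if (xform[0] == '\0' || xform[1]) return 0;`, would make the hunk self-contained, and a one-line comment noting that xform can be a 1-byte region holding "" (the allocation the ASAN report points at) would document why the order of the two tests matters. A later comment in this thread also states that this patch is not the one upstream applied, so downstreams should take the final fix from the upstream source rather than from this hunk.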
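The following is an added example, not code from the bug report or from bash itself, that models the failure described in comment #7 and the fix proposed there: a transform operator copied into an exact-size heap buffer (as bash's substring() does, producing the 1-byte region in the ASAN report) and then validated by a check that reads `xform[1]` before it knows `xform[0]` is non-NUL. The function names, the `name@operator` input shape, and the operator letter set (the ones the bash 5.1 manual lists for `${parameter@operator}`) are assumptions of this model, not bash's real subst.c; the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of bash's substring(): copy s[start, end) into a freshly malloc'ed
 * buffer of exactly (end - start) + 1 bytes.  For an empty operator that is
 * a 1-byte region holding only the NUL terminator, the same shape as the
 * "1-byte region ... allocated by ... substring" lines in the ASAN report. */
static char *substring_copy(const char *s, size_t start, size_t end)
{
    size_t len = end - start;
    char *r = malloc(len + 1);
    if (r == NULL)
        abort();
    memcpy(r, s + start, len);
    r[len] = '\0';
    return r;
}

/* Operator letters accepted for ${parameter@operator} in the bash 5.1
 * manual (assumed set for this model): U u L Q E P A K a.
 * '\0' hits the default arm, so an empty operator is rejected here. */
static int is_transform_letter(char c)
{
    switch (c) {
    case 'U': case 'u': case 'L': case 'Q': case 'E':
    case 'P': case 'A': case 'K': case 'a':
        return 1;
    default:
        return 0;
    }
}

/* Pre-fix shape of the check: xform[1] is read before xform[0] is known to
 * be non-NUL.  When xform is "" in a 1-byte allocation, xform[1] lies one
 * byte past the end of the region: the heap-buffer-overflow READ of size 1
 * from the report.  Build with -fsanitize=address to see it; without ASAN
 * the read silently returns whatever byte follows the allocation. */
static int valid_xform_unfixed(const char *xform)
{
    if (xform[1])
        return 0;
    return is_transform_letter(xform[0]);
}

/* Fixed shape (the check proposed in the bug): the short-circuit && means
 * xform[1] is only read when xform[0] is a real character, so the access
 * stays inside the buffer for every allocation of length >= 1.  An empty
 * operator falls through to the letter check, which rejects '\0'. */
static int valid_xform_fixed(const char *xform)
{
    if (xform[0] && xform[1])
        return 0;
    return is_transform_letter(xform[0]);
}

/* Validate the operator of a brace-expression body such as "name@Q":
 * everything after the first '@' is copied into an exact-size buffer the
 * way substring() does, then checked with the fixed predicate.
 * Returns 1 for a valid single-letter operator, 0 otherwise (no '@',
 * empty operator, unknown letter, or more than one character). */
int brace_operator_ok(const char *body)
{
    const char *at = strchr(body, '@');
    if (at == NULL)
        return 0;
    size_t start = (size_t)(at - body) + 1;
    char *xform = substring_copy(body, start, strlen(body));
    int ok = valid_xform_fixed(xform);
    free(xform);
    return ok;
}

int main(void)
{
    /* Constructed inputs; "x@" yields the 1-byte region from the report. */
    const char *cases[] = { "x@Q", "x@", "x@QQ", "x@Z", "x" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-5s -> %d\n", cases[i], brace_operator_ok(cases[i]));

    /* The same 1-byte allocation through the unfixed predicate: under ASAN
     * this reports a heap-buffer-overflow READ of size 1, as in the bug. */
    char *empty = substring_copy("x@", 2, 2);
    printf("unfixed(\"\") = %d\n", valid_xform_unfixed(empty));
    free(empty);
    return 0;
}
```

Compile once normally and once with `-fsanitize=address -g`: the plain build prints results for every case, the ASAN build aborts in `valid_xform_unfixed` with a 1-byte read just past a 1-byte region, which is the signature to look for when triaging the attached reproducer.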