Bug 2126720 (CVE-2022-3715) - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform
Summary: CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3715
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141576 2141572 2141573 2141574 2141575 2141577
Blocks: 2124192 2138088
TreeView+ depends on / blocked
 
Reported: 2022-09-14 10:22 UTC by Marian Rehak
Modified: 2023-01-26 07:52 UTC (History)
10 users (show)

Fixed In Version: bash 5.1.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems.
Clone Of:
Environment:
Last Closed: 2023-01-25 11:22:14 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0340 0 None None None 2023-01-23 15:22:08 UTC

Description Marian Rehak 2022-09-14 10:22:35 UTC
A heap-buffer-overflow in valid_parameter_transform function.

Comment 1 Marian Rehak 2022-09-14 13:33:57 UTC
Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=2122331

Comment 3 Marian Rehak 2022-11-10 07:25:19 UTC
Created bash tracking bugs for this issue:

Affects: fedora-all [bug 2141577]

Comment 5 Salvatore Bonaccorso 2022-11-11 07:41:42 UTC
Marian,

Is there any specific information you can share on this CVE? Is this reported and fixed upstream? I'm asking since the information gathered from first comment is not enough to track the problem in other downstreams using bash to determine which versions are affected.

Comment 6 Salvatore Bonaccorso 2022-11-11 07:43:49 UTC
Is it about this issue? 

https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html

Comment 7 Marian Rehak 2022-11-21 05:47:03 UTC
Description of problem:
I was fuzzing bash with AFL++ and found heap-buffer-overflow in valid_parameter_transform function.

Version-Release number of selected component (if applicable):

bash-5.1.16-3

How reproducible:
Always.

Steps to Reproduce:
1. Build bash with asan
2. Run with AFL++ crafted input (in attachment)

Actual results:
ASAN report:
==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
READ of size 1 at 0x6020000018b1 thread T0
    #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
    #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
    #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
    #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
    #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
    #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
    #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
    #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
    #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
    #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
    #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
    #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
    #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
    #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
    #14 0x7ff11dbeed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

0x6020000018b1 is located 0 bytes to the right of 1-byte region [0x6020000018b0,0x6020000018b1)
allocated by thread T0 here:
    #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
    #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
    #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20


Additional info:
I also prepared a patch with a possible fix.

diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c
--- bash-5.1-orig/subst.c	2022-08-29 18:56:11.071802865 +0000
+++ bash-5.1/subst.c	2022-08-29 18:56:48.187435415 +0000
@@ -7916,7 +7916,7 @@ static int
 valid_parameter_transform (xform)
      char *xform;
 {
-  if (xform[1])
+  if (xform[0] && xform[1])
     return 0;
 
   /* check for valid values of xform[0] */

Comment 8 Karel Volný 2022-11-22 13:38:43 UTC
(In reply to Marian Rehak from comment #7)
> Steps to Reproduce:
> 1. Build bash with asan

you mean with -fsanitize=address right?

so the problem cannot be reproduced with standard bash packages?
maybe, would valgrind be of any help here?

Comment 9 Salvatore Bonaccorso 2022-11-24 15:06:02 UTC
(In reply to Marian Rehak from comment #7)
> Description of problem:
> I was fuzzing bash with AFL++ and found heap-buffer-overflow in
> valid_parameter_transform function.
> 
> Version-Release number of selected component (if applicable):
> 
> bash-5.1.16-3
> 
> How reproducible:
> Always.
> 
> Steps to Reproduce:
> 1. Build bash with asan
> 2. Run with AFL++ crafted input (in attachment)
> 
> Actual results:
> ASAN report:
> ==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6020000018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
> READ of size 1 at 0x6020000018b1 thread T0
>     #0 0x563102ad26ce in valid_parameter_transform
> /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
>     #1 0x563102ad26ce in parameter_brace_transform
> /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
>     #2 0x563102ab1bfc in parameter_brace_expand
> /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
>     #3 0x563102ab1bfc in param_expand
> /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
>     #4 0x563102a95295 in expand_word_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
>     #5 0x563102a93c3a in expand_word_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
>     #6 0x563102af2ffb in shell_expand_word_list
> /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
>     #7 0x563102af2ffb in expand_word_list_internal
> /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
>     #8 0x5631029c357a in expand_words
> /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
>     #9 0x5631029c357a in execute_simple_command
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
>     #10 0x5631029b3972 in execute_command_internal
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
>     #11 0x5631029adf52 in execute_command
> /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
>     #12 0x56310293ec72 in reader_loop
> /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
>     #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
>     #14 0x7ff11dbeed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId:
> 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
>     #15 0x7ff11dbeee3f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId:
> 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
>     #16 0x56310286e6c4 in _start
> (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)
> 
> 0x6020000018b1 is located 0 bytes to the right of 1-byte region
> [0x6020000018b0,0x6020000018b1)
> allocated by thread T0 here:
>     #0 0x5631028f150e in malloc
> (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
>     #1 0x563102b8eaee in xmalloc
> /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
>     #2 0x563102b8eaee in substring
> /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20
> 
> 
> Additional info:
> I also prepared a patch with a possible fix.
> 
> diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c
> --- bash-5.1-orig/subst.c	2022-08-29 18:56:11.071802865 +0000
> +++ bash-5.1/subst.c	2022-08-29 18:56:48.187435415 +0000
> @@ -7916,7 +7916,7 @@ static int
>  valid_parameter_transform (xform)
>       char *xform;
>  {
> -  if (xform[1])
> +  if (xform[0] && xform[1])
>      return 0;
>  
>    /* check for valid values of xform[0] */


Thank you! So this matches the information from 
https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html

Comment 10 Kamil Dudka 2022-11-24 15:17:05 UTC
(In reply to Karel Volný from comment #8)
> maybe, would valgrind be of any help here?

Yes, I was able to reproduce it on el9 with valgrind and attachment #1908373 [details].

Comment 11 Karel Volný 2022-12-01 11:02:49 UTC
(In reply to Kamil Dudka from comment #10)
> (In reply to Karel Volný from comment #8)
> > maybe, would valgrind be of any help here?
> 
> Yes, I was able to reproduce it on el9 with valgrind and attachment #1908373 [details]
> [details].

looks I no longer have access to bug #2122331 ... please could anyone share the reproducer here? (or alternatively make sure the other bug is accessible by the usual RH internal roles?)

Comment 12 Kamil Dudka 2022-12-01 13:57:42 UTC
Karel, I have added you on the CC list of bug #2122331.  You should be able to access it now.

Comment 14 Nikita Ivanov 2023-01-17 07:21:44 UTC
Hi!

1. The attachment you refer to in this thread is not accessible by other maintainers. Is there any way to gain access to it in order to fix vulnerability in other distro?
2. At the same time, the patch you had suggested wasn't applied in upstream version of bash. Could you publish the final version of the patch which was accepted to upsteam?

Best regards,
Nikita Ivanov | C Developer in Cloudlinux, Inc.

Comment 15 errata-xmlrpc 2023-01-23 15:22:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0340 https://access.redhat.com/errata/RHSA-2023:0340

Comment 16 Product Security DevOps Team 2023-01-25 11:22:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3715

Comment 17 Marian Rehak 2023-01-26 07:52:04 UTC
Please refer to https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html


Note You need to log in before you can comment on or make changes to this bug.