From e63d7cdfdac78c6fd27e9e63150335767592b85e Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 17 Jun 2022 17:45:34 +0200 Subject: awk: fix use after free (CVE-2022-30065) fixes https://bugs.busybox.net/show_bug.cgi?id=14781 function old new delta evaluate 3343 3357 +14 Signed-off-by: Natanael Copa Signed-off-by: Denys Vlasenko --- editors/awk.c | 3 +++ testsuite/awk.tests | 6 ++++++ 2 files changed, 9 insertions(+) --- a/editors/awk.c +++ b/editors/awk.c @@ -3114,6 +3114,9 @@ static var *evaluate(node *op, var *res) case XC( OC_MOVE ): debug_printf_eval("MOVE\n"); + /* make sure that we never return a temp var */ + if (L.v == TMPVAR0) + L.v = res; /* if source is a temporary string, jusk relink it to dest */ if (R.v == TMPVAR1 && !(R.v->type & VF_NUMBER) --- a/testsuite/awk.tests +++ b/testsuite/awk.tests @@ -469,4 +469,10 @@ testing 'awk printf %% prints one %' \ "%\n" \ '' '' +testing 'awk assign while test' \ + "awk '\$1==\$1=\"foo\" {print \$1}'" \ + "foo\n" \ + "" \ + "foo" + exit $FAILCOUNT