The analysis started by fetching content from the BusyBox bug tracker URL provided in the references. This revealed an ASAN stack trace and a patch for the vulnerability (CVE-2022-48174).

The ASAN trace reported a dynamic-stack-buffer-overflow in the evaluate_string function in shell/math.c. It also showed that evaluate_string was called by ash_arith in shell/ash.c at line 6030 (ash.c:6030).

The patch modified evaluate_string in shell/math.c. Specifically, it changed the alloca size for numstack. The line removed by this patch, var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));, represents the vulnerable code that inadequately allocated space, leading to the overflow. A follow-up commit (d417193cf) was identified as the final fix; it further modified the allocation in evaluate_string to alloca(expr_len * sizeof(numstack[0])), confirming that the allocation size was the core issue.

Based on this, evaluate_string is identified as the function containing the direct memory corruption vulnerability (insufficient alloca). ash_arith is identified as the function in ash.c that processes the potentially malicious input (the arithmetic expression from the shell) and calls evaluate_string, thereby triggering the vulnerability. Both functions would appear in a runtime profile during exploitation.
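The following C example is added here to illustrate the sizing defect described above; it is not BusyBox code and does not reproduce the shell's arithmetic parser. It models the operand stack as a bounds-checked structure (num_t, numstack_t, numstack_push and simulate_pushes are hypothetical names), encodes the two sizing rules quoted on the page (expr_len / 2 entries before the fix, expr_len entries after it), and shows that when the number of pushes approaches the input length the smaller capacity is exhausted. With a checked push the result is a clean failure return instead of the dynamic-stack-buffer-overflow that ASAN reported for the unchecked alloca buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for BusyBox's var_or_num_t; only the value matters here. */
typedef struct {
    long long val;
} num_t;

/* Operand stack with a fixed capacity. numstack_push refuses to write past the
 * end instead of overflowing, which is the failure mode behind CVE-2022-48174. */
typedef struct {
    num_t *items;
    size_t cap;
    size_t len;
} numstack_t;

/* Sizing rules quoted on the page: the removed line reserved expr_len / 2
 * entries, the final fix (d417193cf) reserves expr_len entries. */
size_t numstack_cap_vulnerable(size_t expr_len) { return expr_len / 2; }
size_t numstack_cap_fixed(size_t expr_len) { return expr_len; }

/* Heap allocation is used here so the example is portable; the original used alloca. */
int numstack_init(numstack_t *s, size_t cap) {
    s->items = calloc(cap ? cap : 1, sizeof(num_t));
    if (s->items == NULL) return -1;
    s->cap = cap;
    s->len = 0;
    return 0;
}

/* Returns 0 on success, -1 when the stack is already full. */
int numstack_push(numstack_t *s, long long v) {
    if (s->len >= s->cap) return -1;
    s->items[s->len++].val = v;
    return 0;
}

void numstack_free(numstack_t *s) {
    free(s->items);
    s->items = NULL;
    s->cap = s->len = 0;
}

/* Pushes `pushes` operands into a stack of capacity `cap`.
 * Returns 0 if every push fit, -1 if the capacity was exhausted.
 * The fix sizing the stack to expr_len implies that evaluation may need up to
 * one slot per input byte, so `pushes == expr_len` is the bound worth checking. */
int simulate_pushes(size_t pushes, size_t cap) {
    numstack_t s;
    int rc = 0;
    if (numstack_init(&s, cap) != 0) return -1;
    for (size_t i = 0; i < pushes; i++) {
        if (numstack_push(&s, (long long)i) != 0) {
            rc = -1;            /* checked push: no write past the buffer */
            break;
        }
    }
    numstack_free(&s);
    return rc;
}

int main(void) {
    size_t expr_len = 16;   /* constructed input length for the demonstration */
    printf("expr_len=%zu, pushes=%zu\n", expr_len, expr_len);
    printf("capacity expr_len/2 -> %s\n",
           simulate_pushes(expr_len, numstack_cap_vulnerable(expr_len)) == 0 ? "fits" : "exhausted");
    printf("capacity expr_len   -> %s\n",
           simulate_pushes(expr_len, numstack_cap_fixed(expr_len)) == 0 ? "fits" : "exhausted");
    return 0;
}
```

For an input of 16 bytes the program reports that a capacity of 8 is exhausted while a capacity of 16 fits, which is the difference between the removed allocation line and the final fix.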