bug-bash

Integer Overflow in braces


From: Pasha K
Subject: Integer Overflow in braces
Date: Sat, 15 Aug 2015 20:53:55 -0700

Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' -DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -g -O2
uname output: Linux work 3.18.19-1-tresor #1 SMP PREEMPT Wed Aug 5 08:03:47 UTC 2015 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.3
Patch Level: 42
Release Status: release

Description:
Integer overflow can be achieved, resulting in a segmentation fault from braces.c when using {..}.

 
(gdb) r -c "for x in {1..9223372036854775805}; do echo overflow; done"
Starting program: /home/pasha/bash/bash -c "for x in {1..9223372036854775805}; do echo overflow; done"

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff771b4f8 in __memset_avx2 () from /usr/lib/libc.so.6
(gdb) i r
rax            0xdfdfdfdf 3755991007
rbx            0x1 1
rcx            0xffffffffffff8248 -32184
rdx            0xfffffffffffffff0 -16
rsi            0x700248 7340616
rdi            0x708000 7372800
rbp            0x1 0x1
rsp            0x7fffffffe3f8 0x7fffffffe3f8
r8             0x1 1
r9             0x70759b 7370139
r10            0x0 0
r11            0x1999999999999999 1844674407370955161
r12            0x0 0
r13            0x0 0
r14            0x700258 7340632
r15            0xfffffffffffffff0 -16
rip            0x7ffff771b4f8 0x7ffff771b4f8 <__memset_avx2+392>
eflags         0x10287 [ CF PF SF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0 0
es             0x0 0
fs             0x0 0
gs             0x0 0
 
(gdb) x/50x $rip
 
(gdb) disas $rip-40,$rip
Dump of assembler code from 0x7ffff771b4d0 to 0x7ffff771b4f8:
   0x00007ffff771b4d0 <__memset_avx2+352>: mov    %esi,%eax
   0x00007ffff771b4d2 <__memset_avx2+354>: vmovdqu %ymm0,-0x80(%rsi)
   0x00007ffff771b4d7 <__memset_avx2+359>: vmovdqu %ymm0,-0x60(%rsi)
   0x00007ffff771b4dc <__memset_avx2+364>: vmovdqu %ymm0,-0x40(%rsi)
   0x00007ffff771b4e1 <__memset_avx2+369>: vmovdqu %ymm0,-0x20(%rsi)
   0x00007ffff771b4e6 <__memset_avx2+374>: sub    %rdx,%rax
   0x00007ffff771b4e9 <__memset_avx2+377>: vzeroupper 
   0x00007ffff771b4ec <__memset_avx2+380>: retq   
   0x00007ffff771b4ed <__memset_avx2+381>: nopl   (%rax)
   0x00007ffff771b4f0 <__memset_avx2+384>: sub    $0xffffffffffffff80,%rcx
   0x00007ffff771b4f4 <__memset_avx2+388>: vmovd  %xmm0,%eax
End of assembler dump.

$ $(which bash) --version
GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu)


Repeat-By:
        $(which bash) -c "for x in {1..9223372036854775805}; do echo overflow; done"

Fix:
    Make sure your overflow checks are done right after input is taken instead of before writing to memory.

Thank you,
Pasha Kravtsov

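An added example, not from the report and not bash's braces.c: a hypothetical, checked version of the sizing step the report's fix asks for, rejecting the range before any memory is touched. Note that (9223372036854775805 + 1) * sizeof(char *) wraps to 0xfffffffffffffff0 on x86_64, the same value sitting in rdx and r15 in the register dump above. It assumes a 64-bit intmax_t and the GCC/Clang __builtin_*_overflow helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of sizing a numeric brace sequence {lo..hi..incr} before allocating. */
enum seq_status { SEQ_OK = 0, SEQ_BAD_INCR, SEQ_COUNT_OVERFLOW, SEQ_BYTES_OVERFLOW };

/* What an unchecked "(count + 1) * sizeof (char *)" wraps to; for the report's
   input (count = 9223372036854775805) this is 0xfffffffffffffff0 on x86_64. */
uintmax_t wrapped_vector_bytes(uintmax_t count)
{
    return (count + 1) * sizeof(char *);   /* unsigned wrap, deliberately unchecked */
}

/* Hypothetical sizing helper: compute the element count and the bytes of a
   NULL-terminated char * vector for {lo..hi..incr}, refusing on any overflow.
   incr must be positive; direction comes from lo vs hi (GCC/Clang builtins). */
enum seq_status seq_alloc_size(intmax_t lo, intmax_t hi, intmax_t incr,
                               uintmax_t *nelem, size_t *nbytes)
{
    uintmax_t span, count, slots;
    size_t bytes;

    if (incr <= 0)
        return SEQ_BAD_INCR;
    /* |hi - lo| always fits in uintmax_t even when hi - lo overflows intmax_t:
       the unsigned subtraction is exact modulo 2^64 and the true value is < 2^64. */
    span = hi >= lo ? (uintmax_t)hi - (uintmax_t)lo : (uintmax_t)lo - (uintmax_t)hi;
    if (__builtin_add_overflow(span / (uintmax_t)incr, 1, &count))
        return SEQ_COUNT_OVERFLOW;             /* e.g. {INTMAX_MIN..INTMAX_MAX} */
    if (__builtin_add_overflow(count, 1, &slots) ||          /* +1 for the NULL end */
        __builtin_mul_overflow(slots, sizeof(char *), &bytes))
        return SEQ_BYTES_OVERFLOW;             /* the report's {1..9223372036854775805} */
    *nelem = count;
    *nbytes = bytes;
    return SEQ_OK;
}

int main(void)
{
    uintmax_t n;
    size_t bytes;
    enum seq_status st = seq_alloc_size(1, 9223372036854775805, 1, &n, &bytes);

    printf("{1..9223372036854775805}: status %d, unchecked size would wrap to 0x%jx\n",
           (int)st, wrapped_vector_bytes(9223372036854775805ULL));
    st = seq_alloc_size(10, 1, 3, &n, &bytes);
    printf("{10..1..3}: status %d, %ju elements, %zu bytes\n", (int)st, n, bytes);
    return 0;
}
```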
