[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Integer Overflow in braces

From: Dan Douglas
Subject: Re: Integer Overflow in braces
Date: Tue, 18 Aug 2015 07:54:48 -0500
User-agent: KMail/5.0.41 alpha1 (Linux/4.2.0-rc7; KDE/5.14.0; x86_64; ; )

On Monday, August 17, 2015 04:15:50 PM Eric Blake wrote:
> On 08/17/2015 09:58 AM, Pasha K wrote:
> > Hey Greg,
> > 
> > I wasn't particularly trying to actually generate that large amount of
> > strings in memory, I wa purposely trying to overflow the integer variable
> > "nelem"hoping to get Code Execution. This could potentially be a security
> > risk as shell shock was just more of a denial of service rather than
> > straight up code execution. However, just because I wasn't able to gain
> > control of the registers doesn't mean someone else with more skill can't.
> This is not a security risk.
> Shell shock was a security hole because the shell could be coerced into
> executing user-supplied code WITHOUT a way for a script to intervene.
> Any poorly-written shell script can do stupid things, including crashing
> bash because it overflows the heap by trying to allocate memory for such
> a stupidly large expansion.  But unless the problem can be triggered
> without a script (the way shell shock executed user code before even
> starting to parse a script), then you can't exploit the problem to gain
> any more access to the system than you already have by being able to run
> a script in the first place.
> Fix your script to not do stupid things, like trying an insanely-large
> brace expansion, or trying an 'eval' (or similar) on untrusted user
> input. But don't call it a bash security hole that bash allows you to
> write stupid scripts.

IMHO the issue of whether the integer is allowed to overflow is separate from 
the question of whether the resulting expansion is "too big". Code that does 
an `eval "blah{0..$n}"` is reasonably common and not necessarily stupid. 
Dan Douglas

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]