bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 4-byte script triggers null ptr deref and segfault


From: Greg Wooledge
Subject: Re: 4-byte script triggers null ptr deref and segfault
Date: Thu, 17 Sep 2015 13:20:17 -0400
User-agent: Mutt/1.4.2.3i

On Thu, Sep 17, 2015 at 11:50:44AM -0500, Brian Carpenter wrote:
> While fuzzing GNU bash version 4.3.42(1)-release
> (x86_64-unknown-linux-gnu) with AFL(http://lcamtuf.coredump.cx/afl), I
> stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a
> segfault.
> 
> https://savannah.gnu.org/support/index.php?108885

Well, that's an annoying web-to-mail interface.  It didn't include the
full bug report?

The web page says the hexdump of the attached script is 3b21 2620
which I would normally interpret as `;!& '.

But the attached script itself is actually `!; &'.  Apparently the
hex dump tool in question is doing some sort of 16-bit grouping with
little endian byte swapping.

After getting the correct content into the script, I can reproduce
this on HP-UX in 4.3.39:

imadev:~$ printf '!; &' > x
imadev:~$ bash x
Segmentation fault (core dumped)



reply via email to

[Prev in Thread] Current Thread [Next in Thread]