bug-bash

null ptr deref / segfault in bash 4.4.0(1)-beta


From: Brian Carpenter
Subject: null ptr deref / segfault in bash 4.4.0(1)-beta
Date: Fri, 18 Sep 2015 19:06:08 -0500

While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I came across another script which triggers a null ptr dereference and a segfault. This script seems to crash these other versions of bash as well:

4.2.37(1)-release on x86_64 Debian, 4.3.39(1)-release on x86_64 Red Hat

hexdump -v -C test00
00000000  5f 3d 28 7b 24 5b 3c 28  30 26 5f 3d 28 5d 29 0a  |_=({$[<(0&_=(]).|
00000010  30 29                                             |0)|
00000012

Valgrind: 
valgrind -q ~/bash/bash test00
test00: command substitution: line 2: unexpected EOF while looking for matching `)'
TRACE: pid 547: parse_string: longjmp executed: code = 2
==547== Invalid read of size 1
==547==    at 0x46E899: rewind_input_string (parse.y:1581)
==547==    by 0x46E899: yyparse (parse.y:1160)
==547==    by 0x430B3E: parse_command (eval.c:241)
==547==    by 0x430B3E: read_command (eval.c:285)
==547==    by 0x431654: reader_loop (eval.c:148)
==547==    by 0x429BDA: main (shell.c:767)
==547==  Address 0xfe is not stack'd, malloc'd or (recently) free'd
==547== 
==547== 
==547== Process terminating with default action of signal 11 (SIGSEGV)
==547==  Access not within mapped region at address 0xFE
==547==    at 0x46E899: rewind_input_string (parse.y:1581)
==547==    by 0x46E899: yyparse (parse.y:1160)
==547==    by 0x430B3E: parse_command (eval.c:241)
==547==    by 0x430B3E: read_command (eval.c:285)
==547==    by 0x431654: reader_loop (eval.c:148)
==547==    by 0x429BDA: main (shell.c:767)
==547==  If you believe this happened as a result of a stack
==547==  overflow in your program's main thread (unlikely but
==547==  possible), you can try to increase the size of the
==547==  main thread stack using the --main-stacksize= flag.
==547==  The main thread stack size used in this run was 8388608.
Segmentation fault

GDB:
Starting program: /home/geeknik/bash/bash test00
test00: command substitution: line 2: unexpected EOF while looking for matching `)'
TRACE: pid 15908: parse_string: longjmp executed: code = 2

Program received signal SIGSEGV, Segmentation fault.
yyparse () at ./parse.y:1581
1581     xchars++;
(gdb) bt
#0  yyparse () at ./parse.y:1581
#1  0x0000000000430b3f in read_command ()
#2  0x0000000000431655 in reader_loop ()
#3  0x0000000000429bdb in main () at shell.c:767
(gdb) i r
rax            0x0 0
rbx            0x2 2
rcx            0xffffff89 4294967177
rdx            0x0 0
rsi            0xff 255
rdi            0x0 0
rbp            0x95 0x95
rsp            0x7fffffffd220 0x7fffffffd220
r8             0x29 41
r9             0x0 0
r10            0x7fffffffd290 140737488343696
r11            0x0 0
r12            0x0 0
r13            0x7fffffffd290 140737488343696
r14            0xbaad48 12234056
r15            0x7fffffffd292 140737488343698
rip            0x46e899 0x46e899 <yyparse+33017>
eflags         0x10246 [ PF ZF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0 0
es             0x0 0
fs             0x0 0
gs             0x0 0

Regards,

Brian 'geeknik' Carpenter

Attachment: test00
Description: Binary data
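The following is an added reproduction helper, not part of Brian's report and not bash project code. It rebuilds test00 byte for byte from the hexdump in the message (the attachment is not otherwise available here), checks the result against the dump, and runs the file under a chosen bash binary, classifying the outcome by exit status: a child killed by SIGSEGV is reported by the calling shell as 128 + 11 = 139. The function names, the optional `timeout` guard (fuzz cases can hang as well as crash) and the default of whatever `bash` is on PATH are assumptions; on a bash that does not have this bug you should see an exit:N line rather than segv.

```shell
#!/bin/sh
# Reproduction helper for the test00 crash case (added example, not from the report).
# Usage: sh repro.sh [/path/to/bash]   (defaults to the bash found on PATH)

# Write test00 to the given path. The content is taken from the hexdump:
#   5f 3d 28 7b 24 5b 3c 28 30 26 5f 3d 28 5d 29 0a 30 29
# i.e. "_=({$[<(0&_=(])" newline "0)" with no trailing newline (18 bytes).
write_test00() {
    printf '%s\n%s' '_=({$[<(0&_=(])' '0)' > "$1"
}

# Print a file's bytes as one lowercase hex string, for comparison with the dump.
hex_of() {
    od -An -tx1 -v "$1" | tr -d ' \n'
}

# Expected bytes, copied from the hexdump in the report.
EXPECTED_HEX='5f3d287b245b3c2830265f3d285d290a3029'

# Run the case under the given bash and print one classification line:
#   segv      killed by SIGSEGV (exit status 139 = 128 + 11)
#   signal:N  killed by another signal N
#   timeout   still running after 10 s (only when coreutils timeout exists)
#   exit:N    exited normally with status N
classify_run() {
    bash_bin=$1
    case_file=$2
    status=0
    if command -v timeout >/dev/null 2>&1; then
        # GNU timeout exits 124 on expiry and otherwise passes through the
        # child's status, re-raising its fatal signal, so 128+N survives.
        timeout 10 "$bash_bin" "$case_file" >/dev/null 2>&1 || status=$?
        if [ "$status" -eq 124 ]; then
            echo timeout
            return 0
        fi
    else
        "$bash_bin" "$case_file" >/dev/null 2>&1 || status=$?
    fi
    if [ "$status" -eq 139 ]; then
        echo segv
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "exit:$status"
    fi
}

main() {
    bash_bin=${1:-bash}
    tmp=${TMPDIR:-/tmp}/test00.$$
    write_test00 "$tmp"
    if [ "$(hex_of "$tmp")" = "$EXPECTED_HEX" ]; then
        echo "test00 reconstructed: bytes match the hexdump in the report"
    else
        echo "byte mismatch, got: $(hex_of "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "$bash_bin test00 -> $(classify_run "$bash_bin" "$tmp")"
    rm -f "$tmp"
}

main "$@"
```

Point it at the build you want to check, e.g. `sh repro.sh ~/bash/bash`, and compare the classification line against the 139/SIGSEGV outcome in the report; if you want a core file for the gdb session shown above, raise `ulimit -c` before running.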


reply via email to

[Prev in Thread] Current Thread [Next in Thread]