Re: Possibly Bash exploit
From: Piotr Grzybowski
Subject: Re: Possibly Bash exploit
Date: Fri, 22 Apr 2016 10:09:53 +0200
hi,
I cannot replicate this in any way. I just created 1024 functions and then ran
unset -f in a while [ 1 ]; do done; loop on the very same bash version but on
an earlier version of darwin, and everything seems fine.
Could you please provide the exact code that triggers the problem, together
with a description of how you are running it?
cheers,
pg
On 22 Apr 2016, at 01:12, Nikolay Kolev wrote:
> Basically, after doing a bunch of unset -f, I can crash Bash, version GNU
> bash, version 4.3.42(1)-release (x86_64-apple-darwin15.0.0), which could
> possibly be an attack vector. Here's the info from /var/log/system.log
>
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]:
> ReceiveMessageAndFileDescriptor
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: calling recvmsg...
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGHUP
> handler.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGCHLD
> handler.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Unblocking SIGCHLD.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Sending file
> descriptor and waiting on initial connection
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: send master fd and
> child pid 87966
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: All done. Waiting for
> client to disconnect or child to die.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4, errno=n/a
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Got a fd
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Return 4
> Apr 21 15:45:00 NikolayKolev-mac login[87966]: USER_PROCESS: 87966 ttys000
> Apr 21 15:45:07 NikolayKolev-mac -bash[87967]: -bash(87967,0x7fff79c34000)
> malloc: *** error for object 0x7: pointer being freed was not allocated
> *** set a breakpoint in malloc_error_break to debug
> Apr 21 15:45:07 NikolayKolev-mac diagnosticd[71728]: error evaluating process
> info - pid: 87967, punique: 187665
> Apr 21 15:45:07 NikolayKolev-mac login[87966]: DEAD_PROCESS: 87966 ttys000
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned -1,
> error = Interrupted system call
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned 1,
> error = Interrupted system call
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned. child
> dead=2, connection closed=0
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Connection closed.
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Unlink
> /var/tmp/iTerm2.socket.87965
> Apr 21 15:45:07 NikolayKolev-mac iTerm2[87962]: File descriptor server exited
> with status 0
> Apr 21 15:45:07 NikolayKolev-mac ReportCrash[87670]: Saved crash report for
> bash[87967] version 0 to
> /Users/NikolayKolev/Library/Logs/DiagnosticReports/bash_2016-04-21-154507_NikolayKolev-mac.crash
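
Added example, not part of the original thread: a small triage script that rejoins the mail-wrapped syslog lines, pulls out the malloc abort, and pairs it by pid with the ReportCrash entry. The sample log, host name, pids and report path are constructed and only modelled on the quoted system.log; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the quoted system.log, wrapped the way the mail is.
SAMPLE = """\
Apr 21 15:45:00 host1 login[4241]: USER_PROCESS: 4241 ttys000
Apr 21 15:45:07 host1 -bash[4242]: -bash(4242,0x7fff00000000)
malloc: *** error for object 0x7: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Apr 21 15:45:07 host1 login[4241]: DEAD_PROCESS: 4241 ttys000
Apr 21 15:45:07 host1 ReportCrash[999]: Saved crash report for
bash[4242] version 0 to
/Users/example/Library/Logs/DiagnosticReports/bash_example.crash
"""

HEADER = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.+?)\[(\d+)\]: ?(.*)$")
MALLOC = re.compile(r"malloc: \*\*\* error for object (0x[0-9a-fA-F]+): (.+?)(?: \*\*\*|$)")
SAVED = re.compile(r"Saved crash report for (\S+)\[(\d+)\] version \S+ to (\S+)")

def unwrap(text):
    """Rejoin continuation lines (no syslog header) onto the preceding record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()  # drop a mail quote marker
        if not line:
            continue
        if HEADER.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_heap_aborts(text):
    """Return one dict per malloc error, with the crash report path if logged."""
    aborts, reports = [], {}
    for rec in unwrap(text):
        m = HEADER.match(rec)
        if not m:
            continue
        ts, _host, proc, pid, msg = m.groups()
        if (e := MALLOC.search(msg)):
            aborts.append({"time": ts, "process": proc, "pid": int(pid),
                           "object": e.group(1), "error": e.group(2)})
        elif (s := SAVED.search(msg)):
            reports[int(s.group(2))] = s.group(3)  # keyed by crashed pid
    for a in aborts:
        a["report"] = reports.get(a["pid"])
    return aborts
```

The returned `report` path is the file to attach when asked for exact reproduction details, since it holds the backtrace that the syslog lines lack.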