bug-bash

Segmentation fault (null pointer dereference)


From: floyd
Subject: Segmentation fault (null pointer dereference)
Date: Tue, 14 Mar 2017 15:41:36 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

Configuration Information [Automatically generated, do not change]:
Machine: arm
OS: linux-gnueabihf
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='arm'
-DCONF_OSTYPE='linux-gnueabihf'
-DCONF_MACHTYPE='arm-unknown-linux-gnueabihf' -DCONF_VENDOR='unknown'
-DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H
  -I.  -I../. -I.././include -I.././lib  -D_FORTIFY_SOURCE=2 -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -Wall
uname output: Linux odroid-004 3.8.13.28 #1 SMP PREEMPT Mon Dec 1
17:16:28 BRST 2014 armv7l armv7l armv7l GNU/Linux
Machine Type: arm-unknown-linux-gnueabihf

Bash Version: 4.3
Patch Level: 11
Release Status: release

Description:
Actually also works on Bash-4.4 patch 12, x86, etc.
The following bash commands crash bash:
<&-<${}
<&"-"<"$[~]"
<&"-"<"${}"
<&"-"<"${$0}"
<&"-"<$(())
But they are all triggered by the same bug. These were found by using
AFL: http://lcamtuf.coredump.cx/afl/

Repeat-By:
        Just type in the above commands. If it doesn't work, you can also try
echo -ne '<&-<${}'|bash
Fix:
        Check for a null pointer here:
Program received signal SIGSEGV, Segmentation fault.
0x000912a8 in buffered_getchar () at input.c:565
565   return (bufstream_getc (buffers[bash_input.location.buffered_fd]));
(gdb) bt
#0  0x000912a8 in buffered_getchar () at input.c:565
#1  0x0002f87c in yy_getc () at /usr/homes/chet/src/bash/src/parse.y:1390
#2  0x000302cc in shell_getc (remove_quoted_newline=1) at
/usr/homes/chet/src/bash/src/parse.y:2299
#3  0x0002e928 in read_token (command=0) at
/usr/homes/chet/src/bash/src/parse.y:3115
#4  0x00029d2c in yylex () at /usr/homes/chet/src/bash/src/parse.y:2675
#5  0x000262cc in yyparse () at y.tab.c:1834
#6  0x00025efc in parse_command () at eval.c:261
#7  0x00025de8 in read_command () at eval.c:305
#8  0x00025a70 in reader_loop () at eval.c:149
#9  0x0002298c in main (argc=1, argv=0xbefff824, env=0xbefff82c) at
shell.c:792
(gdb) p bash_input.location.buffered_fd
$1 = 0
(gdb) p buffers
$2 = (BUFFERED_STREAM **) 0x174808
(gdb) x/10x 0x174808
0x174808:   0x00000000  0x00000000  0x00000000  0x00000000
0x174818:   0x00000000  0x00000000  0x00000000  0x00000000
0x174828:   0x00000000  0x00000000
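As an added regression check (not part of the report or of bash itself), the POSIX sh harness below feeds each of the five reported triggers to a bash binary on its standard input, the way the report's `echo -ne '<&-<${}'|bash` does, and counts how many runs die with SIGSEGV (exit status 128+11 = 139). The only assumptions are the path to the bash binary under test and a working `mktemp`.

```sh
#!/bin/sh
# Regression check for the null pointer crash reported above (constructed
# example): run each trigger through a bash binary's standard input, as the
# reporter did with `echo -ne '<&-<${}'|bash`, and count SIGSEGV exits.

# The five trigger commands quoted in the report, one per line.
TRIGGERS='<&-<${}
<&"-"<"$[~]"
<&"-"<"${}"
<&"-"<"${$0}"
<&"-"<$(())'

# run_trigger BASH CMD: feed CMD to BASH on stdin and print the exit status.
# A death by signal is reported as 128+signo, so SIGSEGV (11) shows as 139.
run_trigger() {
    # Empty scratch dir so `<$(())`, i.e. `<0`, cannot open a stray file "0".
    tmp=$(mktemp -d 2>/dev/null) || tmp=.
    if ( cd "$tmp" && printf '%s\n' "$2" | "$1" >/dev/null 2>&1 ); then
        status=0
    else
        status=$?
    fi
    if [ "$tmp" != . ]; then rmdir "$tmp" 2>/dev/null || :; fi
    echo "$status"
}

# count_segfaults [BASH]: print how many triggers crash BASH (default: the
# bash found in PATH) with SIGSEGV; each crashing trigger is listed on stderr.
count_segfaults() {
    bash_bin=${1:-bash}
    crashes=0
    while IFS= read -r line; do
        st=$(run_trigger "$bash_bin" "$line")
        if [ "$st" -eq 139 ]; then
            crashes=$((crashes + 1))
            printf 'SEGV (%s): %s\n' "$bash_bin" "$line" >&2
        fi
    done <<EOF
$TRIGGERS
EOF
    echo "$crashes"
}
```

A patched bash prints `0`; a build with the bug from the report lists the crashing triggers on stderr and prints their count.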


