Segmentation fault (nullpointer dereference)
From: floyd
Subject: Segmentation fault (nullpointer dereference)
Date: Tue, 14 Mar 2017 15:41:36 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
Configuration Information [Automatically generated, do not change]:
Machine: arm
OS: linux-gnueabihf
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='arm' -DCONF_OSTYPE='linux-gnueabihf' -DCONF_MACHTYPE='arm-unknown-linux-gnueabihf' -DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I../. -I.././include -I.././lib -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall
uname output: Linux odroid-004 3.8.13.28 #1 SMP PREEMPT Mon Dec 1 17:16:28 BRST 2014 armv7l armv7l armv7l GNU/Linux
Machine Type: arm-unknown-linux-gnueabihf
Bash Version: 4.3
Patch Level: 11
Release Status: release
Description:
Actually also works on Bash-4.4 patch 12, x86, etc.
The following bash commands crash the bash:
<&-<${}
<&"-"<"$[~]"
<&"-"<"${}"
<&"-"<"${$0}"
<&"-"<$(())
But they are all triggered by the same bug. These were found by using
AFL: http://lcamtuf.coredump.cx/afl/
Repeat-By:
Just type in the above commands. If it doesn't work you can also try
echo -ne '<&-<${}'|bash
Fix:
Check for null pointer here:
Program received signal SIGSEGV, Segmentation fault.
0x000912a8 in buffered_getchar () at input.c:565
565 return (bufstream_getc (buffers[bash_input.location.buffered_fd]));
(gdb) bt
#0 0x000912a8 in buffered_getchar () at input.c:565
#1 0x0002f87c in yy_getc () at /usr/homes/chet/src/bash/src/parse.y:1390
#2 0x000302cc in shell_getc (remove_quoted_newline=1) at /usr/homes/chet/src/bash/src/parse.y:2299
#3 0x0002e928 in read_token (command=0) at /usr/homes/chet/src/bash/src/parse.y:3115
#4 0x00029d2c in yylex () at /usr/homes/chet/src/bash/src/parse.y:2675
#5 0x000262cc in yyparse () at y.tab.c:1834
#6 0x00025efc in parse_command () at eval.c:261
#7 0x00025de8 in read_command () at eval.c:305
#8 0x00025a70 in reader_loop () at eval.c:149
#9 0x0002298c in main (argc=1, argv=0xbefff824, env=0xbefff82c) at shell.c:792
(gdb) p bash_input.location.buffered_fd
$1 = 0
(gdb) p buffers
$2 = (BUFFERED_STREAM **) 0x174808
(gdb) x/10x 0x174808
0x174808: 0x00000000 0x00000000 0x00000000 0x00000000
0x174818: 0x00000000 0x00000000 0x00000000 0x00000000
0x174828: 0x00000000 0x00000000
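The following is an added illustration of the check the Fix section asks for; it is not bash's input.c and not code from the report. The names BUFFERED_STREAM, buffers[], bufstream_getc and buffered_getchar are reused only to mirror the backtrace, and the minimal stream layout, open_buffer, close_buffer and drain_checked are hypothetical. The point it shows is the one the gdb session makes: buffers[buffered_fd] can be NULL (every slot in the dump is zero), so the lookup must be validated before bufstream_getc dereferences it, and returning EOF is a safe way for the reader to signal "nothing to read" instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal per-fd buffered input stream (added model, not
 * bash's real BUFFERED_STREAM). */
typedef struct {
    char *data;   /* backing bytes */
    size_t len;   /* bytes available */
    size_t pos;   /* read cursor */
} BUFFERED_STREAM;

#define NBUFFERS 16
static BUFFERED_STREAM *buffers[NBUFFERS];  /* one slot per fd, NULL if unused */

/* Next byte of a stream, or EOF once it is exhausted. */
static int bufstream_getc(BUFFERED_STREAM *bp)
{
    if (bp->pos >= bp->len)
        return EOF;
    return (unsigned char)bp->data[bp->pos++];
}

/* Unguarded lookup: the pattern behind the reported crash. If buffers[fd]
 * is NULL (never allocated, or released when the fd was closed), the
 * bp->pos access inside bufstream_getc is a null-pointer dereference.
 * Kept for comparison only; never call it on an unopened slot. */
int buffered_getchar_unchecked(int fd)
{
    return bufstream_getc(buffers[fd]);
}

/* Guarded lookup: bounds-check the fd and test the slot before use.
 * EOF lets the caller treat the stream as already ended. */
int buffered_getchar_checked(int fd)
{
    if (fd < 0 || fd >= NBUFFERS || buffers[fd] == NULL)
        return EOF;
    return bufstream_getc(buffers[fd]);
}

/* Release a slot; afterwards buffers[fd] is the NULL the report hit. */
void close_buffer(int fd)
{
    if (fd < 0 || fd >= NBUFFERS || buffers[fd] == NULL)
        return;
    free(buffers[fd]->data);
    free(buffers[fd]);
    buffers[fd] = NULL;
}

/* Attach constructed input text to an fd slot; 0 on success, -1 on error. */
int open_buffer(int fd, const char *text)
{
    if (fd < 0 || fd >= NBUFFERS)
        return -1;
    close_buffer(fd);                      /* replace any existing stream */
    BUFFERED_STREAM *bp = malloc(sizeof *bp);
    if (bp == NULL)
        return -1;
    bp->len = strlen(text);
    bp->data = malloc(bp->len + 1);
    if (bp->data == NULL) {
        free(bp);
        return -1;
    }
    memcpy(bp->data, text, bp->len + 1);
    bp->pos = 0;
    buffers[fd] = bp;
    return 0;
}

/* Read an fd to EOF with the guarded reader; returns the byte count. */
int drain_checked(int fd)
{
    int n = 0;
    while (buffered_getchar_checked(fd) != EOF)
        n++;
    return n;
}

int main(void)
{
    open_buffer(0, "echo hi");             /* constructed sample input */
    printf("read %d bytes\n", drain_checked(0));
    close_buffer(0);
    /* Slot 0 is NULL now, the state the gdb dump shows; the guarded
     * reader returns EOF where the unguarded one would segfault. */
    printf("after close: %d (EOF is %d)\n", buffered_getchar_checked(0), EOF);
    return 0;
}
```

The guard covers both failure modes visible in the trace: an fd outside the table and a slot inside the table that holds NULL. Whether EOF is the right value to return depends on how the caller handles end of input; what matters for the fix is that the pointer is tested before it is used.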