[PATCH] `bind -x' inside `bind -x' bindings causes execution of random s

From: Koichi Murase
Subject: [PATCH] `bind -x' inside `bind -x' bindings causes execution of random strings
Date: Fri, 4 May 2018 00:27:29 +0900

Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu'
-DLOCALEDIR='/home/murase/opt/bash-4.4.19/share/locale' -DPACKAGE=\
'bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -O2
-march=native -Wno-parentheses -Wno-format-security
uname output: Linux padparadscha 4.13.13-100.fc25.i686 #1 SMP Wed Nov
15 18:24:19 UTC 2017 i686 i686 i386 GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release


  After calls of `bind -x' inside functions called via `bind -x',
random strings are executed as a command.

  This happens in the following way: When the binding is overwritten
using `bind -x' inside the function called through `bind -x' bindings,
the original string registered for the binding is deallocated although
it is still under evaluation. Then the memory block will be allocated
for other purposes and the content will be rewritten. Finally the new
data written to the memory block is evaluated.


  The following example is a minimal example that reproduces the problem.

  $ bash-4.4 --norc
  $ f1() { bind -x '"\C-t": f1'; }; f1

  After this, on typing `C-t', a random string is executed as a
command string and produces error messages like:

  bash-4.4: $'\317\003': command not found

  At least all the versions from Bash 4.0 to Bash 4.4 have the same
problem. I haven't checked for Bash 3.2 or older versions.


  Maybe the usage in the above example seems useless to some people,
but it's just a reduced example. In my complex scripts I do need to
rebind key bindings in `bind -x' functions. I attach a patch for devel
branch to allow safe `bind -x' inside the function called through
`bind -x' bindings.

  Also, the execution of random memory contents can generally be a
security issue, although I'm not sure if this problem can really be
used for attacks. Basically the content written to the deallocated
strings is not under control, but it's difficult to ensure that there
is no way for another user to control the content. So maybe it's better
to apply this fix also to older versions of Bash.

Best regards,

Attachment: 0001-fix-a-bug-that-random-commands-are-executed-after-bi.patch
Description: Binary data
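The following C program is an added illustration of the sequence the report describes; it is not bash source and not the attached patch. It stands in a tiny slot allocator with a LIFO free list for malloc/free (so that the most recently freed block is the next one handed out, as with same-size chunks in glibc), a single `bound_cmd' pointer for readline's key table, `bind_x' for the builtin, `f1' for the user's function, and `run_commands' for parse_and_execute walking the command string with a cursor. All of those names, the "GARBAGE;GARBAGE" scratch data that lands in the freed slot, and the ';'-separated command syntax are assumptions made for the illustration. `press_key(0)' runs the live binding string, as the buggy code does, and the walker ends up executing whatever now occupies the freed block; `press_key(1)' shows the remedy of evaluating a private copy, so that a rebind inside the handler cannot free the buffer being parsed.

```c
/*
 * Model of the `bind -x' use-after-free. Added illustration, NOT bash
 * source: the pool allocator, the key table and the command runner are
 * hypothetical stand-ins for malloc/free, readline's binding table and
 * parse_and_execute.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SLOT_SIZE 32
#define NSLOTS 8

/* LIFO free list of fixed-size slots: the block freed most recently is
   the block handed out next, as glibc does for same-size chunks. */
static char pool[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void pool_init(void)
{
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;
}

static char *pool_alloc(void)
{
    return free_top > 0 ? pool[free_stack[--free_top]] : NULL;
}

static void pool_free(char *p)
{
    free_stack[free_top++] = (int)((p - &pool[0][0]) / SLOT_SIZE);
}

/* The single key binding, like readline's table entry for C-t. */
static char *bound_cmd;

/* `bind -x' stand-in: install the new command string, release the old
   one. The old string may still be under evaluation at this point. */
static void bind_x(const char *cmd)
{
    char *fresh = pool_alloc();
    strcpy(fresh, cmd);
    if (bound_cmd)
        pool_free(bound_cmd);
    bound_cmd = fresh;
}

/* Execution log: one line per "executed" command. */
static char log_buf[256];

static void log_cmd(const char *s, size_t n)
{
    strncat(log_buf, s, n);
    strcat(log_buf, "\n");
}

/* The user's f1: rebinds C-t to itself, then does other work that needs
   memory (modelled as one scratch allocation, standing in for whatever
   bash or readline allocates next). The scratch block is the just-freed
   command string, so its contents overwrite the text being parsed. */
static void f1(void)
{
    bind_x("f1;echo ok");
    char *scratch = pool_alloc();
    strcpy(scratch, "GARBAGE;GARBAGE");   /* hypothetical unrelated data */
}

/* parse_and_execute stand-in: walks the buffer with a cursor, running
   each ';'-separated command. If the buffer is freed and reused during
   a command, the cursor continues into whatever now occupies it. */
static void run_commands(const char *buf)
{
    const char *p = buf;
    while (*p) {
        const char *semi = strchr(p, ';');
        size_t n = semi ? (size_t)(semi - p) : strlen(p);
        log_cmd(p, n);
        if (n == 2 && memcmp(p, "f1", 2) == 0)
            f1();
        p += n;
        if (*p == ';')
            p++;
    }
}

/* Simulate one press of C-t after `f1' installed the binding.
   copy_first == 0: evaluate the live binding string (the bug).
   copy_first != 0: evaluate a private copy and free it afterwards.
   Returns the log of executed commands. */
static const char *press_key(int copy_first)
{
    pool_init();
    log_buf[0] = '\0';
    bound_cmd = NULL;
    bind_x("f1;echo ok");

    if (copy_first) {
        char *copy = pool_alloc();
        strcpy(copy, bound_cmd);
        run_commands(copy);
        pool_free(copy);
    } else {
        run_commands(bound_cmd);
    }
    return log_buf;
}

int main(void)
{
    printf("live buffer:\n%s\n", press_key(0));
    printf("private copy:\n%s\n", press_key(1));
    return 0;
}
```

With the live buffer the log reads "f1", "RBAGE", "GARBAGE": the cursor resumed at offset 2 of a block that now holds the scratch data, which is the model's counterpart of the `$'\317\003': command not found' message in the report. With the private copy the log reads "f1", "echo ok".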

