BASH recursion segfault, FUNCNEST doesn't help

From: Gergely
Subject: BASH recursion segfault, FUNCNEST doesn't help
Date: Wed, 01 Jun 2022 20:49:12 +0000


I stumbled upon a recursion overflow crash in BASH. It affects both my
Debian machine (this report) and the latest stable built from

There's a slim chance this might be exploitable.

Gergely Kalman

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall
uname output: Linux test 5.17.0-2-amd64 #1 SMP PREEMPT Debian 5.17.6-1
(2022-05-14) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

     A file repeatedly sourcing itself crashes bash with a segfault.

     I did not have time to investigate, but it is alarming to me that
bash at some depths can survive the recursion, only to crash when I
try to run programs. This suggests to me that there's a very slim chance
of exploitability, but really I saw no point in investigating, as at this
point the attacker can pretty much already run code...

     As suggested in the previous report like this,
FUNCNEST doesn't help, somewhat unsurprisingly.

     Basic code to reproduce:

     echo '. a' > a; bash -c '. a'

     With FUNCNEST:

     export FUNCNEST=1000; echo '. a' > a; bash -c 'echo $FUNCNEST; . a'

     Code to test with N depth:

     if [ "$1" -eq 0 ]; then
         echo done
     #    id
     #    ls
     #    whoami
     else
         source a $(($1-1))
     fi



     bash -c '. a 4280' results in crashing after 'id' is run, but
before 'ls'. It doesn't seem to matter where I call these programs; bash
crashes all the same, whether I am in the deepest level or at the top.

     Varying the parameter I can also crash in various places, like:
bash, libtinfo, or libc:

     [438676.042819] bash[408615]: segfault at 7ffedc6aaff8 ip 000055bfc89a7966 sp 00007ffedc6ab000 error 6 in bash[55bfc899e000+bb000]
     [438679.191182] bash[408618]: segfault at 7ffd851ffff0 ip 00007fc71696dabf sp 00007ffd851fffe0 error 6 in
     [438681.979822] bash[408619]: segfault at 7fff8f8a7ff8 ip 00007f80a488d0fb sp 00007fff8f8a8000 error 6 in
     [438684.104766] bash[408620]: segfault at 7fff416f6eb0 ip 0000555b17112963 sp 00007fff416f6e70 error 6 in bash[555b17106000+bb000]
     [438685.969473] bash[408621]: segfault at 7fffd9e1d418 ip 00007f7d49d7ba76 sp 00007fffd9e1d410 error 6 in

     Place a limit on the depth of source-able files, like FUNCNEST.
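The two limits involved, as an added example that is not part of Gergely's report and not bash's own code: FUNCNEST does bound function recursion (bash aborts the command with "maximum function nesting level exceeded"), it has no effect on a file that sources itself, and a sourced file can carry its own depth guard until bash grows a built-in one. The file name `a`, the variables `SRC_MAX` and `__SRC_DEPTH`, and the helper names are this example's own assumptions; it needs `bash` on PATH and never runs the unguarded reproducer, which would crash the shell exactly as described above.

```shell
#!/usr/bin/env bash
# Added example, not code from the report or from bash itself.
# Shows: (1) FUNCNEST bounds function recursion, (2) it does not bound
# 'source' recursion, (3) a depth guard a sourced file can carry itself.
# SRC_MAX, __SRC_DEPTH and the file name 'a' are assumptions of this example.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# A self-sourcing file with a guard. Every level bumps a counter; at SRC_MAX
# it stops with 'return', which ends the innermost 'source' and unwinds.
# Without the guard this is the reporter's crashing one-liner (echo '. a' > a).
cat > "$workdir/a" <<'EOF'
: "${SRC_MAX:=100}" "${__SRC_DEPTH:=0}"
__SRC_DEPTH=$((__SRC_DEPTH + 1))
if [ "$__SRC_DEPTH" -ge "$SRC_MAX" ]; then
    printf 'a: source nesting limit reached (%d)\n' "$__SRC_DEPTH" >&2
    return 1
fi
. "${BASH_SOURCE[0]}"
EOF

# (1) Function recursion with FUNCNEST=$1 set inside the child shell.
# Prints the child's exit status: non-zero, because bash aborts the
# command with "maximum function nesting level exceeded" instead of
# running out of stack.
function_recursion_status() {
    status=0
    bash -c "FUNCNEST=$1; f() { f; }; f" 2>/dev/null || status=$?
    echo "$status"
}

# (2)+(3) Source recursion with FUNCNEST=$1 and the file's own SRC_MAX=$2.
# Prints the depth actually reached. Only SRC_MAX decides it; FUNCNEST is
# ignored by 'source', so FUNCNEST=5 still lets the file nest 50 deep.
source_recursion_depth() {
    bash -c 'FUNCNEST=$1; SRC_MAX=$2; . "$3"; echo "$__SRC_DEPTH"' \
        _ "$1" "$2" "$workdir/a" 2>/dev/null
}

# Demonstration run.
printf 'FUNCNEST=5, function recursion: exit status %s\n' \
    "$(function_recursion_status 5)"
printf 'FUNCNEST=5, source recursion: reached depth %s (stopped by SRC_MAX=50, not FUNCNEST)\n' \
    "$(source_recursion_depth 5 50)"
```

The guard uses `return` rather than `exit` so that a too-deep `source` fails like any other failed command (`. a` returns 1) and the caller keeps control; a shell script that wants to enforce this across every sourced file would put the same three lines at the top of each, or wrap `source` in a function that does the counting, which is the kind of limit the report asks for.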

