Re: Possibly Bash explot

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possibly Bash explot

From:	Piotr Grzybowski
Subject:	Re: Possibly Bash explot
Date:	Fri, 22 Apr 2016 10:09:53 +0200

hi,

 I cannot replicate this in anyway, I just created 1024 functions and then ran 
unset -f in a while [ 1 ]; do done; loop on the very same bash version but on 
earlier version of darwin, and everything seems fine.
 Could you please provide the exact code that triggers the problem, together 
with a description of how you are running it?

cheers,
pg


On 22 Apr 2016, at 01:12, Nikolay Kolev wrote:

> Basically, after doing a bunch of unset -f, I can crash Bash, version GNU 
> bash, version 4.3.42(1)-release (x86_64-apple-darwin15.0.0), which could 
> possibly be an attack vector. Here's the info from /var/log/system.log
> 
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: 
> ReceiveMessageAndFileDescriptor
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: calling recvmsg...
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGHUP 
> handler.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGCHLD 
> handler.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Unblocking SIGCHLD.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Sending file 
> descriptor and waiting on initial connection
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: send master fd and 
> child pid 87966
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: All done. Waiting for 
> client to disconnect or child to die.
> Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4, errno=n/a
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Got a fd
> Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Return 4
> Apr 21 15:45:00 NikolayKolev-mac login[87966]: USER_PROCESS: 87966 ttys000
> Apr 21 15:45:07 NikolayKolev-mac -bash[87967]: -bash(87967,0x7fff79c34000) 
> malloc: *** error for object 0x7: pointer being freed was not allocated
>       *** set a breakpoint in malloc_error_break to debug
> Apr 21 15:45:07 NikolayKolev-mac diagnosticd[71728]: error evaluating process 
> info - pid: 87967, punique: 187665
> Apr 21 15:45:07 NikolayKolev-mac login[87966]: DEAD_PROCESS: 87966 ttys000
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned -1, 
> error = Interrupted system call
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned 1, 
> error = Interrupted system call
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned. child 
> dead=2, connection closed=0
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Connection closed.
> Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Unlink 
> /var/tmp/iTerm2.socket.87965
> Apr 21 15:45:07 NikolayKolev-mac iTerm2[87962]: File descriptor server exited 
> with status 0
> Apr 21 15:45:07 NikolayKolev-mac ReportCrash[87670]: Saved crash report for 
> bash[87967] version 0 to 
> /Users/NikolayKolev/Library/Logs/DiagnosticReports/bash_2016-04-21-154507_NikolayKolev-mac.crash

[Prev in Thread]

Current Thread

[Next in Thread]

Possibly Bash explot, Nikolay Kolev, 2016/04/22
- Re: Possibly Bash explot, Piotr Grzybowski <=
- Re: Possibly Bash explot, Chet Ramey, 2016/04/22
  - Re: Possibly Bash explot, Nikolay Kolev, 2016/04/22

Prev by Date: Possibly Bash explot
Next by Date: Re: history separates >| and 2>&1 tokens when recalled with !*
Previous by thread: Possibly Bash explot
Next by thread: Re: Possibly Bash explot
Index(es):
- Date
- Thread