bug-bash
Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1


From: Julien Moutinho
Subject: Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1's malloc.c
Date: Mon, 4 Oct 2021 23:28:55 +0200

On Oct 04 2021, Chet Ramey wrote:
> I suspect this is a buffer overflow introduced between systemd-247 and
> systemd-249. It's not caught when building bash without the bash malloc
> because the default libc malloc probably doesn't do the bounds checking
> the bash malloc does, even without malloc debugging turned on.

Chet, thanks for your detailed analysis,
I've opened an issue to get some inputs from systemd's devs:
https://github.com/systemd/systemd/issues/20931

On Mon, 04 Oct 2021 22:44 +0200, Andreas Schwab wrote:
> If it's a buffer overflow, then valgrind should be able to catch it
> (when bash is configured --without-bash-malloc).  valgrind's bounds
> checking is much more advanced than what a checking malloc can do.

Andreas, just to confirm that so far I'm unable to get a crash or error
when using --without-bash-malloc, even in valgrind (but I'm a newbie at 
valgrind).

# systemd-run --pipe -p DynamicUser=1 \
    -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib \
    -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash \
    -- $(readlink $(which valgrind)) --trace-children=yes \
    -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3128.service
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command: /nix/store/2kw8gj9lm1kn6zbpw5nf68h7msm1y716-bash-5.1-p8/bin/bash --norc -c /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426== 
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command: /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426== 
> ==669426== 
> ==669426== HEAP SUMMARY:
> ==669426==     in use at exit: 3,550 bytes in 10 blocks
> ==669426==   total heap usage: 903 allocs, 893 frees, 5,165,001 bytes allocated
> ==669426== 
> ==669426== LEAK SUMMARY:
> ==669426==    definitely lost: 0 bytes in 0 blocks
> ==669426==    indirectly lost: 0 bytes in 0 blocks
> ==669426==      possibly lost: 0 bytes in 0 blocks
> ==669426==    still reachable: 3,446 bytes in 9 blocks
> ==669426==         suppressed: 104 bytes in 1 blocks
> ==669426== Rerun with --leak-check=full to see details of leaked memory
> ==669426== 
> ==669426== For lists of detected and suppressed errors, rerun with: -s
> ==669426== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

# systemd-run --pipe -p DynamicUser=1 \
    -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib \
    -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash \
    -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3109.service
> uid=62878(run-u3109) gid=62878(run-u3109) groups=62878(run-u3109)
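
The following is an added illustration, not code from bash, systemd, or anyone in this thread. It shows the class of bug Chet describes above: an NSS-style routine that copies lookup fields into a caller-supplied buffer and miscounts the space it needs by one byte, so it writes one byte past the end. The record fields, the filler, and its off-by-one are all constructed for the example; nothing here claims to be the actual defect in libnss_systemd, which this thread does not establish. The small guard-byte allocator stands in for what a checking malloc such as bash's does (a canary after the usable region, verified at free), while a plain malloc has no such check and lets the same write go unnoticed.

```c
/* Added example (hypothetical NSS-style filler; not bash's or systemd's code).
 * A getpwnam_r-like routine copies NUL-terminated fields into a buffer the
 * caller owns and must return ERANGE when the buffer is too small.  The
 * "buggy" variant forgets to count the terminator of the last field, so a
 * buffer that is exactly one byte short is accepted and overrun by one byte.
 * The guard allocator mimics a bounds-checking malloc: one canary byte after
 * the usable region, checked when the block is released. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5
#define NFIELDS 3

/* Constructed sample record standing in for an NSS lookup result
 * (name, home directory, shell). */
static const char *const SAMPLE_FIELDS[NFIELDS] = {
    "run-u3109", "/", "/sbin/nologin"
};

struct outcome {
    int accepted;      /* 1 if the filler returned 0, 0 if it returned ERANGE */
    int guard_intact;  /* 1 if the canary after the buffer survived */
};

/* Exact size the record needs: every field plus its NUL terminator. */
size_t exact_need(void)
{
    size_t need = 0;
    for (int i = 0; i < NFIELDS; i++)
        need += strlen(SAMPLE_FIELDS[i]) + 1;
    return need;
}

/* Copy all fields into buf, each followed by its NUL.  count_last_nul == 0
 * reproduces the hypothetical bug: the size check ignores the final
 * terminator, but memcpy still writes it. */
static int fill_fields(char *buf, size_t buflen, int count_last_nul)
{
    size_t need = exact_need();
    if (!count_last_nul)
        need -= 1;                         /* the off-by-one in the size check */
    if (need > buflen)
        return ERANGE;                     /* correct behaviour: tell caller to grow */
    char *p = buf;
    for (int i = 0; i < NFIELDS; i++) {
        size_t n = strlen(SAMPLE_FIELDS[i]) + 1;
        memcpy(p, SAMPLE_FIELDS[i], n);    /* writes the NUL, last field included */
        p += n;
    }
    return 0;
}

int fill_buggy(char *buf, size_t buflen) { return fill_fields(buf, buflen, 0); }
int fill_fixed(char *buf, size_t buflen) { return fill_fields(buf, buflen, 1); }

/* Guard allocator: `n` usable bytes followed by one canary byte. */
static char *guard_alloc(size_t n)
{
    char *p = malloc(n + 1);
    if (p)
        p[n] = (char)CANARY;
    return p;
}

/* Like a checking malloc's free(): report whether the canary survived. */
static int guard_check_and_free(char *p, size_t n)
{
    int ok = ((unsigned char)p[n] == CANARY);
    free(p);
    return ok;
}

/* Run `filler` against a guarded buffer of exactly `buflen` bytes. */
struct outcome run_case(int (*filler)(char *, size_t), size_t buflen)
{
    struct outcome r = { 0, 0 };
    char *buf = guard_alloc(buflen);
    if (!buf)
        return r;
    r.accepted = (filler(buf, buflen) == 0);
    r.guard_intact = guard_check_and_free(buf, buflen);
    return r;
}

int main(void)
{
    size_t n = exact_need();
    struct outcome b = run_case(fill_buggy, n - 1);
    struct outcome f = run_case(fill_fixed, n - 1);
    printf("record needs %zu bytes\n", n);
    printf("buggy filler, %zu-byte buffer: accepted=%d guard_intact=%d\n",
           n - 1, b.accepted, b.guard_intact);
    printf("fixed filler, %zu-byte buffer: accepted=%d guard_intact=%d\n",
           n - 1, f.accepted, f.guard_intact);
    return 0;
}
```

With the guard byte in place the buggy filler is caught at free time, which is the kind of check a bounds-checking malloc performs even without malloc debugging enabled. Against a plain malloc(buflen) buffer the same write lands one byte past the allocation: glibc's default malloc does not notice, whereas valgrind's memcheck or a build with -fsanitize=address reports it as an invalid write, which is why the thread suggests testing a --without-bash-malloc build under valgrind.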


