Integer overflow of i in string_extract_verbatim
From: Eric Li <lixiaoyi13691419520@gmail.com>
To: bug-bash@gnu.org
Subject: Integer overflow of i in string_extract_verbatim
Date: Fri, 28 Apr 2023 18:25:45 -0400
User-agent: Evolution 3.46.4 (3.46.4-1.fc37)
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Og
uname output: Linux fedora 6.2.12-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 20 23:38:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.2
Patch Level: 15
Release Status: release
Description:
Bash runs into a segmentation fault when spawning a process with
argc larger than 2GB. One can debug using GDB and observe that
subst.c:1204 (string_extract_verbatim, "while (c = string[i])")
crashes because i = -2147483648. string[i] points to invalid
memory.
Repeat-By:
1. Put the following shell script to a.sh:
A='aaaaaaaaaaaaaaaaaaaaaaaa'
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
A="$A$A$A$A"
set -o pipefail
echo $A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A | wc
echo $?
echo done
2. Run "./bash a.sh"
3. See
a.sh: line 15: ... Segmentation fault (core dumped)
4. Use the following command to debug with GDB
gdb ./bash --ex 'set follow-fork-mode child' --ex 'r a.sh'
5. See GDB output similar to following:
Thread 2.1 "bash" received signal SIGSEGV, Segmentation fault.
... in string_extract_verbatim (...) at subst.c:1204
1204 while (c = string[i])
6. Using GDB, one can see that i = -2147483648.
Fix:
In string_extract_verbatim, change "int i" to "size_t i".
Also need to change other places, including:
* Argument sindex of string_extract_verbatim
* Variable sindex of get_word_from_string
* Argument sindex of string_extract_single_quoted
* ...
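The arithmetic behind the crash, as an added C illustration that is not part of the report and not bash's code: it shows what an `int` counter holds after INT_MAX+1 increments (computed through uint32_t so the program itself never performs the undefined signed overflow), sizes the single word the reproducer builds (seed length, quadrupling rounds and copy count are read off the script above), and contrasts a hypothetical size_t-indexed scanner in the spirit of the proposed fix. `extract_verbatim_sized` is a simplified stand-in, not the real `string_extract_verbatim`, and the sample input is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value an `int` loop counter holds after being incremented n times from
 * zero.  The wrap is computed in uint32_t (well-defined) and then mapped to
 * two's-complement int, so this never executes the signed overflow that is
 * undefined behaviour in C; it only reports what the register ends up with. */
static int int_counter_after(uint64_t n)
{
    uint32_t u = (uint32_t)(n & 0xffffffffULL);
    if (u > (uint32_t)INT_MAX)
        return (int)((int64_t)u - ((int64_t)1 << 32));
    return (int)u;
}

/* A scan of a NUL-terminated string of len bytes must index string[len] to
 * see the terminator, so an `int` index turns negative (and string[i] then
 * points far below the buffer) exactly when len exceeds INT_MAX. */
static int int_index_goes_negative(uint64_t len)
{
    return len > (uint64_t)INT_MAX;
}

/* Size in bytes of the one word the script hands to echo: a seed of
 * seed_len bytes, quadrupled quad_rounds times, then copies concatenated.
 * The values (24, 11, 24) used below are read off the reproducer above. */
static uint64_t reproducer_word_length(uint64_t seed_len, int quad_rounds,
                                       int copies)
{
    uint64_t a = seed_len;
    for (int r = 0; r < quad_rounds; r++)
        a *= 4;
    return a * (uint64_t)copies;
}

/* Hypothetical size_t-indexed scanner in the spirit of the proposed fix
 * (not bash's string_extract_verbatim): copy bytes from string[*sindex]
 * up to the first byte found in charlist or the terminator, advance
 * *sindex to that position and return a malloc'd copy.  Every index is
 * size_t, so it cannot wrap for any string that fits in memory. */
static char *extract_verbatim_sized(const char *string, size_t slen,
                                    size_t *sindex, const char *charlist)
{
    size_t start = *sindex;
    size_t i = start;

    while (i < slen && string[i] != '\0' && strchr(charlist, string[i]) == NULL)
        i++;

    char *out = malloc(i - start + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, string + start, i - start);
    out[i - start] = '\0';
    *sindex = i;
    return out;
}

int main(void)
{
    uint64_t len = reproducer_word_length(24, 11, 24);
    printf("reproducer word: %llu bytes; int index goes negative: %s\n",
           (unsigned long long)len,
           int_index_goes_negative(len) ? "yes" : "no");
    printf("int counter after INT_MAX+1 increments: %d\n",
           int_counter_after((uint64_t)INT_MAX + 1));

    /* Constructed sample input: two words separated by a space. */
    const char *sample = "foo bar";
    size_t idx = 0;
    char *word = extract_verbatim_sized(sample, strlen(sample), &idx, " ");
    if (word != NULL) {
        printf("first word: \"%s\", scan stopped at index %zu\n", word, idx);
        free(word);
    }
    return 0;
}
```

The point the report makes about `sindex` follows from the same arithmetic: every `int` that receives or returns the scan position, not just the loop counter, has to become `size_t`, otherwise the wrapped value simply re-enters through a different parameter.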