Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities



On 5/17/19, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
> On 5/17/19, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
>> On 5/16/19, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx> wrote:
>>> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>>>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>>>> crash with true as the condition. A variety of things can be used in
>>>> the condition. while .. do .. done can be used in place of if .. then ..
>>>> fi, && or ||. The me > you part can be cut down to :. Try the following:
>>>>
>>>>   if [[ m -eq y ]]; then
>>>>     : && !
>>>>     :
>>>>   fi
>>>>
>>>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>>>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>>>> causing it to index well beyond the range of s->strs. I'd be inclined
>>>> to suspect the problem comes earlier when parsing this into wordcode.
>>>
>>> I'm starting to wonder if this is an allocation rather than a parsing
>>> problem --- the parsing is OK but something goes wrong with the final
>>> pointer / afterwards / in building or copying the word code, so
>>> that gettext2() or the exec code ends up trying to interpret garbage at
>>> the end.
>>
>> FWIW I ran this under valgrind, and the first invalid read is the one
>> that causes the segfault, so no help there.
>
> Played with gdb reverse debugging a bit and found that at one point
> before the crash, we have this somewhat incorrect string built up:
> (gdb) p tptr-48
> $28 = 0x6e7560 <jbuf> "if [[ m -eq y ]]; then; : && ! :; select G\305\305 in
> "

If I save the above code in a file, named crash.zsh and run zsh -fc
'source crash.zsh' then it will crash. If I run zcompile on it, and
then run the same command, I instead get the infinite loop in text.c:

420		if (stack) {
(gdb)
421		    if (!(s = tstack))
(gdb)
423		    if (s->pop) {
(gdb)
428		    code = s->code;
(gdb)
429		    stack = 0;
(gdb)
434		switch (wc_code(code)) {
(gdb)
458		    if (!s) {
(gdb)
468			if (!(stack = (WC_SUBLIST_TYPE(code) == WC_SUBLIST_END))) {
(gdb)
479		    if (stack < 1 && (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_SIMPLE))
(gdb)
481		    break;
(gdb)
420		if (stack) {


-- 
Mikael Magnusson
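A small triage script for the two runs described in this message (source the file as text, then again after zcompile), added here as an example and not code from the thread or the zsh project; it assumes POSIX sh, coreutils `timeout` and a zsh binary passed as its first argument, and classifies each run as ok, hang or crash from the exit status so the Linux-crash versus FreeBSD-hang difference is visible without a debugger.

```shell
#!/bin/sh
# Added triage helper (not code from the zsh project or the thread). Assumes
# POSIX sh, coreutils `timeout` and a zsh binary given as $1. Status mapping:
# 124 = timed out, >128 = killed by signal (128 + signal number).

# classify_run LIMIT CMD...: run CMD for at most LIMIT seconds and print
# one of: ok, hang, crash:<signo>, error:<code>
classify_run() {
    limit=$1; shift
    if timeout "$limit" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo hang
    elif [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# write_reproducer FILE: the reduced test case Oliver Kiddle posted
write_reproducer() {
    cat > "$1" <<'EOF'
if [[ m -eq y ]]; then
  : && !
  :
fi
EOF
}

# triage ZSH_BIN: run the reproducer both ways described in the thread,
# first sourced as text, then again after zcompile has written crash.zsh.zwc
triage() {
    zsh_bin=$1
    dir=$(mktemp -d)
    write_reproducer "$dir/crash.zsh"
    echo "source:   $(classify_run 5 "$zsh_bin" -fc "source $dir/crash.zsh")"
    "$zsh_bin" -fc "zcompile $dir/crash.zsh" >/dev/null 2>&1
    echo "zcompile: $(classify_run 5 "$zsh_bin" -fc "source $dir/crash.zsh")"
    rm -rf "$dir"
}

if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Run it as `sh triage.sh /path/to/zsh` against a build with and without the fix; a fixed build prints `ok` for both lines.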


