Zsh Mailing List Archive

Re: Zsh - Multiple DoS Vulnerabilities



On 5/17/19, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
> On 5/16/19, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx> wrote:
>> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>>> crash with true as the condition. A variety of things can be used in the
>>> condition. while .. do .. done can be used in place of if .. then .. fi,
>>> && or ||. The me > you part can be cut down to :. Try the following:
>>>
>>>   if [[ m -eq y ]]; then
>>>     : && !
>>>     :
>>>   fi
>>>
>>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>>> causing it to index well beyond the range of s->strs. I'd be inclined to
>>> suspect the problem comes earlier when parsing this into wordcode.
>>
>> I'm starting to wonder if this is an allocation rather than a parsing
>> problem --- the parsing is OK but something goes wrong with the final
>> pointer / afterwards / in building or copying the word code, so
>> that gettext2() or the exec code ends up trying to interpret garbage at
>> the end.
>
> FWIW I ran this under valgrind, and the first invalid read is the one
> that causes the segfault, so no help there.

Played with gdb reverse debugging a bit and found that at one point
before the crash, we have this somewhat incorrect string built up:
(gdb) p tptr-48
$28 = 0x6e7560 <jbuf> "if [[ m -eq y ]]; then; : && ! :; select G\305\305 in "


-- 
Mikael Magnusson
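A small harness, added here and not part of this thread or of the zsh project, that turns a minimised reproducer like the one above into a regression check: it runs a script in a separate interpreter process under a time limit and classifies the result as ok, crash (with the terminating signal number, 11 for SIGSEGV) or hang, the same Linux-crash versus FreeBSD-hang distinction Oliver described. The interpreter path, time limit and script text are parameters you supply; `classify_run` and the sample scripts are assumptions of this example, not names from the page.

```shell
#!/bin/sh
# Added example (not from the zsh list thread). POSIX sh only: no `timeout`,
# so the time limit is enforced with a kill -0 polling loop.

# classify_run SHELL_PATH LIMIT_SECONDS SCRIPT_TEXT
# Prints exactly one of:  ok   crash:<signal>   hang
classify_run() {
    shell=$1
    limit=$2
    script=$3

    # Write the test case to a temp file so the interpreter parses it the
    # same way it would parse a real script (stdin/-c can differ).
    tmp=$(mktemp) || return 1
    printf '%s\n' "$script" > "$tmp"

    "$shell" "$tmp" >/dev/null 2>&1 &
    pid=$!

    elapsed=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$elapsed" -ge "$limit" ]; then
            # Still alive after the limit: treat as a hang (the FreeBSD case).
            kill -KILL "$pid" 2>/dev/null
            wait "$pid" 2>/dev/null
            rm -f "$tmp"
            echo hang
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done

    # The child exited on its own; `|| status=$?` keeps this safe under set -e.
    status=0
    wait "$pid" || status=$?
    rm -f "$tmp"

    # POSIX wait reports 128+signal for a child killed by a signal.
    if [ "$status" -ge 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo ok
    fi
    return 0
}

# Usage: classify_run /path/to/zsh 5 "$(cat reproducer.zsh)"
```

The function only reports the process outcome; pair it with `ulimit -c` and a core-file check if you also want the backtrace from each crash.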


