Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c

X-seq: zsh-workers 45861
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: Aaron Esau <arinerron@xxxxxxxxxxxxxx>
Subject: Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c
Date: Wed, 20 May 2020 00:40:15 +0000
Cc: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
In-reply-to: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>

Aaron Esau wrote on Tue, 19 May 2020 06:48 +0000:
> The following code in check_colon_subscript in subst.c checks if the value at a pointer obtained from a call to parse_subscript is NULL:
> 
>   *endp = parse_subscript(str, 0, ':');
>   if (!*endp) {
>       /* No trailing colon? */
>       *endp = parse_subscript(str, 0, '\0');
>       if (!*endp)
>           return NULL;
>   }  
> 
> However, the pointer itself can be NULL. [...]
> 
> ## Patch
> 
> diff --git Src/subst.c Src/subst.c
> index 90b5fc121..ac12c6d0e 100644
> --- Src/subst.c
> +++ Src/subst.c
> @@ -1571,10 +1571,10 @@ check_colon_subscript(char *str, char **endp)
>      }  
> 

Your MUA corrupted the patch by munging the trailing whitespace.

You generated the patch without the a/ and b/ prefixes.  I tried this
once but discovered (to my dismay) that «git apply» doesn't apply such
patches by default.  How do you deal with that?

>      *endp = parse_subscript(str, 0, ':');
> -    if (!*endp) {
> +    if (endp && !*endp) {
>  	/* No trailing colon? */
>  	*endp = parse_subscript(str, 0, '\0');
> -	if (!*endp)
> +	if (endp && !*endp)
>  	   return NULL;
>      }  
>      sav = **endp;

endp has already been dereferenced by the time you have it tested for
NULL.  Thus, this patch is a no-op.  In fact, you'll probably find the
(optimized) object code generated for this snippet is not changed by
applying this patch.  If this patch changes the behaviour at all, that'd
be a compiler bug.

Besides, all callers pass non-NULL values for endp.

Did you post the correct patch?

Daniel

References:
- [BUG] Two vulnerabilities in zsh
  - From: Aaron Esau

Messages sorted by: Reverse Date, Date, Thread, Author