From: Peter Stephenson <p.stephenson@samsung.com>
To: <zsh-workers@zsh.org>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Tue, 14 May 2019 17:38:21 +0100 [thread overview]
Message-ID: <1557851901.4353.46.camel@samsung.com> (raw)
In-Reply-To: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
On Fri, 2019-05-10 at 13:27 -0700, Bart Schaefer wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@tenable.com> wrote:
> >
> >
> > #1 Invalid read from *taddrstr *call in *text.c*
> > POC folder: *01_taddstr_(text.c_148)*
> This has literal NUL bytes embedded in the body of an if/then. Run
> from an interactive shell, it gives:
>
> text.c:995: unknown word code in gettext2()
> text.c:995: unknown word code in gettext2()
> text.c:72: attempting to decrement tindent below zero
> text.c:72: attempting to decrement tindent below zero
>
> and then (several seconds later) a crash.
>
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
>
> if true; then me > you || !
> :
> fi
So the best guess at the moment is the embedded NUL bytes are being
misinterpreted by whatever causes the text to be handled wrongly, so
they are only tangentially relevant?
That would fit with what I'm seeing, which is the infinite loop is in
gettext2(), before anything is executed. This function tries to decode
wordcode set up by the parser, which is hard to debug because of the
strong correlation between the two completely separate bits of code (and
its own internal structure is a bit head-scratching, too). Might be
interesting to perturb it until it just doesn't fail any more...
The parsing phase seemed to finish normally, as far as I could see.
pws
next prev parent reply other threads:[~2019-05-14 16:39 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 15:03 David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21 ` Stephane Chazelas
2019-05-13 16:29 ` David Wells
2019-05-13 22:02 ` Bart Schaefer
2019-05-14 18:10 ` Stephane Chazelas
2019-05-14 21:24 ` Daniel Shahaf
2019-05-14 21:38 ` Bart Schaefer
2019-05-14 21:39 ` Daniel Shahaf
2019-05-14 22:25 ` Bart Schaefer
2019-05-15 10:48 ` Daniel Shahaf
2019-05-31 12:05 ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03 9:35 ` Peter Stephenson
2019-06-04 2:39 ` dana
2019-06-04 7:34 ` dana
2019-05-10 20:27 ` Zsh - Multiple DoS Vulnerabilities Bart Schaefer
2019-05-11 1:45 ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-13 9:01 ` Peter Stephenson
2019-05-13 21:11 ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44 ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36 ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14 0:13 ` Mikael Magnusson
2019-05-14 5:38 ` Bart Schaefer
2019-05-14 10:50 ` Peter Stephenson
2019-05-14 16:38 ` Peter Stephenson [this message]
2019-05-14 20:30 ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-15 16:50 ` Mikael Magnusson
2019-05-16 20:37 ` Peter Stephenson
2019-05-17 13:41 ` Mikael Magnusson
2019-05-17 13:51 ` Mikael Magnusson
2019-05-17 14:28 ` Mikael Magnusson
2019-05-18 10:31 ` Oliver Kiddle
2019-05-21 14:43 ` Oliver Kiddle
[not found] ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1557851901.4353.46.camel@samsung.com \
--to=p.stephenson@samsung.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).