zsh-workers
* buffer overflow on zsh-3.1.9
@ 2000-08-14 18:34 Jonel Rienton
From: Jonel Rienton @ 2000-08-14 18:34 UTC (permalink / raw)
  To: zsh-workers

I would like to report a buffer overflow for zsh; the procedure is as follows:

1. hold down the alt key
2. while holding alt key press 9 six times
3. release both keys, hit any letter or number


The result is a huge core file and a very high CPU load which almost brings down
my system.



* Re: buffer overflow on zsh-3.1.9
@ 2000-08-14 18:38 ` Bart Schaefer
From: Bart Schaefer @ 2000-08-14 18:38 UTC (permalink / raw)
  To: Jonel Rienton, zsh-workers

On Aug 14,  1:34pm, Jonel Rienton wrote:
} Subject: buffer overflow on zsh-3.1.9

It's not a buffer overflow.

} 1. hold down the alt key
} 2. while holding alt key press 9 six times

You've just told zsh that you want it to repeat the next command 999999
times.

} 3. release both keys, hit any letter or number

The next command is to insert that character.  Zsh faithfully attempts to
insert one character 999999 times.  Every 256 or so insertions it allocates
a larger buffer; eventually your system runs out of memory and zsh gives
up and crashes.

The buffer didn't overflow -- that is, I doubt zsh wrote any bytes beyond
the bounds of any buffer it succeeded in allocating.

We *could* put some sort of arbitrary limit on the maximum numeric prefix
argument, to prevent large repetitions like this, but this is clearly a
case of pilot error rather than programming error.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net   
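As an added illustration (not zsh's own code) of the growth pattern described in this reply, here is a toy line-editor buffer that repeat-inserts one character while growing its storage in 256-byte steps with realloc, with the prefix-argument cap Bart mentions and a realloc() failure check added. CHUNK, MAX_NUMERIC_ARG and the struct layout are assumptions for the toy.

```c
/* Added example, not zsh's own code: a toy line-editor buffer modelling the
 * behaviour Bart describes (repeat-insert, buffer grown in 256-byte steps via
 * realloc) plus the two checks a defender would want: a cap on the numeric
 * prefix argument and a realloc() failure check, so exhaustion is reported
 * instead of crashing.  CHUNK and MAX_NUMERIC_ARG are assumed values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 256                  /* growth step, as in the thread */
#define MAX_NUMERIC_ARG 1000000UL  /* hypothetical cap on the repeat count */
struct line {
    char  *buf;      /* NUL-terminated contents, NULL while empty */
    size_t len, cap; /* characters stored / bytes allocated */
    size_t reallocs; /* how many times the buffer was grown */
};

/* Insert c into l count times.  Returns 0 on success, -1 if count exceeds the
 * cap (nothing inserted), -2 if realloc fails (what was inserted is kept). */
int insert_repeated(struct line *l, char c, unsigned long count)
{
    if (count > MAX_NUMERIC_ARG)
        return -1;
    for (unsigned long i = 0; i < count; i++) {
        if (l->len + 1 >= l->cap) {              /* room for c and the NUL */
            char *nb = realloc(l->buf, l->cap + CHUNK);
            if (nb == NULL) {
                if (l->buf) l->buf[l->len] = '\0'; /* old buffer still valid */
                return -2;
            }
            l->buf = nb;
            l->cap += CHUNK;
            l->reallocs++;
        }
        l->buf[l->len++] = c;
    }
    if (l->buf) l->buf[l->len] = '\0';
    return 0;
}

int main(void)
{
    struct line l = {0};
    int rc = insert_repeated(&l, 'a', 1000);
    printf("rc=%d len=%zu cap=%zu reallocs=%zu\n", rc, l.len, l.cap, l.reallocs);
    printf("rc=%d\n", insert_repeated(&l, 'a', 9999999UL)); /* Alt-9 x7: refused */
    free(l.buf);
    return 0;
}
```

With the fixed 256-byte step, inserting 1000 characters costs four realloc calls; the refused 9999999 request leaves the buffer untouched.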



* RE: buffer overflow on zsh-3.1.9
@ 2000-08-14 23:13   ` Jonel Rienton
From: Jonel Rienton @ 2000-08-14 23:13 UTC (permalink / raw)
  To: Bart Schaefer, zsh-workers

Doesn't this make it possible for a malicious user to bring down your system on a
multi-user box?

Jonel Rienton
----------------------------------------------
http://qmail.freebsduser.org/qmail.html
This email is sent by qmail-1.03 on a
FreeBSD 4.1-STABLE box




* RE: buffer overflow on zsh-3.1.9
@ 2000-08-15  1:04     ` Bart Schaefer
From: Bart Schaefer @ 2000-08-15  1:04 UTC (permalink / raw)
  To: Jonel Rienton; +Cc: zsh-workers

On Mon, 14 Aug 2000, Jonel Rienton wrote:

> Doesn't this make it possible for a malicious user to bring down your
> system on a multi-user box?

If you have to defend your box against the users that have shell access,
you're already in much deeper trouble than anything a change to zsh would
help you with.

> This email is sent by qmail-1.03 on a
> FreeBSD 4.1-STABLE box

Incidentally, on my desktop linux box at work (a 200MHz Pentium II with
128Mb RAM, getting rather old now) I have to hit Alt-9 seven times to even
slow the shell down noticeably when I hit the next key, and it still
succeeded in inserting 'a' 9999999 times.

I don't recall for certain, but I believe FreeBSD may be one of the
platforms that has pathologically bad realloc() behavior when repeatedly
expanding the same buffer.  Try configuring with --enable-zsh-mem to see
whether the behavior improves.



* Re: buffer overflow on zsh-3.1.9
@ 2000-08-15  3:19     ` Dan Nelson
From: Dan Nelson @ 2000-08-15  3:19 UTC (permalink / raw)
  To: Jonel Rienton; +Cc: Bart Schaefer, zsh-workers

In the last episode (Aug 14), Jonel Rienton said:
> Doesn't this make it possible for a malicious user to bring down your
> system on a multi-user box?

No more than a "for(;;) malloc(1024);" loop or even /bin/sh's
"a=`yes`".  Although having zsh core dump is bad form (sh simply prints
"out of space").  Adjust your shell's resource limits if you're worried
about their memory usage.

-- 
	Dan Nelson
	dnelson@emsphone.com

