From: Peter Stephenson
To: DragonK
Cc: zsh-workers@sunsite.dk
Subject: Re: Buffer overflow in "!" handling?
Date: Wed, 25 Feb 2009 10:26:03 +0000
Message-ID: <20090225102603.089bc856@news01>
In-Reply-To: <8fa12ca90902250142s171605bekd87885e3dbc5c4a6@mail.gmail.com>
References: <8fa12ca90902250142s171605bekd87885e3dbc5c4a6@mail.gmail.com>
Organization: CSR
Mailing-List: contact zsh-workers-help@sunsite.dk; run by ezmlm
X-Seq: 26602

On Wed, 25 Feb 2009 11:42:50 +0200
DragonK wrote:
> I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related
> to the handling of the "!" character in the command line (Linux).
>
> It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh
> prompt (works better if zsh is compiled with stack protection,
> otherwise a lot of A's are needed :) ).
>
> A quick look at the code indicates the problem to be in hist.c,
> function histsubchar(), where buf[256] is getting overflowed (*ptr is
> used to write to the buffer, but no check is made to see if ptr passed
> the end of buf). I might be wrong though; I only took a couple of
> minutes to look at the code.

You're right, that's nasty. See if you can get it to happen with this...

Index: Src/hist.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/hist.c,v
retrieving revision 1.86
diff -u -r1.86 hist.c
--- Src/hist.c	25 Nov 2008 18:39:04 -0000	1.86
+++ Src/hist.c	25 Feb 2009 10:24:08 -0000
@@ -394,9 +394,10 @@ zlong ev; static int marg = -1; static zlong mev = -1; - char buf[256], *ptr; + char *buf, *ptr; char *sline; Histent ehist; + size_t buflen; /* look, no goto's */ if (isfirstch && c == hatchar) { @@ -445,7 +446,7 @@ return bangchar; } cflag = 0; - ptr = buf; + ptr = buf = zhalloc(buflen = 265); /* get event number */ @@ -455,8 +456,14 @@ c = ingetc(); if (c == '?' || c == '\n' || lexstop) break; - else + else { *ptr++ = c; + if (ptr == buf + buflen) { + buf = hrealloc(buf, buflen, 2 * buflen); + ptr = buf + buflen; + buflen *= 2; + } + } } if (c != '\n' && !lexstop) c = ingetc(); @@ -484,6 +491,11 @@ break; } *ptr++ = c; + if (ptr == buf + buflen) { + buf = hrealloc(buf, buflen, 2 * buflen); + ptr = buf + buflen; + buflen *= 2; + } if (c == '#' || c == bangchar) { c = ingetc(); break; -- Peter Stephenson Software Engineer CSR PLC, Churchill House, Cambridge Business Park, Cowley Road Cambridge, CB4 0WZ, UK Tel: +44 (0)1223 692070
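Review bot: in the hunk at @@ -445, the initial size in `ptr = buf = zhalloc(buflen = 265);` looks like a transposition of the 256 that the removed `char buf[256]` used. It is harmless because the buffer now grows, but either write 256 or add a short comment so the odd number is not read as a deliberate choice by the next person touching this code.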
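Review bot: the five-line grow block added after `*ptr++ = c;` in the hunk at @@ -455 is repeated verbatim in the hunk at @@ -484; factor it into a small static helper or macro that takes buf, ptr and buflen so the two copies cannot drift apart. The logic itself is right: the check fires exactly when ptr reaches buf + buflen, so one byte always stays free for whatever terminator the code after the loop writes, and ptr is recomputed from the new base because hrealloc may move the block. That "at least one free byte after every store" invariant is what the later terminator write depends on and deserves a comment next to the check.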
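Review bot: the hunk at @@ -484 places the grow check before the `if (c == '#' || c == bangchar)` test that reads one more character and breaks, which is the correct spot, but nothing in the diff bounds the doubling: a single very long designator now drives hrealloc until buflen exceeds what the heap can supply. For interactive input through ingetc() that is probably acceptable, but state it in a comment, or cap buflen and fall back to the existing error path, so the behaviour on a hostile line is a decision rather than an accident.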
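As an added example (not zsh's code and not part of the patch above): a C reader shaped like the loops in histsubchar() that replaces the fixed `char buf[256]` from the report with a buffer that grows by doubling, fed a constructed line of many 'A's after '!'. The names ingetc_sim, read_designator and run_bang_case, and the max_len cap that rejects oversized designators, are assumptions of this example; zsh's ingetc(), zhalloc() and hrealloc() are stood in for by a string cursor and malloc/realloc.

```c
/* Added example, not zsh's own code: a growable reader for the text after
 * '!' in place of the fixed `char buf[256]` pattern from the bug report.
 * zsh's ingetc()/zhalloc()/hrealloc() are replaced by a string cursor and
 * malloc/realloc; the max_len cap is an assumption of this example. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_LEN 256        /* same starting size as the old fixed buffer */

typedef struct { const char *p; } Input;   /* stand-in for zsh's input stream */

static int ingetc_sim(Input *in)
{
    return *in->p ? (unsigned char)*in->p++ : EOF;   /* EOF plays lexstop */
}

/* Copies the designator that follows '!' up to '\n', '?' or end of input.
 * The capacity check runs immediately after every store, exactly when ptr
 * reaches buf + buflen, so one byte is always free for the NUL terminator.
 * Returns a malloc'd string, or NULL if growing would exceed max_len. */
char *read_designator(const char *after_bang, size_t max_len, size_t *out_len)
{
    Input in = { after_bang };
    size_t buflen = INITIAL_LEN;
    char *buf = malloc(buflen), *ptr = buf;
    int c;

    if (!buf)
        return NULL;
    while ((c = ingetc_sim(&in)) != EOF && c != '\n' && c != '?') {
        *ptr++ = (char)c;
        if (ptr == buf + buflen) {              /* buffer full: grow or refuse */
            char *nbuf;
            if (2 * buflen > max_len) { free(buf); return NULL; }
            nbuf = realloc(buf, 2 * buflen);
            if (!nbuf) { free(buf); return NULL; }
            ptr = nbuf + buflen;                /* realloc may have moved buf */
            buf = nbuf;
            buflen *= 2;
        }
    }
    *ptr = '\0';
    if (out_len)
        *out_len = (size_t)(ptr - buf);
    return buf;
}

/* Constructed input: "!" followed by n_a 'A's and a newline, the shape of
 * the report.  Returns the designator length, or SIZE_MAX if rejected. */
size_t run_bang_case(size_t n_a, size_t max_len)
{
    char *line = malloc(n_a + 3);
    size_t len = SIZE_MAX;
    char *d;

    if (!line)
        return SIZE_MAX;
    line[0] = '!';
    memset(line + 1, 'A', n_a);
    line[n_a + 1] = '\n';
    line[n_a + 2] = '\0';
    d = read_designator(line + 1, max_len, &len);
    if (d) {
        assert(strlen(d) == n_a && strspn(d, "A") == n_a);   /* content intact */
        free(d);
    } else {
        len = SIZE_MAX;
    }
    free(line);
    return len;
}

int main(void)
{
    printf("10000 A's, 1 MiB cap: %zu bytes copied\n",
           run_bang_case(10000, 1 << 20));
    printf("300 A's, 256-byte cap: %s\n",
           run_bang_case(300, 256) == SIZE_MAX ? "rejected" : "accepted");
    return 0;
}
```

The check sits after the store rather than before it so the invariant is simple to state: after every iteration ptr < buf + buflen, which is what the terminator write after the loop relies on. Rejecting an over-long designator outright, instead of silently truncating it, keeps the text that later gets substituted into the command line identical to what the user typed.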