From: Peter Stephenson <p.stephenson@samsung.com>
To: zsh-workers@zsh.org
Cc: Eduardo Bustamante <dualbus@gmail.com>
Subject: Re: Zsh parser buffer overflow - xsymlink
Date: Tue, 09 May 2017 17:01:15 +0100 [thread overview]
Message-ID: <20170509170115.38bcd963@pwslap01u.europe.root.pri> (raw)
In-Reply-To: <CAOSMAuvX2gSv5JqLjPYgWGWmwSPtWvsP0wPhYzkEZsGS8aX=uw@mail.gmail.com>
On Tue, 9 May 2017 10:05:38 -0500
Eduardo Bustamante <dualbus@gmail.com> wrote:
> The following seems to cause some sort of recursive expansion:
>
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
> ${(r0$0)}
> $_:P
It's exceeding a fixed buffer length without checking.
The test is a bit brittle --- it assumes PATH_MAX isn't much longer than
the usual value. It could be cleverer about checking.
By the way, I'm leaving the couple of crashes I haven't looked at for
others.
pws
diff --git a/Src/utils.c b/Src/utils.c
index ea4b34b..5eb936b 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
char **pp, **opp;
char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
int t0, ret = 0;
- zulong xbuflen = strlen(xbuf);
+ zulong xbuflen = strlen(xbuf), pplen;
opp = pp = slashsplit(s);
for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
xbuflen--;
continue;
}
- sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ /* Includes null byte. */
+ pplen = strlen(*pp) + 1;
+ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+ *xbuf = 0;
+ ret = -1;
+ break;
+ }
+ memcpy(xbuf2, xbuf, xbuflen);
+ xbuf2[xbuflen] = '/';
+ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
if (t0 == -1) {
- zulong pplen = strlen(*pp) + 1;
if ((xbuflen += pplen) < sizeof(xbuf)) {
strcat(xbuf, "/");
strcat(xbuf, *pp);
diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst
index 413381f..0ff6968 100644
--- a/Test/D02glob.ztst
+++ b/Test/D02glob.ztst
@@ -687,6 +687,14 @@
0:modifier ':P' resolves symlinks before '..' components
*>*glob.tmp/hello/world
+ # This is a bit brittle as it depends on PATH_MAX.
+ # We could use sysconf..
+ bad_pwd="/${(l:16000:: :):-}"
+ print ${bad_pwd:P}
+0:modifier ':P' with path too long
+?(eval):2: path expansion failed, using root directory
+>/
+
foo=a
value="ac"
print ${value//[${foo}b-z]/x}
prev parent reply other threads:[~2017-05-09 16:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170509150713epcas2p44208e6e20c198797cd2d39b88ef70942@epcas2p4.samsung.com>
2017-05-09 15:05 ` Eduardo Bustamante
2017-05-09 16:01 ` Peter Stephenson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170509170115.38bcd963@pwslap01u.europe.root.pri \
--to=p.stephenson@samsung.com \
--cc=dualbus@gmail.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).