* Zsh parser buffer overflow - xsymlink
@ 2017-05-09 15:05 ` Eduardo Bustamante
2017-05-09 16:01 ` Peter Stephenson
0 siblings, 1 reply; 2+ messages in thread
From: Eduardo Bustamante @ 2017-05-09 15:05 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo A. Bustamante López
[-- Attachment #1: Type: text/plain, Size: 7777 bytes --]
The following seems to cause some sort of recursive expansion:
dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
${(r0$0)}
$_:P
dualbus@debian:~/bash-fuzzing/zsh-parser$ md5sum xsymlinks
22377c2c7d97ac88633232eb8df12a6e xsymlinks
dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 xsymlinks
JHsocjAkMCl9CiRfOlA=
dualbus@debian:~/bash-fuzzing/zsh-parser$ zsh -n xsymlinks
*** buffer overflow detected ***: zsh terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f0b7e9d0bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f0b7ea59037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7f0b7ea57170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6729)[0x7f0b7ea56729]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7f0b7e9d4bdc]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ebb)[0x7f0b7e9a8bbb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7f0b7ea567bc]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f0b7ea5670d]
zsh(+0x96be9)[0x56306ea28be9]
zsh(xsymlink+0x1d)[0x56306ea2a6ed]
zsh(modify+0xa1f)[0x56306ea1b86f]
zsh(+0x8b9cb)[0x56306ea1d9cb]
zsh(prefork+0xc1)[0x56306ea21ea1]
zsh(+0x3117a)[0x56306e9c317a]
zsh(+0x33e02)[0x56306e9c5e02]
zsh(+0x3420c)[0x56306e9c620c]
zsh(execlist+0x724)[0x56306e9c7b74]
zsh(execode+0x99)[0x56306e9c7fd9]
zsh(loop+0x349)[0x56306e9dc099]
zsh(zsh_main+0x4f6)[0x56306e9df826]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f0b7e9802b1]
zsh(_start+0x2a)[0x56306e9a933a]
======= Memory map: ========
56306e992000-56306ea53000 r-xp 00000000 fe:01 21889063
/bin/zsh
56306ec52000-56306ec54000 r--p 000c0000 fe:01 21889063
/bin/zsh
56306ec54000-56306ec5a000 rw-p 000c2000 fe:01 21889063
/bin/zsh
56306ec5a000-56306ec6e000 rw-p 00000000 00:00 0
56306fb06000-56306fb45000 rw-p 00000000 00:00 0 [heap]
7f0b7df0b000-7f0b7df21000 r-xp 00000000 fe:01 1310784
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7df21000-7f0b7e120000 ---p 00016000 fe:01 1310784
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e120000-7f0b7e121000 r--p 00015000 fe:01 1310784
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e121000-7f0b7e122000 rw-p 00016000 fe:01 1310784
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e122000-7f0b7e12c000 r-xp 00000000 fe:01 1311265
/lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e12c000-7f0b7e32c000 ---p 0000a000 fe:01 1311265
/lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32c000-7f0b7e32d000 r--p 0000a000 fe:01 1311265
/lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32d000-7f0b7e32e000 rw-p 0000b000 fe:01 1311265
/lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32e000-7f0b7e334000 rw-p 00000000 00:00 0
7f0b7e334000-7f0b7e33f000 r-xp 00000000 fe:01 1311269
/lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e33f000-7f0b7e53e000 ---p 0000b000 fe:01 1311269
/lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e53e000-7f0b7e53f000 r--p 0000a000 fe:01 1311269
/lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e53f000-7f0b7e540000 rw-p 0000b000 fe:01 1311269
/lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e540000-7f0b7e554000 r-xp 00000000 fe:01 1311178
/lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e554000-7f0b7e754000 ---p 00014000 fe:01 1311178
/lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e754000-7f0b7e755000 r--p 00014000 fe:01 1311178
/lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e755000-7f0b7e756000 rw-p 00015000 fe:01 1311178
/lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e756000-7f0b7e758000 rw-p 00000000 00:00 0
7f0b7e758000-7f0b7e75f000 r-xp 00000000 fe:01 1311180
/lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e75f000-7f0b7e95e000 ---p 00007000 fe:01 1311180
/lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e95e000-7f0b7e95f000 r--p 00006000 fe:01 1311180
/lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e95f000-7f0b7e960000 rw-p 00007000 fe:01 1311180
/lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e960000-7f0b7eaf5000 r-xp 00000000 fe:01 1311151
/lib/x86_64-linux-gnu/libc-2.24.so
7f0b7eaf5000-7f0b7ecf4000 ---p 00195000 fe:01 1311151
/lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecf4000-7f0b7ecf8000 r--p 00194000 fe:01 1311151
/lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecf8000-7f0b7ecfa000 rw-p 00198000 fe:01 1311151
/lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecfa000-7f0b7ecfe000 rw-p 00000000 00:00 0
7f0b7ecfe000-7f0b7ee01000 r-xp 00000000 fe:01 1311172
/lib/x86_64-linux-gnu/libm-2.24.so
7f0b7ee01000-7f0b7f000000 ---p 00103000 fe:01 1311172
/lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f000000-7f0b7f001000 r--p 00102000 fe:01 1311172
/lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f001000-7f0b7f002000 rw-p 00103000 fe:01 1311172
/lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f002000-7f0b7f027000 r-xp 00000000 fe:01 1310814
/lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f027000-7f0b7f227000 ---p 00025000 fe:01 1310814
/lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f227000-7f0b7f22b000 r--p 00025000 fe:01 1310814
/lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f22b000-7f0b7f22c000 rw-p 00029000 fe:01 1310814
/lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f22c000-7f0b7f22f000 r-xp 00000000 fe:01 1311170
/lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f22f000-7f0b7f42e000 ---p 00003000 fe:01 1311170
/lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f42e000-7f0b7f42f000 r--p 00002000 fe:01 1311170
/lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f42f000-7f0b7f430000 rw-p 00003000 fe:01 1311170
/lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f430000-7f0b7f434000 r-xp 00000000 fe:01 1310846
/lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f434000-7f0b7f634000 ---p 00004000 fe:01 1310846
/lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f634000-7f0b7f635000 r--p 00004000 fe:01 1310846
/lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f635000-7f0b7f636000 rw-p 00005000 fe:01 1310846
/lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f636000-7f0b7f659000 r-xp 00000000 fe:01 1310733
/lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f6a4000-7f0b7f6c2000 rw-p 00000000 00:00 0
7f0b7f6c2000-7f0b7f713000 r--p 00000000 fe:01 26351510
/usr/lib/locale/aa_DJ.utf8/LC_CTYPE
7f0b7f713000-7f0b7f843000 r--p 00000000 fe:01 26351509
/usr/lib/locale/aa_DJ.utf8/LC_COLLATE
7f0b7f843000-7f0b7f845000 rw-p 00000000 00:00 0
7f0b7f845000-7f0b7f846000 r--p 00000000 fe:01 26351533
/usr/lib/locale/aa_ET/LC_NUMERIC
7f0b7f846000-7f0b7f847000 r--p 00000000 fe:01 26480725
/usr/lib/locale/en_US.utf8/LC_TIME
7f0b7f847000-7f0b7f848000 r--p 00000000 fe:01 26355066
/usr/lib/locale/chr_US/LC_MONETARY
7f0b7f848000-7f0b7f849000 r--p 00000000 fe:01 26355282
/usr/lib/locale/en_AG/LC_MESSAGES/SYS_LC_MESSAGES
7f0b7f849000-7f0b7f84a000 r--p 00000000 fe:01 26355068
/usr/lib/locale/chr_US/LC_PAPER
7f0b7f84a000-7f0b7f84b000 r--p 00000000 fe:01 26355067
/usr/lib/locale/chr_US/LC_NAME
7f0b7f84b000-7f0b7f84c000 r--p 00000000 fe:01 26480723
/usr/lib/locale/en_US.utf8/LC_ADDRESS
7f0b7f84c000-7f0b7f84d000 r--p 00000000 fe:01 26355069
/usr/lib/locale/chr_US/LC_TELEPHONE
7f0b7f84d000-7f0b7f84e000 r--p 00000000 fe:01 26355064
/usr/lib/locale/chr_US/LC_MEASUREMENT
7f0b7f84e000-7f0b7f855000 r--s 00000000 fe:01 25449459
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7f0b7f855000-7f0b7f856000 r--p 00000000 fe:01 26480724
/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7f0b7f856000-7f0b7f859000 rw-p 00000000 00:00 0
7f0b7f859000-7f0b7f85a000 r--p 00023000 fe:01 1310733
/lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f85a000-7f0b7f85b000 rw-p 00024000 fe:01 1310733
/lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f85b000-7f0b7f85c000 rw-p 00000000 00:00 0
7ffd7905d000-7ffd7907e000 rw-p 00000000 00:00 0 [stack]
7ffd790dc000-7ffd790de000 r--p 00000000 00:00 0 [vvar]
7ffd790de000-7ffd790e0000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Aborted (core dumped)
[-- Attachment #2: xsymlinks --]
[-- Type: application/octet-stream, Size: 14 bytes --]
${(r0$0)}
$_:P
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Zsh parser buffer overflow - xsymlink
2017-05-09 15:05 ` Zsh parser buffer overflow - xsymlink Eduardo Bustamante
@ 2017-05-09 16:01 ` Peter Stephenson
0 siblings, 0 replies; 2+ messages in thread
From: Peter Stephenson @ 2017-05-09 16:01 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo Bustamante
On Tue, 9 May 2017 10:05:38 -0500
Eduardo Bustamante <dualbus@gmail.com> wrote:
> The following seems to cause some sort of recursive expansion:
>
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
> ${(r0$0)}
> $_:P
It's exceeding a fixed buffer length without checking.
The test is a bit brittle --- it assumes PATH_MAX isn't much longer than
the usual value. It could be cleverer about checking.
By the way, I'm leaving the couple of crashes I haven't looked at for
others.
pws
diff --git a/Src/utils.c b/Src/utils.c
index ea4b34b..5eb936b 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
char **pp, **opp;
char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
int t0, ret = 0;
- zulong xbuflen = strlen(xbuf);
+ zulong xbuflen = strlen(xbuf), pplen;
opp = pp = slashsplit(s);
for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
xbuflen--;
continue;
}
- sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ /* Includes null byte. */
+ pplen = strlen(*pp) + 1;
+ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+ *xbuf = 0;
+ ret = -1;
+ break;
+ }
+ memcpy(xbuf2, xbuf, xbuflen);
+ xbuf2[xbuflen] = '/';
+ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
if (t0 == -1) {
- zulong pplen = strlen(*pp) + 1;
if ((xbuflen += pplen) < sizeof(xbuf)) {
strcat(xbuf, "/");
strcat(xbuf, *pp);
diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst
index 413381f..0ff6968 100644
--- a/Test/D02glob.ztst
+++ b/Test/D02glob.ztst
@@ -687,6 +687,14 @@
0:modifier ':P' resolves symlinks before '..' components
*>*glob.tmp/hello/world
+ # This is a bit brittle as it depends on PATH_MAX.
+ # We could use sysconf..
+ bad_pwd="/${(l:16000:: :):-}"
+ print ${bad_pwd:P}
+0:modifier ':P' with path too long
+?(eval):2: path expansion failed, using root directory
+>/
+
foo=a
value="ac"
print ${value//[${foo}b-z]/x}
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-09 16:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CGME20170509150713epcas2p44208e6e20c198797cd2d39b88ef70942@epcas2p4.samsung.com>
2017-05-09 15:05 ` Zsh parser buffer overflow - xsymlink Eduardo Bustamante
2017-05-09 16:01 ` Peter Stephenson
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).