* Zsh parser buffer overflow - xsymlink
@ 2017-05-09 15:05 ` Eduardo Bustamante
  2017-05-09 16:01   ` Peter Stephenson
  0 siblings, 1 reply; 2+ messages in thread
From: Eduardo Bustamante @ 2017-05-09 15:05 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo A. Bustamante López

[-- Attachment #1: Type: text/plain, Size: 7777 bytes --]

The following seems to cause some sort of recursive expansion:

dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
${(r0$0)}
$_:P

dualbus@debian:~/bash-fuzzing/zsh-parser$ md5sum xsymlinks
22377c2c7d97ac88633232eb8df12a6e  xsymlinks

dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 xsymlinks
JHsocjAkMCl9CiRfOlA=

dualbus@debian:~/bash-fuzzing/zsh-parser$ zsh -n xsymlinks
*** buffer overflow detected ***: zsh terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f0b7e9d0bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f0b7ea59037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7f0b7ea57170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6729)[0x7f0b7ea56729]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7f0b7e9d4bdc]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ebb)[0x7f0b7e9a8bbb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7f0b7ea567bc]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f0b7ea5670d]
zsh(+0x96be9)[0x56306ea28be9]
zsh(xsymlink+0x1d)[0x56306ea2a6ed]
zsh(modify+0xa1f)[0x56306ea1b86f]
zsh(+0x8b9cb)[0x56306ea1d9cb]
zsh(prefork+0xc1)[0x56306ea21ea1]
zsh(+0x3117a)[0x56306e9c317a]
zsh(+0x33e02)[0x56306e9c5e02]
zsh(+0x3420c)[0x56306e9c620c]
zsh(execlist+0x724)[0x56306e9c7b74]
zsh(execode+0x99)[0x56306e9c7fd9]
zsh(loop+0x349)[0x56306e9dc099]
zsh(zsh_main+0x4f6)[0x56306e9df826]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f0b7e9802b1]
zsh(_start+0x2a)[0x56306e9a933a]
======= Memory map: ========
56306e992000-56306ea53000 r-xp 00000000 fe:01 21889063
  /bin/zsh
56306ec52000-56306ec54000 r--p 000c0000 fe:01 21889063
  /bin/zsh
56306ec54000-56306ec5a000 rw-p 000c2000 fe:01 21889063
  /bin/zsh
56306ec5a000-56306ec6e000 rw-p 00000000 00:00 0
56306fb06000-56306fb45000 rw-p 00000000 00:00 0                          [heap]
7f0b7df0b000-7f0b7df21000 r-xp 00000000 fe:01 1310784
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7df21000-7f0b7e120000 ---p 00016000 fe:01 1310784
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e120000-7f0b7e121000 r--p 00015000 fe:01 1310784
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e121000-7f0b7e122000 rw-p 00016000 fe:01 1310784
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0b7e122000-7f0b7e12c000 r-xp 00000000 fe:01 1311265
  /lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e12c000-7f0b7e32c000 ---p 0000a000 fe:01 1311265
  /lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32c000-7f0b7e32d000 r--p 0000a000 fe:01 1311265
  /lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32d000-7f0b7e32e000 rw-p 0000b000 fe:01 1311265
  /lib/x86_64-linux-gnu/libnss_files-2.24.so
7f0b7e32e000-7f0b7e334000 rw-p 00000000 00:00 0
7f0b7e334000-7f0b7e33f000 r-xp 00000000 fe:01 1311269
  /lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e33f000-7f0b7e53e000 ---p 0000b000 fe:01 1311269
  /lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e53e000-7f0b7e53f000 r--p 0000a000 fe:01 1311269
  /lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e53f000-7f0b7e540000 rw-p 0000b000 fe:01 1311269
  /lib/x86_64-linux-gnu/libnss_nis-2.24.so
7f0b7e540000-7f0b7e554000 r-xp 00000000 fe:01 1311178
  /lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e554000-7f0b7e754000 ---p 00014000 fe:01 1311178
  /lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e754000-7f0b7e755000 r--p 00014000 fe:01 1311178
  /lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e755000-7f0b7e756000 rw-p 00015000 fe:01 1311178
  /lib/x86_64-linux-gnu/libnsl-2.24.so
7f0b7e756000-7f0b7e758000 rw-p 00000000 00:00 0
7f0b7e758000-7f0b7e75f000 r-xp 00000000 fe:01 1311180
  /lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e75f000-7f0b7e95e000 ---p 00007000 fe:01 1311180
  /lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e95e000-7f0b7e95f000 r--p 00006000 fe:01 1311180
  /lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e95f000-7f0b7e960000 rw-p 00007000 fe:01 1311180
  /lib/x86_64-linux-gnu/libnss_compat-2.24.so
7f0b7e960000-7f0b7eaf5000 r-xp 00000000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7f0b7eaf5000-7f0b7ecf4000 ---p 00195000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecf4000-7f0b7ecf8000 r--p 00194000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecf8000-7f0b7ecfa000 rw-p 00198000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7f0b7ecfa000-7f0b7ecfe000 rw-p 00000000 00:00 0
7f0b7ecfe000-7f0b7ee01000 r-xp 00000000 fe:01 1311172
  /lib/x86_64-linux-gnu/libm-2.24.so
7f0b7ee01000-7f0b7f000000 ---p 00103000 fe:01 1311172
  /lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f000000-7f0b7f001000 r--p 00102000 fe:01 1311172
  /lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f001000-7f0b7f002000 rw-p 00103000 fe:01 1311172
  /lib/x86_64-linux-gnu/libm-2.24.so
7f0b7f002000-7f0b7f027000 r-xp 00000000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f027000-7f0b7f227000 ---p 00025000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f227000-7f0b7f22b000 r--p 00025000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f22b000-7f0b7f22c000 rw-p 00029000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f0b7f22c000-7f0b7f22f000 r-xp 00000000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f22f000-7f0b7f42e000 ---p 00003000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f42e000-7f0b7f42f000 r--p 00002000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f42f000-7f0b7f430000 rw-p 00003000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7f0b7f430000-7f0b7f434000 r-xp 00000000 fe:01 1310846
  /lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f434000-7f0b7f634000 ---p 00004000 fe:01 1310846
  /lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f634000-7f0b7f635000 r--p 00004000 fe:01 1310846
  /lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f635000-7f0b7f636000 rw-p 00005000 fe:01 1310846
  /lib/x86_64-linux-gnu/libcap.so.2.25
7f0b7f636000-7f0b7f659000 r-xp 00000000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f6a4000-7f0b7f6c2000 rw-p 00000000 00:00 0
7f0b7f6c2000-7f0b7f713000 r--p 00000000 fe:01 26351510
  /usr/lib/locale/aa_DJ.utf8/LC_CTYPE
7f0b7f713000-7f0b7f843000 r--p 00000000 fe:01 26351509
  /usr/lib/locale/aa_DJ.utf8/LC_COLLATE
7f0b7f843000-7f0b7f845000 rw-p 00000000 00:00 0
7f0b7f845000-7f0b7f846000 r--p 00000000 fe:01 26351533
  /usr/lib/locale/aa_ET/LC_NUMERIC
7f0b7f846000-7f0b7f847000 r--p 00000000 fe:01 26480725
  /usr/lib/locale/en_US.utf8/LC_TIME
7f0b7f847000-7f0b7f848000 r--p 00000000 fe:01 26355066
  /usr/lib/locale/chr_US/LC_MONETARY
7f0b7f848000-7f0b7f849000 r--p 00000000 fe:01 26355282
  /usr/lib/locale/en_AG/LC_MESSAGES/SYS_LC_MESSAGES
7f0b7f849000-7f0b7f84a000 r--p 00000000 fe:01 26355068
  /usr/lib/locale/chr_US/LC_PAPER
7f0b7f84a000-7f0b7f84b000 r--p 00000000 fe:01 26355067
  /usr/lib/locale/chr_US/LC_NAME
7f0b7f84b000-7f0b7f84c000 r--p 00000000 fe:01 26480723
  /usr/lib/locale/en_US.utf8/LC_ADDRESS
7f0b7f84c000-7f0b7f84d000 r--p 00000000 fe:01 26355069
  /usr/lib/locale/chr_US/LC_TELEPHONE
7f0b7f84d000-7f0b7f84e000 r--p 00000000 fe:01 26355064
  /usr/lib/locale/chr_US/LC_MEASUREMENT
7f0b7f84e000-7f0b7f855000 r--s 00000000 fe:01 25449459
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7f0b7f855000-7f0b7f856000 r--p 00000000 fe:01 26480724
  /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7f0b7f856000-7f0b7f859000 rw-p 00000000 00:00 0
7f0b7f859000-7f0b7f85a000 r--p 00023000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f85a000-7f0b7f85b000 rw-p 00024000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7f0b7f85b000-7f0b7f85c000 rw-p 00000000 00:00 0
7ffd7905d000-7ffd7907e000 rw-p 00000000 00:00 0                          [stack]
7ffd790dc000-7ffd790de000 r--p 00000000 00:00 0                          [vvar]
7ffd790de000-7ffd790e0000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
  [vsyscall]
Aborted (core dumped)

[-- Attachment #2: xsymlinks --]
[-- Type: application/octet-stream, Size: 14 bytes --]

${(r0$0)}
$_:P


* Re: Zsh parser buffer overflow - xsymlink
  2017-05-09 15:05 ` Zsh parser buffer overflow - xsymlink Eduardo Bustamante
@ 2017-05-09 16:01   ` Peter Stephenson
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Stephenson @ 2017-05-09 16:01 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo Bustamante

On Tue, 9 May 2017 10:05:38 -0500
Eduardo Bustamante <dualbus@gmail.com> wrote:
> The following seems to cause some sort of recursive expansion:
> 
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
> ${(r0$0)}
> $_:P

It's exceeding a fixed buffer length without checking.

The test is a bit brittle --- it assumes PATH_MAX isn't much longer than
the usual value.  It could be cleverer about checking.

By the way, I'm leaving the couple of crashes I haven't looked at for
others.

pws

diff --git a/Src/utils.c b/Src/utils.c
index ea4b34b..5eb936b 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
     char **pp, **opp;
     char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
     int t0, ret = 0;
-    zulong xbuflen = strlen(xbuf);
+    zulong xbuflen = strlen(xbuf), pplen;
 
     opp = pp = slashsplit(s);
     for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
 	    xbuflen--;
 	    continue;
 	}
-	sprintf(xbuf2, "%s/%s", xbuf, *pp);
+	/* Includes null byte. */
+	pplen = strlen(*pp) + 1;
+	if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+	    *xbuf = 0;
+	    ret = -1;
+	    break;
+	}
+	memcpy(xbuf2, xbuf, xbuflen);
+	xbuf2[xbuflen] = '/';
+	memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
 	if (t0 == -1) {
-	    zulong pplen = strlen(*pp) + 1;
 	    if ((xbuflen += pplen) < sizeof(xbuf)) {
 		strcat(xbuf, "/");
 		strcat(xbuf, *pp);
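Review bot: The new early exit `*xbuf = 0; ret = -1; break;` leaves `*pp` and the rest of `opp` unreleased if the loop's other exits free each consumed element as they go (the `.`/`..` branches and the readlink-failure branch run past the hunk, so I cannot confirm that from here); if they do, this break should mirror them, or the array should be released wholesale after the loop so no path has to care. The bound itself is right: `xbuflen + 1 + pplen` is exactly what the two memcpy calls plus the `/` write, and `pplen` already counts the NUL, but the `+ 1` in the comparison is easy to misread as the terminator, so I would make the comment say so: `/* pplen counts the NUL; the extra 1 is the '/' separator. */`. xsymlinks() begins before and ends after this hunk.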
diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst
index 413381f..0ff6968 100644
--- a/Test/D02glob.ztst
+++ b/Test/D02glob.ztst
@@ -687,6 +687,14 @@
 0:modifier ':P' resolves symlinks before '..' components
 *>*glob.tmp/hello/world
 
+ # This is a bit brittle as it depends on PATH_MAX.
+ # We could use sysconf..
+ bad_pwd="/${(l:16000:: :):-}"
+ print ${bad_pwd:P}
+0:modifier ':P' with path too long
+?(eval):2: path expansion failed, using root directory
+>/
+
  foo=a
  value="ac"
  print ${value//[${foo}b-z]/x}
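Review bot: The literal 16000 ties this test to the buffer sizes in utils.c (they are small multiples of PATH_MAX there), so on a platform with a larger PATH_MAX the expansion succeeds, the expected `path expansion failed` line never appears and the test fails for the wrong reason; the comment acknowledges this but the commit leaves the number fixed. If `getconf` is acceptable in the test environment, the padding can be derived from the system value with a fallback, e.g. `pm=$(getconf PATH_MAX / 2>/dev/null); [[ $pm = <-> ]] || pm=4096` followed by `bad_pwd="/${(l:$((pm*4)):: :):-}"` (constructed sketch; the multiplier only needs to exceed the largest PATH_MAX factor used in utils.c). Either way the comment should name the dependency concretely, e.g. `# Must exceed PATH_MAX*3+1, the size of xbuf2 in Src/utils.c.`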


