From: Peter Stephenson
To: zsh-workers@zsh.org
Cc: Eduardo Bustamante
Subject: Re: Zsh parser buffer overflow - xsymlink
Date: Tue, 09 May 2017 17:01:15 +0100
Message-id: <20170509170115.38bcd963@pwslap01u.europe.root.pri>
List-Id: Zsh Workers List
X-Seq: 41081
On Tue, 9 May 2017 10:05:38 -0500 Eduardo Bustamante wrote:
> The following seems to cause some sort of recursive expansion:
>
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
> ${(r0$0)}
> $_:P

It's exceeding a fixed buffer length without checking. The test is a bit brittle --- it assumes PATH_MAX isn't much longer than the usual value. It could be cleverer about checking.

By the way, I'm leaving the couple of crashes I haven't looked at for others.

pws

diff --git a/Src/utils.c b/Src/utils.c index ea4b34b..5eb936b 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -886,7 +886,7 @@ xsymlinks(char *s, int full) char **pp, **opp; char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1]; int t0, ret = 0; - zulong xbuflen = strlen(xbuf); + zulong xbuflen = strlen(xbuf), pplen; opp = pp = slashsplit(s); for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) { 
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full) xbuflen--; continue; } - sprintf(xbuf2, "%s/%s", xbuf, *pp); + /* Includes null byte. */ + pplen = strlen(*pp) + 1; + if (xbuflen + pplen + 1 > sizeof(xbuf2)) { + *xbuf = 0; + ret = -1; + break; + } + memcpy(xbuf2, xbuf, xbuflen); + xbuf2[xbuflen] = '/'; + memcpy(xbuf2 + xbuflen + 1, *pp, pplen); t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX); if (t0 == -1) { - zulong pplen = strlen(*pp) + 1; if ((xbuflen += pplen) < sizeof(xbuf)) { strcat(xbuf, "/"); strcat(xbuf, *pp); diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst index 413381f..0ff6968 100644 --- a/Test/D02glob.ztst +++ b/Test/D02glob.ztst @@ -687,6 +687,14 @@ 0:modifier ':P' resolves symlinks before '..' components *>*glob.tmp/hello/world + # This is a bit brittle as it depends on PATH_MAX. + # We could use sysconf.. + bad_pwd="/${(l:16000:: :):-}" + print ${bad_pwd:P} +0:modifier ':P' with path too long +?(eval):2: path expansion failed, using root directory +>/ + foo=a value="ac" print ${value//[${foo}b-z]/x}
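Review bot: in the first Src/utils.c hunk (@@ -886,7), `pplen` is hoisted to function scope and declared uninitialised on the same line as `xbuflen`, so its meaning (component length including the terminating NUL) is now only explained by the "Includes null byte." comment in the second hunk; a short comment on the declaration, e.g. `zulong xbuflen = strlen(xbuf), pplen; /* strlen(*pp) + 1 */`, would keep that obvious at the point of declaration.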
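Review bot: in the second Src/utils.c hunk (@@ -907,10), the failure path `*xbuf = 0; ret = -1; break;` discards the whole path accumulated so far rather than just the offending component, which is what the new test's "path expansion failed, using root directory" output relies on; a one-line comment there stating that the caller reports the failure and falls back to "/" would make that intent explicit. The check itself, `xbuflen + pplen + 1 > sizeof(xbuf2)`, accounts for every byte the following lines write (xbuflen bytes of xbuf, one byte for '/', pplen bytes of *pp including its NUL), so the two memcpy calls cannot run past xbuf2 the way the removed `sprintf(xbuf2, "%s/%s", xbuf, *pp)` could. Note that the surviving `if ((xbuflen += pplen) < sizeof(xbuf))` in the `readlink` failure branch still depends on `pplen` having been computed before `readlink`, which the hoisted assignment preserves.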
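Review bot: in the Test/D02glob.ztst hunk, the 16000-space path only reaches the new check while `PATH_MAX*3+1` stays below 16001, which holds for the common PATH_MAX values of 4096 and 1024 but not for an arbitrary platform, as the in-test comment already admits; deriving the length from the system, for example via `getconf PATH_MAX /` or the `sysconf` the comment mentions, would make the test hold wherever PATH_MAX is larger. The expected `?(eval):2:` line is tied to `print ${bad_pwd:P}` being the second line of the test body, so any line added above it will need that number updated.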
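The kind of check the patch adds, as an added stand-alone C example (not zsh's code): a bounds-checked join of a path prefix and one component into a fixed buffer, with the unchecked sprintf it replaces noted in a comment. The buffer size JOIN_BUF and the static target joined[] are hypothetical, shrunk so the exact-fit and one-byte-over cases are easy to see.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, shrunk from the PATH_MAX-derived sizes in the
 * patch so that the exact-fit and one-byte-over cases are easy to exercise. */
#define JOIN_BUF 16

static char joined[JOIN_BUF];    /* fixed-size target, standing in for xbuf2 */

/* Build "<prefix>/<comp>" in joined[].  Returns strlen of the result, or -1
 * when prefix, the '/' separator, comp and its terminating NUL would not fit;
 * joined[] is left untouched in that case.  The unchecked form of this is
 * sprintf(joined, "%s/%s", prefix, comp), which is what overflowed. */
int join_component(const char *prefix, const char *comp)
{
    size_t prefixlen = strlen(prefix);
    size_t complen = strlen(comp) + 1;   /* includes the NUL, as in the patch */

    /* prefix + '/' + comp + NUL must fit in the buffer */
    if (prefixlen + complen + 1 > sizeof(joined))
        return -1;
    memcpy(joined, prefix, prefixlen);
    joined[prefixlen] = '/';
    memcpy(joined + prefixlen + 1, comp, complen);
    return (int)(prefixlen + complen);   /* '/' plus comp add complen chars */
}

const char *joined_path(void)
{
    return joined;
}

int main(void)
{
    /* Constructed inputs: a 15-character result plus NUL exactly fills the
     * 16-byte buffer; one more character is rejected instead of written past it. */
    printf("%d %s\n", join_component("/usr", "0123456789"), joined_path());
    printf("%d\n", join_component("/usr", "0123456789a"));
    return 0;
}
```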