From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: Aaron Esau <arinerron@protonmail.com>
Cc: "zsh-workers@zsh.org" <zsh-workers@zsh.org>,
Peter Stephenson <p.w.stephenson@ntlworld.com>
Subject: Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c
Date: Wed, 20 May 2020 00:40:15 +0000 [thread overview]
Message-ID: <20200520004015.1689d22b@tarpaulin.shahaf.local2> (raw)
In-Reply-To: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
Aaron Esau wrote on Tue, 19 May 2020 06:48 +0000:
> The following code in check_colon_subscript in subst.c checks if the value at a pointer obtained from a call to parse_subscript is NULL:
>
> *endp = parse_subscript(str, 0, ':');
> if (!*endp) {
> /* No trailing colon? */
> *endp = parse_subscript(str, 0, '\0');
> if (!*endp)
> return NULL;
> }
>
> However, the pointer itself can be NULL. [...]
>
> ## Patch
>
> diff --git Src/subst.c Src/subst.c
> index 90b5fc121..ac12c6d0e 100644
> --- Src/subst.c
> +++ Src/subst.c
> @@ -1571,10 +1571,10 @@ check_colon_subscript(char *str, char **endp)
> }
>
Your MUA corrupted the patch by munging the trailing whitespace.
You generated the patch without the a/ and b/ prefixes. I tried this
once but discovered (to my dismay) that «git apply» doesn't apply such
patches by default. How do you deal with that?
> *endp = parse_subscript(str, 0, ':');
> - if (!*endp) {
> + if (endp && !*endp) {
> /* No trailing colon? */
> *endp = parse_subscript(str, 0, '\0');
> - if (!*endp)
> + if (endp && !*endp)
> return NULL;
> }
> sav = **endp;
endp has already been dereferenced by the time you have it tested for
NULL. Thus, this patch is a no-op. In fact, you'll probably find the
(optimized) object code generated for this snippet is not changed by
applying this patch. If this patch changes the behaviour at all, that'd
be a compiler bug.
Besides, all callers pass non-NULL values for endp.
Did you post the correct patch?
Daniel
prev parent reply other threads:[~2020-05-20 0:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-19 6:48 [BUG] Two vulnerabilities in zsh Aaron Esau
2020-05-19 17:04 ` Daniel Shahaf
2020-05-19 20:38 ` Peter Stephenson
2020-05-20 0:45 ` Daniel Shahaf
2020-05-22 18:56 ` Peter Stephenson
2020-05-22 21:47 ` Peter Stephenson
2020-05-23 2:17 ` Daniel Shahaf
2020-05-23 16:45 ` Peter Stephenson
2020-05-20 0:40 ` Daniel Shahaf [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200520004015.1689d22b@tarpaulin.shahaf.local2 \
--to=d.s@daniel.shahaf.name \
--cc=arinerron@protonmail.com \
--cc=p.w.stephenson@ntlworld.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).