From: Oliver Kiddle <okiddle@yahoo.co.uk>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: David Wells <bughunters@tenable.com>,
"zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities)
Date: Sat, 11 May 2019 03:45:25 +0200 [thread overview]
Message-ID: <58882-1557539125.040984@0wLk.G1UB.-8BX> (raw)
In-Reply-To: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
Bart wrote:
> > #7 Invalid read from *hasher *in *hashtable.c*
> > POC folder: *07_hasher_(hashtable.c_85)*
> +2> typeset -priTt CeE e
>
> and then just goes away until killed. Only that final typeset is
> necessary to reproduce the bug, the rest is irrelevant.
Actually all it needs is the combination of -T and -p along with
variables that aren't already tied.
With other relevant branches of bin_typeset() for things like
typeset -pi, we check for OPT_ISSET(ops, 'p') early and don't call
typeset_single(). (-m is an exception to this).
An alternative to the following patch would be to simply print an error.
This would just involve the -p test joining the -m test on the next
lines after the final bit of context. However, the behaviour as per this
patch is more consistent with other meaningless typeset combinations
like -pi and -pF.
I'm fairly certain that the second part of the patch renders the lines
removed in the first part as dead code but it'd be good if someone else
could check my logic which is as follows: Given -p, typeset_single() is
only now called when -m is set. usepm will always then be true because
with -m, pm will always be set and never with PM_UNSET. So we go into
the if (usepm) block on line 2193 which has early returns on every
branch.
Oliver
diff --git a/Src/builtin.c b/Src/builtin.c
index 49f017046..ca0ce35f5 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -2583,9 +2583,6 @@ typeset_single(char *cname, char *pname, Param pm, UNUSED(int func),
}
pm->node.flags |= (on & PM_READONLY);
- if (OPT_ISSET(ops,'p'))
- paramtab->printnode(&pm->node, PRINT_TYPESET);
-
return pm;
}
@@ -2714,7 +2711,7 @@ bin_typeset(char *name, char **argv, LinkList assigns, Options ops, int func)
(!isset(GLOBALEXPORT) && !OPT_ISSET(ops,'g')))
on |= PM_LOCAL;
- if (on & PM_TIED) {
+ if ((on & PM_TIED) && !OPT_ISSET(ops, 'p')) {
Param apm;
struct asgment asg0, asg2;
char *oldval = NULL, *joinstr;
next prev parent reply other threads:[~2019-05-11 1:46 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 15:03 Zsh - Multiple DoS Vulnerabilities David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21 ` Stephane Chazelas
2019-05-13 16:29 ` David Wells
2019-05-13 22:02 ` Bart Schaefer
2019-05-14 18:10 ` Stephane Chazelas
2019-05-14 21:24 ` Daniel Shahaf
2019-05-14 21:38 ` Bart Schaefer
2019-05-14 21:39 ` Daniel Shahaf
2019-05-14 22:25 ` Bart Schaefer
2019-05-15 10:48 ` Daniel Shahaf
2019-05-31 12:05 ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03 9:35 ` Peter Stephenson
2019-06-04 2:39 ` dana
2019-06-04 7:34 ` dana
2019-05-10 20:27 ` Zsh - Multiple DoS Vulnerabilities Bart Schaefer
2019-05-11 1:45 ` Oliver Kiddle [this message]
2019-05-13 9:01 ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Peter Stephenson
2019-05-13 21:11 ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44 ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36 ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14 0:13 ` Mikael Magnusson
2019-05-14 5:38 ` Bart Schaefer
2019-05-14 10:50 ` Peter Stephenson
2019-05-14 16:38 ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30 ` Oliver Kiddle
2019-05-15 16:50 ` Mikael Magnusson
2019-05-16 20:37 ` Peter Stephenson
2019-05-17 13:41 ` Mikael Magnusson
2019-05-17 13:51 ` Mikael Magnusson
2019-05-17 14:28 ` Mikael Magnusson
2019-05-18 10:31 ` Oliver Kiddle
2019-05-21 14:43 ` Oliver Kiddle
[not found] ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58882-1557539125.040984@0wLk.G1UB.-8BX \
--to=okiddle@yahoo.co.uk \
--cc=bughunters@tenable.com \
--cc=schaefer@brasslantern.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).