From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44290
From: Oliver Kiddle
To: David Wells, zsh-workers@zsh.org
Subject: PATCH: #6 negative job id (Re: Zsh - Multiple DoS Vulnerabilities)
Date: Mon, 13 May 2019 23:11:13 +0200
Message-ID: <7897-1557781873.356639@G2HH.W-X3.36PY>

On 10 May, Bart wrote:
> > #6 Invalid read from *getjob* in *jobs.c*
> > POC folder: *06_getjob_(jobs.c_1935)*
>
> This one I fed to "zsh -xf" and got (file name removed for readability):
>
> +1> bg $'%\M-\C-?' $'\C-VI7'
> bg:1: no job control in this shell.
> +1> disown $'%777777777777777\M-^'

This can be reproduced with just %777777777777777 or %2147483648 for that
matter. Seems the value returned from atoi() wraps to negative values if it
doesn't fit in an int.

This patch prevents the crash but perhaps atoi() should be replaced with
something that does better error handling to cover numbers that are too big
but get truncated to something positive.

Oliver

diff --git a/Src/jobs.c b/Src/jobs.c
index 73d7f26da..50751decb 100644
--- a/Src/jobs.c
+++ b/Src/jobs.c
@@ -1932,7 +1932,7 @@ getjob(const char *s, const char *prog) /* a digit here means we have a job number */ if (idigit(*s)) { jobnum = atoi(s); - if (jobnum && jobnum <= mymaxjob && myjobtab[jobnum].stat && + if (jobnum > 0 && jobnum <= mymaxjob && myjobtab[jobnum].stat && !(myjobtab[jobnum].stat & STAT_SUBJOB) && /* * If running jobs in a subshell, we are allowed to
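Review bot: in the hunk at @@ -1932,7 the new `jobnum > 0` test closes the negative-index read into myjobtab[], but the unchanged line just above it, `jobnum = atoi(s);`, is still the root cause: atoi() has undefined behaviour when the digit string does not fit in an int (C11 7.22.1), so an over-long job number that happens to truncate to a small positive value still satisfies `jobnum <= mymaxjob` and quietly selects the wrong job, which the cover note itself anticipates. Suggest parsing with strtol() into a long, treating errno == ERANGE, a trailing non-digit, a value below 1 or a value above mymaxjob as "no such job", and only then narrowing to int; that turns the `> 0` check into an ordinary range check instead of a guard against wrap-around that the standard does not promise.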
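The bug class in the patch, as an added example that is not zsh's code: a job number parsed with atoi() and tested only for non-zero, next to the patched guard and a strtol()-based parser that rejects overflow and out-of-range values before any table is indexed. MAXJOB, job_stat, guard_before, guard_after, wrapped_atoi and parse_jobnum are hypothetical stand-ins for mymaxjob, myjobtab[].stat and the checks in getjob(), and the job table contents are constructed for the example.

```c
/* Added example, not zsh source. Names below are stand-ins for zsh's
 * mymaxjob / myjobtab[].stat / getjob() and are not the real ones. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXJOB 8   /* hypothetical size of the job table */

/* Constructed job table: index 0 is unused, jobs 1 and 3 exist,
 * every other slot is empty (stat == 0). */
static const int job_stat[MAXJOB + 1] = { 0, 1, 0, 1, 0, 0, 0, 0, 0 };

/* The guard as it was before the patch: only non-zero is required,
 * so a negative jobnum passes and would index job_stat[] before 0. */
int guard_before(int jobnum)
{
    return jobnum && jobnum <= MAXJOB;
}

/* The guard as patched: negative values are rejected. */
int guard_after(int jobnum)
{
    return jobnum > 0 && jobnum <= MAXJOB;
}

/* Mimics what atoi() does on common ABIs for digit strings that do not
 * fit in an int: parse as long, then narrow. "2147483648" becomes
 * INT_MIN on two's-complement targets. The standard leaves atoi()
 * undefined here and the narrowing implementation-defined; this exists
 * only to show why a non-zero test does not exclude negative values. */
int wrapped_atoi(const char *s)
{
    return (int)strtol(s, NULL, 10);
}

/* Hardened parser: returns the job number (1..maxjob) when s is a
 * complete decimal number naming an existing job, 0 otherwise.
 * Rejects non-digit starts, overflow (ERANGE), trailing characters
 * and values outside 1..maxjob, all before the table is touched. */
int parse_jobnum(const char *s, int maxjob)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')
        return 0;                      /* not a job number at all */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;                      /* too large, or trailing junk */
    if (v < 1 || v > maxjob)
        return 0;                      /* outside the table */
    if (!job_stat[v])
        return 0;                      /* slot exists but holds no job */
    return (int)v;                     /* safe: 1 <= v <= maxjob */
}

int main(void)
{
    const char *inputs[] = { "1", "3", "2", "2147483648", "777777777777777" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int w = wrapped_atoi(inputs[i]);
        printf("%-16s wrapped=%-12d guard_before=%d guard_after=%d parsed=%d\n",
               inputs[i], w, guard_before(w), guard_after(w),
               parse_jobnum(inputs[i], MAXJOB));
    }
    return 0;
}
```

parse_jobnum() deliberately refuses trailing characters; zsh's getjob() lets atoi() stop at the first non-digit, so an adaptation into real code would check `*end` against whatever the caller allows after the number rather than requiring end-of-string.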