Buffer overflow in "!" handling?
From: DragonK @ 2009-02-25 9:42 UTC
To: zsh-workers

Hello,

I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related to the handling of the "!" character in the command line (Linux).

It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh prompt (works better if zsh is compiled with stack protection, otherwise a lot of A's are needed :) ).

A quick look at the code indicates the problem to be in hist.c, function histsubchar(), where buf[256] is getting overflowed (*ptr is used to write to the buffer, but no check is made to see if ptr passed the end of buf). I might be wrong though, I only took a couple of minutes to look at the code.
Re: Buffer overflow in "!" handling?
From: Peter Stephenson @ 2009-02-25 10:26 UTC
To: DragonK; Cc: zsh-workers

On Wed, 25 Feb 2009 11:42:50 +0200 DragonK <dragonk@gmail.com> wrote:
> I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related
> to the handling of the "!" character in the command line (Linux).
>
> It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh
> prompt (works better if zsh is compiled with stack protection,
> otherwise a lot of A's are needed :) ).
>
> A quick look at the code indicates the problem to be in hist.c,
> function histsubchar(), where buf[256] is getting overflowed (*ptr is
> used to write to the buffer, but no check is made to see if ptr passed
> the end of buf). I might be wrong though, I only took a couple of
> minutes to look at the code.

You're right, that's nasty. See if you can get it to happen with this...

Index: Src/hist.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/hist.c,v
retrieving revision 1.86
diff -u -r1.86 hist.c
--- Src/hist.c 25 Nov 2008 18:39:04 -0000 1.86
+++ Src/hist.c 25 Feb 2009 10:24:08 -0000
@@ -394,9 +394,10 @@ zlong ev; static int marg = -1; static zlong mev = -1; - char buf[256], *ptr; + char *buf, *ptr; char *sline; Histent ehist; + size_t buflen; /* look, no goto's */ if (isfirstch && c == hatchar) {
@@ -445,7 +446,7 @@ return bangchar; } cflag = 0; - ptr = buf; + ptr = buf = zhalloc(buflen = 265); /* get event number */
@@ -455,8 +456,14 @@ c = ingetc(); if (c == '?' || c == '\n' || lexstop) break; - else + else { *ptr++ = c; + if (ptr == buf + buflen) { + buf = hrealloc(buf, buflen, 2 * buflen); + ptr = buf + buflen; + buflen *= 2; + } + } } if (c != '\n' && !lexstop) c = ingetc();
@@ -484,6 +491,11 @@ break; } *ptr++ = c; + if (ptr == buf + buflen) { + buf = hrealloc(buf, buflen, 2 * buflen); + ptr = buf + buflen; + buflen *= 2; + } if (c == '#' || c == bangchar) { c = ingetc(); break;

-- 
Peter Stephenson <pws@csr.com>
Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK
Tel: +44 (0)1223 692070
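Review bot: in the hunk at -445,7 +446,7 the initial allocation `ptr = buf = zhalloc(buflen = 265);` uses 265 where the array it replaces was `char buf[256]`; it is harmless because the buffer now grows on demand, but it reads like a typo, and the mismatch with the 256 quoted everywhere else in this thread will puzzle the next reader. Suggest `zhalloc(buflen = 256)` or a named constant shared with any other code that assumes the old size.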
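Review bot: in the hunk at -455,8 +456,14 the growth check `if (ptr == buf + buflen)` is placed immediately after the store `*ptr++ = c;`, which guarantees `ptr < buf + buflen` whenever the loop exits and so leaves room for a terminator written after the loop. That ordering is what makes the fix correct and deserves a one-line comment next to the check, since a later change that moves the check before the store, or adds an unchecked write after the loop, would silently reintroduce the overflow.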
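Review bot: the hunk at -484,6 +491,11 is a second verbatim copy of the four-line grow block from the previous hunk (`buf = hrealloc(buf, buflen, 2 * buflen); ptr = buf + buflen; buflen *= 2;`). Factoring it into a small static helper that takes `&buf`, `&ptr` and `&buflen` keeps the two call sites from drifting apart and makes the "grow when full" invariant auditable in one place.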
Re: Buffer overflow in "!" handling?
From: DragonK @ 2009-02-25 11:39 UTC
To: Peter Stephenson; Cc: zsh-workers

> You're right, that's nasty. See if you can get it to happen with this...

I've applied the patch and it seems to work now; as far as I understand from the comments in mem.c, memory allocated with zhalloc() doesn't need to be explicitly free()d, right?
Re: Buffer overflow in "!" handling?
From: Peter Stephenson @ 2009-02-25 11:42 UTC
To: DragonK; Cc: zsh-workers

DragonK wrote:
> > You're right, that's nasty. See if you can get it to happen with this...
>
> I've applied the patch and it seems to work now; as far as I
> understand from the comments in mem.c, memory allocated with zhalloc()
> doesn't need to be explicitly free()d, right?

Yes, that's correct; the heap of memory is popped in one go when we return to the top level of processing. The hrealloc() is a bit of a hack... we're not really reallocating heap most of the time, we're just allocating more somewhere else, but from the API point of view it's the simplest thing to do in the rare cases where we really need more than 256 words.

Thanks for looking.

-- 
Peter Stephenson <pws@csr.com>
Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK
Tel: +44 (0)1223 692070
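The grow-on-full scan from the fix above, as an added example that is not zsh's code: it swaps zhalloc()/hrealloc() for the standard malloc()/realloc() so it runs stand-alone, stops at '?' or a newline like the event-number loop in the patch, and keeps the check right after each store so the terminating NUL always fits. The names collect_event, make_as and check_growth are chosen here, and the input of repeated 'A's is constructed.

```c
#include <stdlib.h>
#include <string.h>

#define INITIAL_LEN 256   /* size of the original fixed buf[256] */

/* Scan `in` up to '?', '\n' or end of input into a growable buffer. The
 * grow-on-full check sits right after each store, as in the hist.c fix, but
 * malloc()/realloc() stand in for zsh's zhalloc()/hrealloc(). Returns a
 * malloc'd NUL-terminated copy (caller frees) or NULL on allocation failure;
 * *cap_out receives the final capacity. */
char *collect_event(const char *in, size_t *cap_out)
{
    size_t buflen = INITIAL_LEN;
    char *buf = malloc(buflen), *ptr = buf;
    if (!buf) return NULL;
    for (; *in && *in != '?' && *in != '\n'; in++) {
        *ptr++ = *in;
        if (ptr == buf + buflen) {      /* full: double before the next write */
            char *nbuf = realloc(buf, 2 * buflen);
            if (!nbuf) { free(buf); return NULL; }
            buf = nbuf;
            ptr = buf + buflen;         /* same offset in the new buffer */
            buflen *= 2;
        }
    }
    *ptr = '\0';                        /* always fits: ptr < buf + buflen here */
    if (cap_out)
        *cap_out = buflen;
    return buf;
}

/* Constructed input: n 'A's then '\n', like the "!AAAA...A" in the report. */
static char *make_as(size_t n)
{
    char *s = malloc(n + 2);
    if (s) { memset(s, 'A', n); s[n] = '\n'; s[n + 1] = '\0'; }
    return s;
}

/* 1 if collect_event() kept all n bytes and finished with capacity expect_cap:
 * 255 bytes stay at 256, the 256th byte triggers growth to 512, 1000 end at 1024. */
int check_growth(size_t n, size_t expect_cap)
{
    size_t cap = 0;
    char *in = make_as(n), *out = in ? collect_event(in, &cap) : NULL;
    int ok = out && strlen(out) == n && cap == expect_cap;
    free(in); free(out);
    return ok;
}
```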