A NULL pointer dereference has been discovered in zsh 5.3.1 when built for x86. The details are as follows:

- A script starts with #!/bin/sh, but /bin/sh is a symlink to /bin/zsh
- The script is executed with execve() by invoking "/bin/sh -c script", and no environment variables are added. This results in only the following environment variables being present inside of the script:

  LOGNAME=root
  SHLVL=1
  PWD=/usr/share
  OLDPWD=/home/root
  _=/usr/bin/env

- The script cd's into another directory, then invokes 'cd' by itself to change directories to the home directory.
- If the top of the script is #!/bin/zsh the issue does not happen
- The issue also does not happen on bash

Following is a shell session which, when the environment is stripped down, also reproduces the issue:

root~# echo $ZSH_VERSION
5.3.1
root~# /bin/ls -l /bin/sh
lrwxrwxrwx 1 root root 8 Jun 12 11:09 /bin/sh -> /bin/zsh
root~# /usr/bin/env
LOGNAME=root
SHLVL=1
PWD=/home/root
OLDPWD=/home/root
PS1=root~#
_=/usr/bin/env
root~# /bin/cat test.sh
#!/bin/sh
set -x
cd /usr/share
pwd
env
cd
root~# ./test.sh
+ cd /usr/share
+ pwd
/usr/share
+ env
LOGNAME=root
SHLVL=2
PWD=/usr/share
OLDPWD=/home/root
PS1=root~#
_=/usr/bin/env
+ cd
zsh: segmentation fault (core dumped)  ./test.sh

The following is the backtrace from the crash from gdb:

#0  cd_do_chdir (hard=0, dest=0x0, cnam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:990
#1  cd_get_dest (func=10, hard=0, argv=0x8184fe8, nam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:939
#2  bin_cd (nam=0x8184fe0 "cd", argv=0x8184fe8, ops=0xbfa47b94, func=10) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:836
#3  0x08056a70 in execbuiltin (args=0x8184fc8, assigns=0x0, bn=0x8160534 ) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:485
#4  0x080629a4 in execcmd_exec (state=state@entry=0xbfa4a654, eparams=eparams@entry=0xbfa48e08, input=input@entry=0, output=0, how=18, last1=2) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:3854
#5  0x080632c8 in execpline2 (state=state@entry=0xbfa4a654, pcode=pcode@entry=2755, how=how@entry=18, input=0, output=0, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1861
#6  0x0806384e in execpline (state=state@entry=0xbfa4a654, slcode=, how=how@entry=18, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1591
#7  0x08064681 in execlist (state=0xbfa4a654, dont_change_job=1, exiting=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1349
#8  0x08082fcb in execif (state=0xbfa4a654, do_exec=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/loop.c:572
#9  0x08062485 in execcmd_exec (state=state@entry=0xbfa4a654, eparams=eparams@entry=0xbfa4a328, input=input@entry=0, output=0, how=18, last1=2) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:3680
#10 0x080632c8 in execpline2 (state=state@entry=0xbfa4a654, pcode=pcode@entry=1219, how=how@entry=18, input=0, output=0, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1861
#11 0x0806384e in execpline (state=state@entry=0xbfa4a654, slcode=, how=how@entry=18, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1591
#12 0x08064681 in execlist (state=0xbfa4a654, dont_change_job=0, exiting=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1349
#13 0x08064bfc in execode (p=0x8181d28, dont_change_job=0, exiting=0, context=0x8114721 "toplevel") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1130
#14 0x08076076 in loop (toplevel=1, justonce=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/init.c:208
#15 0x08078de0 in zsh_main (argc=2, argv=0xbfa4a914) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/init.c:1692
#16 0x0804ae13 in main (argc=2, argv=0xbfa4a914) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/main.c:93

Note that in frame #1 the dir pointer is the following:

(gdb) frame 1
#1  cd_get_dest (func=10, hard=0, argv=0x8184fe8, nam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:939
939         if (!(dest = cd_do_chdir(nam, getdata(dir), hard))) {
(gdb) print dir
$3 = (LinkNode) 0x817f750
(gdb) print *dir
$4 = {next = 0x8189338, prev = 0x81876b8, dat = 0x0}

And I assume that getdata(dir) simply returns the dat item, which is null. When that is dereferenced later, a NULL pointer dereference occurs:

(gdb) frame 0
#0  cd_do_chdir (hard=0, dest=0x0, cnam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:990
990         nocdpath = dest[0] == '.' &&

If you have questions about this issue, let me know.

- Branden
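The failure mode in the report is a bare `cd` whose destination comes from an environment that has no HOME, so the destination string is NULL by the time its first character is inspected. The following is an added, self-contained C illustration of that pattern and of the guard that prevents it; it is not zsh's code and does not reproduce zsh's data structures. The function names (`env_lookup`, `resolve_cd_dest`, `unsafe_nocdpath`, the `*_case` helpers) and the two environment arrays are hypothetical and constructed for the example; the "stripped" array mirrors the variable set shown in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample environments (NAME=value strings, NULL-terminated).
   The stripped one matches the variable set the report shows inside test.sh:
   no HOME at all. */
static const char *const full_env[] = {
    "LOGNAME=root", "HOME=/home/root", "PWD=/usr/share", NULL
};
static const char *const stripped_env[] = {
    "LOGNAME=root", "SHLVL=1", "PWD=/usr/share", "OLDPWD=/home/root",
    "_=/usr/bin/env", NULL
};

/* Hypothetical stand-in for getenv() that searches an explicit array, so the
   example does not depend on the real process environment. */
static const char *env_lookup(const char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; *env != NULL; env++) {
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    }
    return NULL;
}

/* Unsafe shape, shown for contrast: inspects dest[0] without first checking
   that dest is non-NULL. Calling this with NULL is exactly the crash in the
   report, so the example never invokes it with a NULL argument. */
static int unsafe_nocdpath(const char *dest) {
    return dest[0] == '.';
}

/* Hardened resolver for `cd` / `cd dir`. A bare `cd` takes HOME from env; if
   HOME is absent the function reports failure instead of handing a NULL
   string to the "does this start with '.'?" test. Returns 1 on success and
   fills *dest and *nocdpath, 0 when there is no destination to use. */
int resolve_cd_dest(const char *arg, const char *const *env,
                    const char **dest, int *nocdpath) {
    const char *d = (arg != NULL) ? arg : env_lookup(env, "HOME");
    *dest = NULL;
    *nocdpath = 0;
    if (d == NULL)            /* the missing guard: HOME unset, nothing to cd to */
        return 0;
    *nocdpath = unsafe_nocdpath(d); /* safe here: d is known to be non-NULL */
    *dest = d;
    return 1;
}

/* Named cases so results can be checked by return value. */
int home_unset_case(void) {          /* bare cd, no HOME: must not crash */
    const char *d; int n;
    return resolve_cd_dest(NULL, stripped_env, &d, &n) == 0 && d == NULL;
}
int home_set_case(void) {            /* bare cd, HOME present */
    const char *d; int n;
    return resolve_cd_dest(NULL, full_env, &d, &n) == 1
        && strcmp(d, "/home/root") == 0 && n == 0;
}
int explicit_arg_case(void) {        /* cd ./x with stripped env: arg wins */
    const char *d; int n;
    return resolve_cd_dest("./x", stripped_env, &d, &n) == 1 && n == 1;
}

int main(void) {
    printf("bare cd, HOME unset -> handled without dereference: %s\n",
           home_unset_case() ? "yes" : "no");
    printf("bare cd, HOME set   -> resolves to HOME: %s\n",
           home_set_case() ? "yes" : "no");
    printf("cd ./x, HOME unset  -> explicit argument used: %s\n",
           explicit_arg_case() ? "yes" : "no");
    return 0;
}
```

The point of the guard is that the NULL originates in the environment, not in the caller's argument list, so the check belongs where the HOME lookup result is first used rather than at the `cd` call site. Reproducing the report's condition for testing is just a matter of running the script under a minimal environment (as the report does with `/usr/bin/env`), which is also a reasonable regression case for any shell builtin that falls back to an environment variable.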