List-Id: Zsh Workers List
X-Seq: 41282
From: Branden Archer
Date: Tue, 13 Jun 2017 09:26:32 -0400
Subject: NULL pointer dereference in zsh 5.3.1 with builtin chdir
To: zsh-workers@zsh.org

A NULL pointer dereference has been discovered in zsh 5.3.1 when built for x86. The details are as follows:

- A script starts with #!/bin/sh, but /bin/sh is a symlink to /bin/zsh.
- The script is executed with execve() by invoking "/bin/sh -c script", and no environment variables are added. This results in only the following environment variables being present inside of the script:

    LOGNAME=root
    SHLVL=1
    PWD=/usr/share
    OLDPWD=/home/root
    _=/usr/bin/env

- The script cd's into another directory, then invokes 'cd' by itself to change directories to the home directory.
- If the top of the script is #!/bin/zsh the issue does not happen.
- The issue also does not happen on bash.

Following is a shell session which, when the environment is stripped down, also reproduces the issue:

    root~# echo $ZSH_VERSION
    5.3.1
    root~# /bin/ls -l /bin/sh
    lrwxrwxrwx 1 root root 8 Jun 12 11:09 /bin/sh -> /bin/zsh
    root~# /usr/bin/env
    LOGNAME=root
    SHLVL=1
    PWD=/home/root
    OLDPWD=/home/root
    PS1=root~#
    _=/usr/bin/env
    root~# /bin/cat test.sh
    #!/bin/sh
    set -x
    cd /usr/share
    pwd
    env
    cd
    root~# ./test.sh
    + cd /usr/share
    + pwd
    /usr/share
    + env
    LOGNAME=root
    SHLVL=2
    PWD=/usr/share
    OLDPWD=/home/root
    PS1=root~#
    _=/usr/bin/env
    + cd
    zsh: segmentation fault (core dumped)  ./test.sh

The following is the backtrace from the crash from gdb:

    #0  cd_do_chdir (hard=0, dest=0x0, cnam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:990
    #1  cd_get_dest (func=10, hard=0, argv=0x8184fe8, nam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:939
    #2  bin_cd (nam=0x8184fe0 "cd", argv=0x8184fe8, ops=0xbfa47b94, func=10) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:836
    #3  0x08056a70 in execbuiltin (args=0x8184fc8, assigns=0x0, bn=0x8160534 ) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:485
    #4  0x080629a4 in execcmd_exec (state=state@entry=0xbfa4a654, eparams=eparams@entry=0xbfa48e08, input=input@entry=0, output=0, how=18, last1=2) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:3854
    #5  0x080632c8 in execpline2 (state=state@entry=0xbfa4a654, pcode=pcode@entry=2755, how=how@entry=18, input=0, output=0, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1861
    #6  0x0806384e in execpline (state=state@entry=0xbfa4a654, slcode=, how=how@entry=18, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1591
    #7  0x08064681 in execlist (state=0xbfa4a654, dont_change_job=1, exiting=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1349
    #8  0x08082fcb in execif (state=0xbfa4a654, do_exec=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/loop.c:572
    #9  0x08062485 in execcmd_exec (state=state@entry=0xbfa4a654, eparams=eparams@entry=0xbfa4a328, input=input@entry=0, output=0, how=18, last1=2) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:3680
    #10 0x080632c8 in execpline2 (state=state@entry=0xbfa4a654, pcode=pcode@entry=1219, how=how@entry=18, input=0, output=0, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1861
    #11 0x0806384e in execpline (state=state@entry=0xbfa4a654, slcode=, how=how@entry=18, last1=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1591
    #12 0x08064681 in execlist (state=0xbfa4a654, dont_change_job=0, exiting=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1349
    #13 0x08064bfc in execode (p=0x8181d28, dont_change_job=0, exiting=0, context=0x8114721 "toplevel") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/exec.c:1130
    #14 0x08076076 in loop (toplevel=1, justonce=0) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/init.c:208
    #15 0x08078de0 in zsh_main (argc=2, argv=0xbfa4a914) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/init.c:1692
    #16 0x0804ae13 in main (argc=2, argv=0xbfa4a914) at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/main.c:93

Note that in frame #1 the dir pointer is the following:

    (gdb) frame 1
    #1  cd_get_dest (func=10, hard=0, argv=0x8184fe8, nam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:939
    939         if (!(dest = cd_do_chdir(nam, getdata(dir), hard))) {
    (gdb) print dir
    $3 = (LinkNode) 0x817f750
    (gdb) print *dir
    $4 = {next = 0x8189338, prev = 0x81876b8, dat = 0x0}

And I assume that getdata(dir) simply returns the dat item, which is null. When that is dereferenced later, a NULL pointer dereference occurs:

    (gdb) frame 0
    #0  cd_do_chdir (hard=0, dest=0x0, cnam=0x8184fe0 "cd") at /usr/src/debug/zsh/5.3.1-r0/zsh-5.3.1/Src/builtin.c:990
    990         nocdpath = dest[0] == '.' &&

If you have questions about this issue, let me know.

- Branden
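As an added illustration (not zsh's code and not part of the report above), here is a hypothetical, simplified resolver for the target of `cd [arg]` that rejects a missing HOME or OLDPWD before anything inspects dest[0]; the constructed STRIPPED_ENV reproduces the environment shown in the report, and the continuation of the nocdpath expression beyond the fragment the report quotes is my assumption.

```c
#include <stdio.h>
#include <string.h>
/* Constructed environments. STRIPPED_ENV matches the one in the report:
 * HOME is absent, so a bare `cd` has no target. HOME_ENV adds it back. */
static const char *const STRIPPED_ENV[] = {
    "LOGNAME=root", "SHLVL=1", "PWD=/usr/share",
    "OLDPWD=/home/root", "_=/usr/bin/env", NULL
};
static const char *const HOME_ENV[] = { "HOME=/root", "PWD=/usr/share", NULL };
char cd_err[64] = "";  /* last resolve_cd_dest error, "" on success */

/* Hypothetical getenv() over an explicit envp array, so the example runs
 * stand-alone without touching the real process environment. */
static const char *env_lookup(const char *const *envp, const char *name) {
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Resolve the target of `cd [arg]`. Every case that can yield a missing
 * string is rejected here, before any caller inspects dest[0], which is
 * the check the crashing path in the report lacked for $HOME. */
const char *resolve_cd_dest(const char *arg, const char *const *envp) {
    const char *var, *dest;
    cd_err[0] = '\0';
    if (arg == NULL)                      /* bare `cd`: go to $HOME */
        var = "HOME";
    else if (strcmp(arg, "-") == 0)       /* `cd -`: go to $OLDPWD */
        var = "OLDPWD";
    else
        return arg;                       /* explicit path */
    dest = env_lookup(envp, var);
    if (dest == NULL || *dest == '\0') {
        snprintf(cd_err, sizeof cd_err, "cd: %s not set", var);
        return NULL;                      /* caller prints cd_err, no chdir */
    }
    return dest;
}

/* Is dest a relative '.' or '..' path (CDPATH must not be searched)?
 * Modelled on the fragment at the crash site (assumed continuation), but
 * only reached with a dest that resolve_cd_dest guaranteed non-NULL. */
int nocdpath(const char *dest) {
    return dest[0] == '.' &&
           (dest[1] == '\0' || dest[1] == '/' ||
            (dest[1] == '.' && (dest[2] == '\0' || dest[2] == '/')));
}
```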