* Discovery of 3 Bugs in Zsh
@ 2023-04-22 17:44 Johenan Li
2023-04-22 20:55 ` Bart Schaefer
2023-04-22 21:03 ` Bart Schaefer
0 siblings, 2 replies; 3+ messages in thread
From: Johenan Li @ 2023-04-22 17:44 UTC (permalink / raw)
To: zsh-workers
Dear zsh-workers@zsh.org team,
I am a user of zsh and recently I have discovered three bugs in the software. The first bug is related to a buffer overflow, the second one involves gdb traceback information (the type of bug is unclear), and the third one was identified through asan reports of a memory leak.
I am providing my compilation options and related information to help you better understand these issues. I have also attached the files that reproduce these bugs.
Machine and OS: Ubuntu 20.04.1 x86-64
Compilation flags: "./configure --enable-zsh-debug CC=afl-cc CXX=afl-c++" with ASan and UBSan instrumentation.
The bugs can be replicated by running the following commands:
1. zsh < bug_4
2. zsh < bug_7
3. The memory leak can be triggered by running zsh and then immediately exiting.
bug_4
[Detaching after fork from child process 16485]
zsh: command not found: reboot
=================================================================
==16469==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555a916f32df at pc 0x555a909ad412 bp 0x7fff064b7f30 sp 0x7fff064b7f28
READ of size 1 at 0x555a916f32df thread T0
[Detaching after fork from child process 16486]
#0 0x555a909ad411 in getjobtext /src/zsh/Src/text.c:338:9
#1 0x555a907ab2f3 in execpline2 /src/zsh/Src/exec.c:1995:6
#2 0x555a9078903e in execpline /src/zsh/Src/exec.c:1728:5
#3 0x555a90785d97 in execlist /src/zsh/Src/exec.c:1482:7
#4 0x555a90783ddf in execode /src/zsh/Src/exec.c:1263:5
#5 0x555a90824335 in loop /src/zsh/Src/init.c:212:6
#6 0x555a908339f1 in zsh_main /src/zsh/Src/init.c:1928:6
#7 0x7f274b581d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#8 0x7f274b581e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#9 0x555a90646a84 in _start (/src/zsh/Src/zsh+0xe5a84) (BuildId: c199c076f6fac1efdb3142a08f2ffe511ebca5a0)
0x555a916f32df is located 1 bytes to the left of global variable 'jbuf' defined in 'text.c:317:17' (0x555a916f32e0) of size 80
0x555a916f32df is located 30 bytes to the right of global variable 'tjob' defined in 'text.c' (0x555a916f32c0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow /src/zsh/Src/text.c:338:9 in getjobtext
Shadow bytes around the buggy address:
==16469==ABORTING
[Inferior 1 (process 16469) exited with code 01]
bug_17
Reading symbols from zsh...
(gdb) r < /src/fuzzResult/zsh_crashes/crashes/bug_17
Starting program: /src/zsh/Src/zsh < /src/fuzzResult/zsh_crashes/crashes/bug_17
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 16468]
zsh: no such file or directory: 1dI\M-^^
Program received signal SIGILL, Illegal instruction.
0x00005593ef6e5401 in addfd (forked=<optimized out>, save=<optimized out>, mfds=<optimized out>, fd1=<optimized out>, fd2=<optimized out>, rflag=<optimized out>, varid=<optimized out>) at exec.c:2462
2462 mfds[fd1]->pipe = pipes[1 - rflag];
(gdb) bt
#0 0x00005593ef6e5401 in addfd (forked=<optimized out>, save=<optimized out>, mfds=<optimized out>, fd1=<optimized out>, fd2=<optimized out>,
rflag=<optimized out>, varid=<optimized out>) at exec.c:2462
#1 0x00005593ef6d9831 in execcmd_exec (state=<optimized out>, eparams=<optimized out>, input=<optimized out>, output=<optimized out>,
how=<optimized out>, last1=2, close_if_forked=<optimized out>) at exec.c:3897
#2 0x00005593ef6d13b9 in execpline2 (state=<optimized out>, pcode=<optimized out>, how=<optimized out>, input=<optimized out>, output=<optimized out>,
last1=<optimized out>) at exec.c:2003
#3 0x00005593ef6af03f in execpline (state=0x7ffd09cfc540, slcode=<optimized out>, how=18, last1=-272253408) at exec.c:1728
#4 0x00005593ef6abd98 in execlist (state=<optimized out>, dont_change_job=<optimized out>, exiting=0) at exec.c:1482
#5 0x00005593ef6a9de0 in execode (p=<optimized out>, dont_change_job=<optimized out>, exiting=<optimized out>, context=<optimized out>) at exec.c:1263
#6 0x00005593ef74a336 in loop (toplevel=<optimized out>, justonce=<optimized out>) at init.c:212
#7 0x00005593ef7599f2 in zsh_main (argc=<optimized out>, argv=<optimized out>) at init.c:1928
#8 0x00007ff227c98d90 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#9 0x00007ff227c98e40 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00005593ef56ca85 in _start ()
exit command
=================================================================
==27287==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x55a248dac8ce in __interceptor_malloc (/usr/local/bin/zsh+0x1688ce) (BuildId: c199c076f6fac1efdb3142a08f2ffe511ebca5a0)
#1 0x55a248f6c517 in zalloc /src/zsh/Src/mem.c:966:26
#2 0x55a248f6b97f in pushheap /src/zsh/Src/mem.c:304:19
#3 0x55a248f067c3 in loop /src/zsh/Src/init.c:113:5
#4 0x55a248f169f1 in zsh_main /src/zsh/Src/init.c:1928:6
#5 0x7f0d29ea1d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
I would appreciate it if you could allocate appropriate CVE numbers for these issues and get back to me as soon as possible.
Thank you for your attention to this matter.
Sincerely,
MiniPython
[-- Attachment #2: bug_4_17.zip --]
[-- Type: application/x-zip-compressed, Size: 713 bytes --]
* Re: Discovery of 3 Bugs in Zsh
From: Bart Schaefer @ 2023-04-22 20:55 UTC (permalink / raw)
To: Johenan Li; +Cc: zsh-workers
On Sat, Apr 22, 2023 at 10:46 AM Johenan Li <liyuweiheng@outlook.com> wrote:
>
> Machine and OS: Ubuntu 20.04.1 x86-64
> Compilation flags: "./configure --enable-zsh-debug CC=afl-cc CXX=afl-c++" with ASan and UBSan instrumentation.
Which zsh sources did you compile?
> The bugs can be replicated by running the following commands:
> 1. zsh < bug_4
> 2. zsh < bug_7
> 3. The memory leak can be triggered by running zsh and then immediately exiting.
Thanks for reporting, but:
- bug_4 looks like a shell command history and won't produce equivalent results outside your local host. Furthermore, it contains a "reboot" command, as well as a "sudo" and a couple "vim", so I would not recommend anyone attempt sourcing it.
- bug_7 is not in the attached zip
- bug_17 is a binary file? Is it really intended to be directed to the shell input?
- memory that leaks only at shell exit (doesn't grow or leak repeatedly during shell execution) has not typically been considered a bug.
> I would appreciate it if you could allocate appropriate CVE numbers for these issues and get back to me as soon as possible.
We do not typically allocate CVEs unless an identified security issue has been found.
* Re: Discovery of 3 Bugs in Zsh
From: Bart Schaefer @ 2023-04-22 21:03 UTC (permalink / raw)
To: Johenan Li; +Cc: zsh-workers
On Sat, Apr 22, 2023 at 10:46 AM Johenan Li <liyuweiheng@outlook.com> wrote:
>
> #0 0x555a909ad411 in getjobtext /src/zsh/Src/text.c:338:9
>
> 0x555a916f32df is located 1 bytes to the left of global variable 'jbuf' defined in 'text.c:317:17' (0x555a916f32e0) of size 80
> 0x555a916f32df is located 30 bytes to the right of global variable 'tjob' defined in 'text.c' (0x555a916f32c0) of size 1
Perhaps there's some way to have a job with an empty jobtext?
diff --git a/Src/text.c b/Src/text.c
index 56127c457..8b1bd96b6 100644
--- a/Src/text.c
+++ b/Src/text.c
@@ -335,7 +335,7 @@ getjobtext(Eprog prog, Wordcode c)
tlim = tptr + JOBTEXTSIZE - 1;
tjob = 1;
gettext2(&s);
- if (tptr[-1] == Meta)
+ if (tptr > jbuf && tptr[-1] == Meta)
--tptr;
*tptr = '\0';
freeeprog(prog); /* mark as unused */
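Review bot: the added `tptr > jbuf` guard on the Meta check is the right minimal fix for the 1-byte read just left of `jbuf` that ASan reported at text.c:338, since `tptr[-1]` is `jbuf[-1]` whenever `gettext2(&s)` writes nothing; a short comment on that line saying that `tptr == jbuf` is reachable (empty job text) would keep the condition from reading as defensive noise, and a regression test feeding a pipeline whose job text is empty would pin the fix down.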
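A stand-alone model of the trailing-Meta trim that the patch above changes, added here as an example and not code from zsh: it places the unpatched and patched checks side by side so the empty-job-text case that ASan flagged can be exercised without the out-of-bounds read. The value of Meta and the `fill_jobtext` stand-in for `gettext2` are assumptions.

```c
/* Added example, not zsh code: models the trailing-Meta trim in
 * getjobtext() (Src/text.c) to show why tptr[-1] needs the tptr > jbuf
 * guard. Meta's byte value and the gettext2 stand-in are assumptions. */
#include <stddef.h>
#include <string.h>

#define META ((char)0x83)   /* zsh's Meta prefix byte; value assumed here */
#define JOBTEXTSIZE 80      /* size of jbuf per the ASan report */

static char jbuf[JOBTEXTSIZE];

/* Stand-in for gettext2(): copies the job text into jbuf and returns the
 * write pointer. An empty job text leaves the pointer at jbuf itself. */
static char *fill_jobtext(const char *text) {
    size_t n = strlen(text);
    if (n > JOBTEXTSIZE - 1)
        n = JOBTEXTSIZE - 1;
    memcpy(jbuf, text, n);
    return jbuf + n;
}

/* Unpatched logic. Returns -1 instead of performing the read that ASan
 * flagged: with nothing written, tptr[-1] is jbuf[-1], one byte before
 * the global buffer. */
int trim_meta_unpatched(const char *text) {
    char *tptr = fill_jobtext(text);
    if (tptr == jbuf)
        return -1;                 /* global-buffer-overflow in the real code */
    if (tptr[-1] == META)
        --tptr;
    *tptr = '\0';
    return (int)(tptr - jbuf);
}

/* Patched logic from the thread: the pointer comparison short-circuits
 * the tptr[-1] read, so an empty job text yields an empty string. */
int trim_meta_patched(const char *text) {
    char *tptr = fill_jobtext(text);
    if (tptr > jbuf && tptr[-1] == META)
        --tptr;
    *tptr = '\0';
    return (int)(tptr - jbuf);
}

/* Accessor so callers can inspect the trimmed text. */
const char *jobtext(void) { return jbuf; }
```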