List-Id: Zsh Workers List
X-Seq: 44294
From: Mikael Magnusson
Date: Tue, 14 May 2019 02:13:05 +0200
Subject: Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
To: Oliver Kiddle
Cc: zsh-workers@zsh.org
In-Reply-To: <10142-1557786965.820774@PTYq.v5pM.vFPY>

On 5/14/19, Oliver Kiddle wrote:
> On 10 May, Bart wrote:
>> > #3 Invalid read from *dupstring *in *string.c*
>> > POC folder: *03_dupstring_(string.c_39)*
>>
>> This gives exactly the same errors as #2, and then exits with
>>
>> [long ugly filename]:87: parse error near `}'
>
> I've cut this one down to just:
>
> typeset Q= {X}
>
> That reliably seg faults for me. But that's about as far as I've
> been able to get - I'm not especially familiar with zsh's parsing
> code.

Yeah it looks like some stuff is not exactly going right here,

Breakpoint 2, taddassign (code=0, state=0x7fffffffcfc0, typeset=1) at text.c:187
187	    char *s = ecgetstr(state, EC_NODUP, NULL);
(gdb) p *state
$11 = {prog = 0x7ffff7ff23a8, pc = 0x7ffff7ff240c, strs = 0x7ffff7ff240c "typeset"}
(gdb) step
ecgetstr (s=0x7fffffffcfc0, dup=0, tokflag=0x0) at parse.c:2772
2772	    wordcode c = *s->pc++;
(gdb)
2775	    if (c == 6 || c == 7)
(gdb)
2777	    else if (c & 2) {
(gdb) p c
$12 = 1701869940
(gdb) p *s
$13 = {prog = 0x7ffff7ff23a8, pc = 0x7ffff7ff2410, strs = 0x7ffff7ff240c "typeset"}
(gdb) p *s->pc
$14 = 7628147
(gdb) p prog
No symbol "prog" in current context.
(gdb) p s->prog
$15 = (Eprog) 0x7ffff7ff23a8
(gdb) p *s->prog
$16 = {flags = 2, len = 52, npats = 0, nref = -1, pats = 0x7ffff7ff23e0, prog = 0x7ffff7ff23e0, strs = 0x7ffff7ff240c "typeset", shf = 0x0, dump = 0x0}
(gdb) p *s->prog->prog
$17 = 577
(gdb) p s->strs
$18 = 0x7ffff7ff240c "typeset"
(gdb) p s->strs+1
$19 = 0x7ffff7ff240d "ypeset"
(gdb) list
2772	    wordcode c = *s->pc++;
2773	    char *r;
2774
2775	    if (c == 6 || c == 7)
2776		r = "";
2777	    else if (c & 2) {
2778		buf[0] = (char) ((c >> 3) & 0xff);
2779		buf[1] = (char) ((c >> 11) & 0xff);
2780		buf[2] = (char) ((c >> 19) & 0xff);
2781		buf[3] = '\0';
(gdb) p c
$21 = 1701869940
(gdb) p c&2
$22 = 0
(gdb) step
2785	    r = s->strs + (c >> 2);
(gdb) p s->strs
$23 = 0x7ffff7ff240c "typeset"
(gdb) p c>>2
$24 = 425467485
(gdb) p c
$25 = 1701869940
(gdb) list
2780		buf[2] = (char) ((c >> 19) & 0xff);
2781		buf[3] = '\0';
2782		r = dupstring(buf);
2783		dup = EC_NODUP;
2784	    } else {
2785		r = s->strs + (c >> 2);
2786	    }
2787	    if (tokflag)
2788		*tokflag = (c & 1);
2789
(gdb) step
2787	    if (tokflag)
(gdb) p r
$26 = 0x8000115b4269

-- 
Mikael Magnusson
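Editor's note on reading the session above, with an added example that is not zsh code and not part of the original message. At the breakpoint, pc and strs are the same address (0x7ffff7ff240c), so the wordcode pointer has already run off the end of the compiled program and into its string table. The value 1701869940 is 0x65707974, which is the four bytes "type" of "typeset" read as a little-endian 32-bit word. The low byte 't' (0x74) has bit 1 clear, so ecgetstr takes the offset branch, and c >> 2 = 425467485 added to strs gives the pointer in $26, far outside the 52-byte program; that is the invalid read the report attributes to dupstring. The C below reproduces that decode with the same three branches as the listing, and adds a bounds-checked variant of the offset branch. Assumptions made here: wordcode is a 32-bit unsigned integer (consistent with the printed values), the `struct estate` is a cut-down stand-in for zsh's Estate, and its `strs_len` field is hypothetical (the real Eprog in $16 has a `len` field; whether it bounds the string table is a question for the zsh source, so this example carries its own length).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the ecgetstr() branches listed in the gdb session
 * (parse.c:2772-2786). Not zsh's code. Assumption: wordcode is a 32-bit
 * unsigned integer, consistent with the value 1701869940 in the transcript. */
typedef uint32_t wordcode;

enum kind { K_EMPTY, K_PACKED, K_OFFSET };

/* Same decision tree as the listing: 6 or 7 means the empty string, bit 1 set
 * means a string of up to three bytes packed into the word itself, anything
 * else is an offset (c >> 2) into the program's string table. */
enum kind classify(wordcode c, char buf[4], size_t *off)
{
    if (c == 6 || c == 7)
        return K_EMPTY;
    if (c & 2) {
        buf[0] = (char)((c >> 3) & 0xff);
        buf[1] = (char)((c >> 11) & 0xff);
        buf[2] = (char)((c >> 19) & 0xff);
        buf[3] = '\0';
        return K_PACKED;
    }
    *off = (size_t)(c >> 2);
    return K_OFFSET;
}

/* Cut-down stand-in for zsh's Estate: the current wordcode pointer, the
 * string table, and (hypothetical, not a zsh field) the table's length. */
struct estate {
    const wordcode *pc;
    const char     *strs;
    size_t          strs_len;
};

/* Bounds-checked version of the offset branch: returns NULL instead of
 * strs + offset when the offset lies outside the string table. */
const char *ecgetstr_checked(struct estate *s, char buf[4])
{
    size_t off = 0;
    wordcode c = *s->pc++;
    switch (classify(c, buf, &off)) {
    case K_EMPTY:  return "";
    case K_PACKED: return buf;
    default:
        if (off >= s->strs_len)
            return NULL;   /* the unchecked code would hand back a wild pointer */
        return s->strs + off;
    }
}

/* Assemble a little-endian 32-bit word from four bytes, so the example does
 * not depend on host byte order. */
wordcode word_from_bytes(const char *p)
{
    return (wordcode)(unsigned char)p[0]
         | (wordcode)(unsigned char)p[1] << 8
         | (wordcode)(unsigned char)p[2] << 16
         | (wordcode)(unsigned char)p[3] << 24;
}

/* Reproduce the state in the transcript: pc has reached the string table, so
 * the bytes "type" of "typeset" are consumed as a wordcode. Returns the offset
 * the unchecked branch would add to strs. (Constructed input.) */
size_t wild_offset_from_typeset(void)
{
    char buf[4];
    size_t off = 0;
    classify(word_from_bytes("typeset"), buf, &off);
    return off;
}

/* Returns 1 if the checked decoder rejects that word against the 8-byte
 * string table "typeset\0" (constructed), 0 otherwise. */
int checked_rejects_typeset_word(void)
{
    static const char strs[] = "typeset";
    wordcode prog[1] = { word_from_bytes(strs) };
    struct estate s = { prog, strs, sizeof strs };
    char buf[4];
    return ecgetstr_checked(&s, buf) == NULL;
}

int main(void)
{
    wordcode c = word_from_bytes("typeset");
    printf("\"type\" as a wordcode = %u, c & 2 = %u, offset = %zu\n",
           (unsigned)c, (unsigned)(c & 2), wild_offset_from_typeset());
    printf("checked decoder rejects it: %d\n", checked_rejects_typeset_word());
    return 0;
}
```

The check only turns the wild pointer into a reportable error; it does not explain why pc reached the string table in the first place, which is the parser-side question Oliver raised.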