zsh-workers
 help / Atom feed
From: Mikael Magnusson <mikachu@gmail.com>
To: Peter Stephenson <p.w.stephenson@ntlworld.com>
Cc: zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Fri, 17 May 2019 15:41:25 +0200
Message-ID: <CAHYJk3RSLsKXXWJW8zLvd2w7nFJxtXHNy26UJcYpgBY2NE_ZRA@mail.gmail.com> (raw)
In-Reply-To: <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>

On 5/16/19, Peter Stephenson <p.w.stephenson@ntlworld.com> wrote:
> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>> crash with true as the condition. A variety of things can be used in the
>> condition. while .. do .. done can be used in place of if .. then .. fi,
>> && or ||. The me > you part can be cut down to :. Try the following:
>>
>>   if [[ m -eq y ]]; then
>>     : && !
>>     :
>>   fi
>>
>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>> causing it to index well beyond the range of s->strs. I'd be inclined to
>> suspect the problem comes earlier when parsing this into wordcode.
>
> I'm starting to wonder if this is an allocation rather than a parsing
> problem --- the parsing is OK but something goes wrong with the final
> pointer / afterwards / in building or copying the word code, so
> that gettext2() or the exec code ends up trying to interpret garbage at
> the end.

FWIW I ran this under valgrind, and the first invalid read is the one
that causes the segfault, so no help there.

-- 
Mikael Magnusson

  reply index

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-10 15:03 David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21   ` Stephane Chazelas
2019-05-13 16:29     ` David Wells
2019-05-13 22:02       ` Bart Schaefer
2019-05-14 18:10       ` Stephane Chazelas
2019-05-14 21:24         ` Daniel Shahaf
2019-05-14 21:38           ` Bart Schaefer
2019-05-14 21:39         ` Daniel Shahaf
2019-05-14 22:25           ` Bart Schaefer
2019-05-15 10:48             ` Daniel Shahaf
2019-05-10 20:27 ` Bart Schaefer
2019-05-11  1:45   ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-13  9:01     ` Peter Stephenson
2019-05-13 21:11   ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44   ` Zsh - Multiple DoS Vulnerabilities Oliver Kiddle
2019-05-13 22:36   ` #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-14  0:13     ` Mikael Magnusson
2019-05-14  5:38       ` Bart Schaefer
2019-05-14 10:50     ` Peter Stephenson
2019-05-14 16:38   ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30   ` Oliver Kiddle
2019-05-15 16:50     ` Mikael Magnusson
2019-05-16 20:37     ` Peter Stephenson
2019-05-17 13:41       ` Mikael Magnusson [this message]
2019-05-17 13:51         ` Mikael Magnusson
2019-05-17 14:28           ` Mikael Magnusson
2019-05-18 10:31           ` Oliver Kiddle
2019-05-21 14:43             ` Oliver Kiddle
     [not found]               ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42                 ` Peter Stephenson

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHYJk3RSLsKXXWJW8zLvd2w7nFJxtXHNy26UJcYpgBY2NE_ZRA@mail.gmail.com \
    --to=mikachu@gmail.com \
    --cc=p.w.stephenson@ntlworld.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

zsh-workers

Archives are clonable: git clone --mirror http://inbox.vuxu.org/zsh-workers

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.zsh.workers


AGPL code for this site: git clone https://public-inbox.org/ public-inbox