Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44315
References: <21436-1557865831.121649@2P7I.HAU9.QsaG> <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>
From: Mikael Magnusson
Date: Fri, 17 May 2019 16:28:39 +0200
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: Peter Stephenson
Cc: zsh-workers@zsh.org

On 5/17/19, Mikael Magnusson wrote:
> On 5/17/19, Mikael Magnusson wrote:
>> On 5/16/19, Peter Stephenson wrote:
>>> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>>>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>>>> crash with true as the condition. A variety of things can be used in
>>>> the condition. while .. do .. done can be used in place of if .. then ..
>>>> fi, && or ||. The me > you part can be cut down to :. Try the following:
>>>>
>>>> if [[ m -eq y ]]; then
>>>> : && !
>>>> :
>>>> fi
>>>>
>>>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>>>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>>>> causing it to index well beyond the range of s->strs. I'd be inclined
>>>> to suspect the problem comes earlier when parsing this into wordcode.
>>>
>>> I'm starting to wonder if this is an allocation rather than a parsing
>>> problem --- the parsing is OK but something goes wrong with the final
>>> pointer / afterwards / in building or copying the word code, so
>>> that gettext2() or the exec code ends up trying to interpret garbage at
>>> the end.
>>
>> FWIW I ran this under valgrind, and the first invalid read is the one
>> that causes the segfault, so no help there.
>
> Played with gdb reverse debugging a bit and found that at one point
> before the crash, we have this somewhat incorrect string built up:
>
> (gdb) p tptr-48
> $28 = 0x6e7560 "if [[ m -eq y ]]; then; : && ! :; select G\305\305 in "

If I save the above code in a file named crash.zsh and run
zsh -fc 'source crash.zsh', then it will crash.
If I run zcompile on it, and then run the same command, I instead get
the infinite loop in text.c:

420	    if (stack) {
(gdb)
421		if (!(s = tstack))
(gdb)
423		if (s->pop) {
(gdb)
428		code = s->code;
(gdb)
429		stack = 0;
(gdb)
434	    switch (wc_code(code)) {
(gdb)
458		if (!s) {
(gdb)
468		if (!(stack = (WC_SUBLIST_TYPE(code) == WC_SUBLIST_END))) {
(gdb)
479	    if (stack < 1 && (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_SIMPLE))
(gdb)
481		break;
(gdb)
420	    if (stack) {

-- 
Mikael Magnusson
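The two runs Mikael describes (source the script, then zcompile it and source again) give a segfault on one platform, a hang on another, and a clean exit on a fixed zsh. The following harness is an added example, not code from this thread or from the zsh project: it writes that reproducer to a scratch directory, runs each step under a watchdog, and classifies the result as ok, hang, crash:sigN or exit:N so the three outcomes are recorded the same way. It is plain POSIX sh (no GNU timeout(1)); the function names, the 10-second budget, and the result labels are my own choices, and it assumes mktemp -d and, for the zsh part, a zsh on PATH. The classifier can be exercised without zsh by passing stand-in commands.

```sh
#!/bin/sh
# Added triage harness (not from the thread, not zsh's code).
# run_classified SECONDS CMD [ARGS...]  ->  prints ok | hang | crash:sig<N> | exit:<N>

ulimit -c 0 2>/dev/null || :     # no core files while triaging crashers

run_classified() {
    secs=$1; shift
    flag="${TMPDIR:-/tmp}/triage.$$.flag"   # marker: "the watchdog fired"
    rm -f "$flag"

    "$@" >/dev/null 2>&1 &
    pid=$!

    # Watchdog: after $secs, SIGTERM the target and leave the marker so that
    # the resulting 143 exit is reported as a hang, not as a crash. Its fds
    # go to /dev/null so an orphaned sleep cannot hold our stdout open.
    ( sleep "$secs"; kill -s TERM "$pid" 2>/dev/null && : > "$flag" ) >/dev/null 2>&1 &
    wd=$!

    st=0
    wait "$pid" || st=$?
    if [ "$st" -eq 143 ]; then
        # Probably our own kill: let the watchdog finish writing the marker.
        # (If something else sent the TERM this waits out the budget instead.)
        wait "$wd" 2>/dev/null || :
    else
        kill "$wd" 2>/dev/null || :
    fi

    if [ -e "$flag" ]; then
        rm -f "$flag"
        echo hang
    elif [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -gt 128 ]; then
        echo "crash:sig$((st - 128))"    # 139 -> sig11 (SIGSEGV), 134 -> sig6 (SIGABRT)
    else
        echo "exit:$st"
    fi
    return 0
}

# Reproducer from this thread, tried the two ways described in the message:
# plain source, then zcompile + source (zsh loads the newer .zwc for the same name).
triage_zsh_repro() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/crash.zsh" <<'EOF'
if [[ m -eq y ]]; then
: && !
:
fi
EOF
    printf 'source crash.zsh:            %s\n' \
        "$(run_classified 10 zsh -fc "source $dir/crash.zsh")"
    printf 'zcompile crash.zsh:          %s\n' \
        "$(run_classified 10 zsh -fc "zcompile $dir/crash.zsh")"
    printf 'zcompile + source crash.zsh: %s\n' \
        "$(run_classified 10 zsh -fc "source $dir/crash.zsh")"
    rm -rf "$dir"
}

if command -v zsh >/dev/null 2>&1; then
    triage_zsh_repro
else
    echo "zsh not on PATH; run_classified can still be exercised with stand-in commands"
fi
```

The exit status does the classification: a process killed by a signal comes back as 128+N, so a segfault is 139 and the watchdog's own SIGTERM is 143, which is why the marker file is needed to tell "hung until we killed it" from "died of SIGTERM on its own". On a fixed zsh all three lines should read ok; on an affected build the first reports crash:sig11 where the thread saw the segfault and the last reports hang where it saw the text.c loop.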