* Zsh parser segmentation fault on taddstr
@ 2017-05-07 16:45 Eduardo Bustamante
From: Eduardo Bustamante @ 2017-05-07 16:45 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo A. Bustamante López
(please keep me CC'ed, since I'm not subscribed)
Hi all, the following file crashes Zsh when run with noexec:
dualbus@mksh-parser-4pxg:~$ cat -A cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)M-^?^@^@<<^EM-^?^I^F|&^D\
dualbus@mksh-parser-4pxg:~$ xxd cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
00000000: 6966 2028 6129 ff00 003c 3c05 ff09 067c if (a)...<<....|
00000010: 2604 5c &.\
(gdb) r -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
Starting program: /home/dualbus/zsh/Src/zsh -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)�<<� |&\
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000055555560480c in taddstr (s=0x800006cb54c4 <error: Cannot access memory at address 0x800006cb54c4>) at text.c:148
#2 0x000055555560698b in gettext2 (state=0x7fffffffdd60) at text.c:949
#3 0x0000555555604f43 in getjobtext (prog=0x7ffff7ff13f8, c=0x7ffff7ff143c) at text.c:337
#4 0x000055555558c394 in execpline2 (state=0x7fffffffe260, pcode=131, how=18, input=0, output=0, last1=0) at exec.c:1865
#5 0x000055555558b08a in execpline (state=0x7fffffffe260, slcode=32770, how=18, last1=0) at exec.c:1602
#6 0x000055555558a39e in execlist (state=0x7fffffffe260, dont_change_job=0, exiting=0) at exec.c:1360
#7 0x0000555555589a44 in execode (p=0x7ffff7ff13f8, dont_change_job=0, exiting=0, context=0x55555561a27f "toplevel") at exec.c:1141
#8 0x00005555555aeb6b in loop (toplevel=1, justonce=0) at init.c:208
#9 0x00005555555b29bb in zsh_main (argc=3, argv=0x7fffffffe558) at init.c:1692
#10 0x000055555556a320 in main (argc=3, argv=0x7fffffffe558) at ./main.c:93
Bug found by fuzzing `zsh -nv @@' with AFL.
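A triage helper for a directory of AFL findings like the one reported above, written for this page as an illustration (it is not code from the thread or from the zsh project): it re-runs every crash file under `zsh -n`, labels the outcome by exit status or signal, and groups inputs by md5 so duplicate inputs collapse. The AFL file-name pattern is the one shown in the report; the shell binary path and crash directory are assumed to be given on the command line.

```python
import hashlib
import re
import signal
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

# AFL's crash-file naming as in the report above, e.g.
# "id:000392,sig:11,src:016511+011323,op:splice,rep:2"; "sig" is the signal AFL observed (11 = SIGSEGV).
AFL_NAME = re.compile(r"id:(?P<id>\d+),sig:(?P<sig>\d+),src:(?P<src>[\d+]+),op:(?P<op>[^,]+)(?:,rep:(?P<rep>\d+))?")

def parse_afl_name(name):
    """Return the AFL metadata fields of a crash file name, or None if it is not AFL-style."""
    m = AFL_NAME.search(name)
    if not m:
        return None
    d = m.groupdict()
    return {"id": int(d["id"]), "sig": int(d["sig"]), "src": d["src"],
            "op": d["op"], "rep": int(d["rep"]) if d["rep"] else None}

def classify_returncode(rc):
    """Label a subprocess return code: 'ok', 'exit:N', or the signal name (e.g. SIGSEGV)."""
    if rc == 0:
        return "ok"
    if rc < 0:  # subprocess reports death by signal as a negative return code
        return signal.Signals(-rc).name
    return "exit:%d" % rc

def rerun_crash(shell, path, timeout=5.0):
    """Re-run one saved input as `shell -n FILE` (parse only, nothing is executed)."""
    try:
        proc = subprocess.run([shell, "-n", str(path)], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_returncode(proc.returncode)

def triage(shell, crash_dir):
    """Group AFL crash files by outcome; each entry is (md5 of the input bytes, file name)."""
    groups = defaultdict(list)
    for path in sorted(Path(crash_dir).iterdir()):
        if parse_afl_name(path.name) is None:
            continue
        digest = hashlib.md5(path.read_bytes()).hexdigest()
        groups[rerun_crash(shell, path)].append((digest, path.name))
    return dict(groups)

if __name__ == "__main__":  # usage: triage.py /path/to/zsh crash_dir
    for outcome, items in triage(sys.argv[1], sys.argv[2]).items():
        print("%s: %d input(s), %d distinct by md5" % (outcome, len(items), len({d for d, _ in items})))
```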
* Re: Zsh parser segmentation fault on taddstr
From: Peter Stephenson @ 2017-05-07 20:36 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo Bustamante
On Sun, 7 May 2017 11:45:57 -0500
Eduardo Bustamante <dualbus@gmail.com> wrote:
> Hi all, the following file crashes Zsh when run with noexec:
>
> dualbus@mksh-parser-4pxg:~$ cat -A cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
> if (a)M-^?^@^@<<^EM-^?^I^F|&^D\
>
> dualbus@mksh-parser-4pxg:~$ xxd cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
> 00000000: 6966 2028 6129 ff00 003c 3c05 ff09 067c if (a)...<<....|
> 00000010: 2604 5c &.\
I haven't got an actual crash, but I am getting some undefined behaviour
which could do anything so is probably down to the same cause. I can
get the same behaviour here:
% fn() { cat <<y |& cat
FOO
y
}
% which fn
text.c:995: unknown word code in gettext2()
fn () {
time <<y | cat
}
The message is only present with debug enabled.
That's a completely valid function --- I'm guessing it's to do with some
interaction between the here-document and the |&, since | works OK, but
that's as far as I've got.
pws
* Re: Zsh parser segmentation fault on taddstr
From: Eduardo Bustamante @ 2017-05-08 1:59 UTC (permalink / raw)
To: Peter Stephenson; +Cc: zsh-workers
On Sun, May 7, 2017 at 3:36 PM, Peter Stephenson
<p.w.stephenson@ntlworld.com> wrote:
[...]
> I haven't got an actual crash, but I am getting some undefined behaviour
> which could do anything so is probably down to the same cause. I can
> get the same behaviour here:
FWIW, I built Zsh this way:
CC=clang CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure
zsh configuration
-----------------
zsh version : 5.3.1-dev-0
host operating system : x86_64-unknown-linux-gnu
source code location : .
compiler : clang
preprocessor flags :
executable compiler flags : -O0 -ggdb
module compiler flags : -O0 -ggdb -fPIC
executable linker flags : -rdynamic
module linker flags : -shared
library flags : -ldl -ltinfo -lrt -lm -lc
installation basename : zsh
binary install path : /usr/local/bin
man page install path : /usr/local/share/man
info install path : /usr/local/share/info
functions install path : /usr/local/share/zsh/5.3.1-dev-0/functions
See config.modules for installed modules and functions.
dualbus@debian:~/src/zsh/zsh$ md5sum crash
c6abfc1333f1b544789e8578d54e1b60 crash
dualbus@debian:~/src/zsh/zsh$ base64 crash
aWYgKGEp/wAAPDwF/wkGfCYEXA==
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nv crash
if (a)�<<� |&\Segmentation fault
* Re: Zsh parser segmentation fault on taddstr
From: Peter Stephenson @ 2017-05-08 9:37 UTC (permalink / raw)
To: Peter Stephenson, zsh-workers; +Cc: Eduardo Bustamante
On Sun, 7 May 2017 21:36:31 +0100
Peter Stephenson <p.w.stephenson@ntlworld.com> wrote:
> % fn() { cat <<y |& cat
> FOO
> y
> }
> % which fn
> text.c:995: unknown word code in gettext2()
> fn () {
> time <<y | cat
> }
This fixes the missing flag that was causing that problem.
pws
diff --git a/Src/parse.c b/Src/parse.c
index 6fe283d..83e87af 100644
--- a/Src/parse.c
+++ b/Src/parse.c
@@ -2143,7 +2143,7 @@ par_redir(int *rp, char *idstring)
* the definition of WC_REDIR_WORDS. */
ecispace(r, ncodes);
*rp = r + ncodes;
- ecbuf[r] = WCB_REDIR(type);
+ ecbuf[r] = WCB_REDIR(type | REDIR_FROM_HEREDOC_MASK);
ecbuf[r + 1] = fd1;
/*
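Review bot: the mask is OR'd into the stored redirection code unconditionally at `ecbuf[r] = WCB_REDIR(type | REDIR_FROM_HEREDOC_MASK);`, so this is only right if par_redir() reaches this store solely for here-document redirections; if any other redirection type can take this path, the OR needs to be guarded on the heredoc types. Either way, a one-line comment above the store saying that the flag is what gettext2() needs (its absence produced the `unknown word code in gettext2()` message quoted above) would save the next reader from re-deriving it.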
diff --git a/Test/A04redirect.ztst b/Test/A04redirect.ztst
index d7fe22f..a5de552 100644
--- a/Test/A04redirect.ztst
+++ b/Test/A04redirect.ztst
@@ -586,3 +586,18 @@
>x
>bar
>y
+
+ fn-here-pipe() {
+ cat <<-HERE |& cat
+ FOO
+ HERE
+ }
+ fn-here-pipe
+ which fn-here-pipe
+0:Combination of HERE-document and |&
+>FOO
+>fn-here-pipe () {
+> cat <<HERE 2>&1 | cat
+>FOO
+>HERE
+>}
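Review bot: the new test covers the here-document plus `|&` combination from the interactive reproducer, but not the original report, which was a fuzzer-generated file run under `zsh -nv` (noexec) and crashed in taddstr() via getjobtext(); a second case that runs a heredoc `|&` snippet with `-n` would pin down that path too, and the commit message should state whether the reported SIGSEGV is fixed by this same change. Note also that the input uses `cat <<-HERE` while the expected text has `cat <<HERE 2>&1 | cat`, so the test is implicitly asserting that the textual form drops the `-`; if that is intended, the description line could say so rather than leaving it as a silent expectation.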
* Re: Zsh parser segmentation fault on taddstr
From: Eduardo Bustamante @ 2017-05-08 13:51 UTC (permalink / raw)
To: Peter Stephenson; +Cc: Peter Stephenson, zsh-workers
On Mon, May 8, 2017 at 4:37 AM, Peter Stephenson
<p.stephenson@samsung.com> wrote:
[...]
> This fixes the missing flag that was causing that problem.
Thanks!