From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eduardo Bustamante
Date: Tue, 9 May 2017 10:05:38 -0500
Subject: Zsh parser buffer overflow - xsymlink
To: zsh-workers@zsh.org
Cc: Eduardo A. Bustamante López
List-Id: Zsh Workers List
X-Seq: 41080

The following seems to cause some sort of recursive expansion:

dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
${(r0$0)}
$_:P
dualbus@debian:~/bash-fuzzing/zsh-parser$ md5sum xsymlinks
22377c2c7d97ac88633232eb8df12a6e  xsymlinks
dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 xsymlinks
JHsocjAkMCl9CiRfOlA=
dualbus@debian:~/bash-fuzzing/zsh-parser$ zsh -n xsymlinks
*** buffer overflow detected ***: zsh terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f0b7e9d0bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f0b7ea59037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7f0b7ea57170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6729)[0x7f0b7ea56729]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7f0b7e9d4bdc]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ebb)[0x7f0b7e9a8bbb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7f0b7ea567bc]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f0b7ea5670d]
zsh(+0x96be9)[0x56306ea28be9]
zsh(xsymlink+0x1d)[0x56306ea2a6ed]
zsh(modify+0xa1f)[0x56306ea1b86f]
zsh(+0x8b9cb)[0x56306ea1d9cb]
zsh(prefork+0xc1)[0x56306ea21ea1]
zsh(+0x3117a)[0x56306e9c317a]
zsh(+0x33e02)[0x56306e9c5e02]
zsh(+0x3420c)[0x56306e9c620c]
zsh(execlist+0x724)[0x56306e9c7b74]
zsh(execode+0x99)[0x56306e9c7fd9]
zsh(loop+0x349)[0x56306e9dc099]
zsh(zsh_main+0x4f6)[0x56306e9df826]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f0b7e9802b1]
zsh(_start+0x2a)[0x56306e9a933a]
======= Memory map: ========
Aborted (core dumped)

Attachment: xsymlinks (application/octet-stream, base64): JHsocjAkMCl9CiRfOlA=
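A regression check built from this report, added here and not part of the original mail: it rebuilds the attached reproducer from the base64 in the message, verifies it against the md5sum the report prints, and, when a zsh binary is installed, runs it under `zsh -n` the way the report did and classifies the outcome (fortify abort, clean parse, hang, other). Only the base64 string and the hash come from the report; the function names, the temporary-file handling and the 10-second timeout are my own assumptions.

```shell
#!/bin/sh
# Regression check for the xsymlink overflow reported above (zsh-workers 41080).
# Only REPORT_B64 and REPORT_MD5 come from the report; the rest is constructed here.
REPORT_B64='JHsocjAkMCl9CiRfOlA='                # attachment from the report
REPORT_MD5='22377c2c7d97ac88633232eb8df12a6e'    # md5sum printed in the report

# Decode the attachment into the file named by $1.
write_reproducer() {
    printf '%s' "$REPORT_B64" | base64 -d > "$1"
}

# Print the MD5 of the rebuilt file; compare it with REPORT_MD5 before trusting any result.
reproducer_md5() {
    f=$(mktemp) || return 1
    write_reproducer "$f"
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$f" | cut -d' ' -f1
    else
        md5 -q "$f"                              # BSD/macOS fallback
    fi
    rm -f "$f"
}

# Feed the reproducer to `zsh -n` as the report did and classify the result:
# not-installed, crash (fortify abort), clean, timeout, or other:<rc>.
check_zsh_xsymlink() {
    command -v zsh >/dev/null 2>&1 || { echo not-installed; return 0; }
    f=$(mktemp) || return 1
    write_reproducer "$f"
    run=zsh
    command -v timeout >/dev/null 2>&1 && run="timeout 10 zsh"   # guard against a hang
    if err=$($run -n "$f" 2>&1 >/dev/null); then rc=0; else rc=$?; fi
    rm -f "$f"
    case "$rc" in
        0)   echo clean ;;
        124) echo timeout ;;
        134) echo crash ;;
        *)   case "$err" in
                 *"buffer overflow detected"*) echo crash ;;
                 *) echo "other:$rc" ;;
             esac ;;
    esac
    return 0
}

# Stand-alone run: confirm the rebuilt file matches the report, then test the local zsh.
[ "$(reproducer_md5)" = "$REPORT_MD5" ] && echo "reproducer md5 OK" || echo "reproducer md5 MISMATCH"
echo "zsh -n result: $(check_zsh_xsymlink)"
```

A result of `crash` on a current build means the fix for this report is missing from that binary; `clean` is the expected outcome on a patched zsh.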