From: "Liu, Song" <songliu@psu.edu>
To: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Cc: "Hu, Hong" <honghu@psu.edu>
Subject: ZSH crashed when reading bytes from a large binary
Date: Sun, 11 Sep 2022 14:43:08 +0000	[thread overview]
Message-ID: <SN6PR02MB4575B046FAF910E0AACD5903B3459@SN6PR02MB4575.namprd02.prod.outlook.com> (raw)


Dear maintainers:

When ZSH reads bytes from a binary, ZSH will adjust the allocated memory according to the binary size. But if the binary size is large enough, ZSH will fail to reallocate memory.

The problem is that, when ZSH failed to reallocate memory, ZSH didn't check the return value of the `realloc` function and handle the error. This will make ZSH crash.

On line 6923 of `zsh/Src/builtin.c`, the correct code should look like the following:

``` c
char *nbuf = realloc(buf, bsiz * 2);   // keep buf (and bsiz) until the realloc succeeds
if (nbuf) {
    buf = nbuf;
    bsiz *= 2;
    // same as previous code
} else {
    // handle the realloc failure instead of crashing
}
```

Environment:

* Ubuntu 20.04.5 LTS x86_64
* Ubuntu clang version 10.0.1-++20211003084855+ef32c611aa21-1~exp1~20211003085243.2
* ZSH source code commit: eb738c793a6f9f293fc655c6aa87effc3dd9e44f (latest)

Steps to Reproduce:
``` shell
# clone and build zsh shell from source
git clone git@github.com:zsh-users/zsh.git
cd zsh
# compile ZSH with Address Sanitizer
CFLAGS=" -g -O0 " LDFLAGS=" -fsanitize=address " ../zsh/configure
make -j$(nproc)

# generate large binary.
dd if=/dev/zero of=large.bin iflag=fullblock bs=1M count=600

# trigger segmentation fault.
./Src/zsh -c "read byte < ./large.bin"                    # segmentation fault
```

ASAN log:

```
==883996==ERROR: AddressSanitizer: requested allocation size 0xffffffff80000000 (0xffffffff80001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7f3bfc697c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x55c82f1a6ad6 in bin_read /data/song/zsh-crash/zsh/Src/builtin.c:6923
    #2 0x55c82f18d8bb in execbuiltin /data/song/zsh-crash/zsh/Src/builtin.c:506
    #3 0x55c82f1b6dc1 in execcmd_exec /data/song/zsh-crash/zsh/Src/exec.c:4148
    #4 0x55c82f1b06c6 in execpline2 /data/song/zsh-crash/zsh/Src/exec.c:1960
    #5 0x55c82f1af35c in execpline /data/song/zsh-crash/zsh/Src/exec.c:1689
    #6 0x55c82f1ae671 in execlist /data/song/zsh-crash/zsh/Src/exec.c:1444
    #7 0x55c82f1adced in execode /data/song/zsh-crash/zsh/Src/exec.c:1221
    #8 0x55c82f1adbb1 in execstring /data/song/zsh-crash/zsh/Src/exec.c:1187
    #9 0x55c82f1d7432 in init_misc /data/song/zsh-crash/zsh/Src/init.c:1389
    #10 0x55c82f1d89b6 in zsh_main /data/song/zsh-crash/zsh/Src/init.c:1780
    #11 0x55c82f18c95c in main main.c:93
    #12 0x7f3bfc1f1082 in __libc_start_main ../csu/libc-start.c:308

==883996==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 in __interceptor_realloc
```

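The check the report asks for, as an added example in C rather than zsh's own code: a stand-in for the `read` buffer loop that doubles its buffer the way bin_read does, but passes every `realloc` through a temporary so the old block survives a failure, and stops growing at a caller-supplied cap `max_bytes` (an assumption; zsh has no such parameter). The cap also covers what the requested size in the ASan log points at, since 0xffffffff80000000 is INT_MIN sign-extended to 64 bits, i.e. a signed size that wrapped when doubled. The inputs, cap value and function names below are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not zsh's code: a stand-in for the bin_read buffer loop.
 * Copies `src` up to the first newline (or end of input), doubling the buffer
 * as zsh does, but every realloc is checked and growth stops at the assumed
 * cap `max_bytes`, so an oversized input yields NULL rather than a crash. */
char *read_line_checked(const unsigned char *src, size_t srclen,
                        size_t max_bytes, size_t *outlen)
{
    size_t bsiz = 64, len = 0;               /* start small and double, like bin_read */
    char *buf = malloc(bsiz);
    if (!buf) return NULL;
    for (size_t i = 0; i < srclen && src[i] != '\n'; i++) {
        if (len == bsiz) {
            /* Reported form `buf = realloc(buf, bsiz *= 2);` runs on with a NULL buf,
             * leaks the old block, and a signed bsiz wraps negative past INT_MAX. */
            if (bsiz > max_bytes / 2) { free(buf); return NULL; } /* cap hit */
            char *nbuf = realloc(buf, bsiz * 2);  /* keep buf until this succeeds */
            if (!nbuf) { free(buf); return NULL; }
            buf = nbuf;
            bsiz *= 2;
        }
        buf[len++] = (char)src[i];
    }
    *outlen = len;
    return buf;
}

/* Constructed 199 'a' bytes plus a newline: the buffer grows 64->128->256 and
 * the whole line comes back intact (returns 1 on success). */
int demo_growth_ok(void)
{
    unsigned char in[200];
    size_t n = 0;
    memset(in, 'a', 199);
    in[199] = '\n';
    char *line = read_line_checked(in, sizeof in, 4096, &n);
    int ok = line && n == 199 && line[0] == 'a' && line[198] == 'a';
    free(line);
    return ok;
}

/* Constructed 10 KiB of zero bytes with no newline, the shape of large.bin in
 * the report: with a 4 KiB cap the read is refused cleanly (returns 1 if refused). */
int demo_large_input_is_refused(void)
{
    static unsigned char zeros[10 * 1024];
    size_t n = 0;
    return read_line_checked(zeros, sizeof zeros, 4096, &n) == NULL;
}
```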

Thread overview: 5+ messages
2022-09-11 14:43 Liu, Song [this message]
2022-09-12  7:36 ` Jun T
2022-09-14 21:43   ` Bart Schaefer
2022-09-15 10:19     ` Jun T
2022-09-15 10:41       ` Peter Stephenson
