From: Johenan Li
To: zsh-workers@zsh.org
Subject: Discovery of 3 Bugs in Zsh
Date: Sat, 22 Apr 2023 17:44:35 +0000
X-Seq: 51668

Dear zsh-workers@zsh.org team,

I am a user of zsh and recently I have discovered three bugs in the software. The first bug is related to a buffer overflow, the second one involves gdb traceback information (the type of bug is unclear), and the third one was identified through asan reports of a memory leak.

I am providing my compilation options and related information to help you better understand these issues. I have also attached the files that reproduce these bugs.

Machine and OS: Ubuntu 20.04.1 x86-64
Compilation flags: "./configure --enable-zsh-debug CC=afl-cc CXX=afl-c++" with ASan and UBSan instrumentation.

The bugs can be replicated by running the following commands:
1. zsh < bug_4
2. zsh < bug_7
3. The memory leak can be triggered by running zsh and then immediately exiting.

bug_4
[Detaching after fork from child process 16485]
zsh: command not found: reboot
=================================================================
==16469==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555a916f32df at pc 0x555a909ad412 bp 0x7fff064b7f30 sp 0x7fff064b7f28
READ of size 1 at 0x555a916f32df thread T0
[Detaching after fork from child process 16486]
    #0 0x555a909ad411 in getjobtext /src/zsh/Src/text.c:338:9
    #1 0x555a907ab2f3 in execpline2 /src/zsh/Src/exec.c:1995:6
    #2 0x555a9078903e in execpline /src/zsh/Src/exec.c:1728:5
    #3 0x555a90785d97 in execlist /src/zsh/Src/exec.c:1482:7
    #4 0x555a90783ddf in execode /src/zsh/Src/exec.c:1263:5
    #5 0x555a90824335 in loop /src/zsh/Src/init.c:212:6
    #6 0x555a908339f1 in zsh_main /src/zsh/Src/init.c:1928:6
    #7 0x7f274b581d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #8 0x7f274b581e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #9 0x555a90646a84 in _start (/src/zsh/Src/zsh+0xe5a84) (BuildId: c199c076f6fac1efdb3142a08f2ffe511ebca5a0)

0x555a916f32df is located 1 bytes to the left of global variable 'jbuf' defined in 'text.c:317:17' (0x555a916f32e0) of size 80
0x555a916f32df is located 30 bytes to the right of global variable 'tjob' defined in 'text.c' (0x555a916f32c0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow /src/zsh/Src/text.c:338:9 in getjobtext
Shadow bytes around the buggy address:
  0x0aabd22d6600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aabd22d6610: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0aabd22d6620: f9 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
  0x0aabd22d6630: 04 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
  0x0aabd22d6640: 04 f9 f9 f9 01 f9 f9 f9 04 f9 f9 f9 00 f9 f9 f9
=>0x0aabd22d6650: 00 f9 f9 f9 00 f9 f9 f9 01 f9 f9[f9]00 00 00 00
  0x0aabd22d6660: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0aabd22d6670: 00 f9 f9 f9 00 f9 f9 f9 04 f9 f9 f9 00 02 f9 f9
  0x0aabd22d6680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aabd22d6690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aabd22d66a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16469==ABORTING
[Inferior 1 (process 16469) exited with code 01]

bug_17
Reading symbols from zsh...
(gdb) r < /src/fuzzResult/zsh_crashes/crashes/bug_17
Starting program: /src/zsh/Src/zsh < /src/fuzzResult/zsh_crashes/crashes/bug_17
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 16468]
zsh: no such file or directory: 1dI\M-^^

Program received signal SIGILL, Illegal instruction.
0x00005593ef6e5401 in addfd (forked=<optimized out>, save=<optimized out>, mfds=<optimized out>, fd1=<optimized out>, fd2=<optimized out>, rflag=<optimized out>, varid=<optimized out>) at exec.c:2462
2462               mfds[fd1]->pipe = pipes[1 - rflag];
(gdb) bt
#0  0x00005593ef6e5401 in addfd (forked=<optimized out>, save=<optimized out>, mfds=<optimized out>, fd1=<optimized out>, fd2=<optimized out>,
    rflag=<optimized out>, varid=<optimized out>) at exec.c:2462
#1  0x00005593ef6d9831 in execcmd_exec (state=<optimized out>, eparams=<optimized out>, input=<optimized out>, output=<optimized out>,
    how=<optimized out>, last1=2, close_if_forked=<optimized out>) at exec.c:3897
#2  0x00005593ef6d13b9 in execpline2 (state=<optimized out>, pcode=<optimized out>, how=<optimized out>, input=<optimized out>, output=<optimized out>,
    last1=<optimized out>) at exec.c:2003
#3  0x00005593ef6af03f in execpline (state=0x7ffd09cfc540, slcode=<optimized out>, how=18, last1=-272253408) at exec.c:1728
#4  0x00005593ef6abd98 in execlist (state=<optimized out>, dont_change_job=<optimized out>, exiting=0) at exec.c:1482
#5  0x00005593ef6a9de0 in execode (p=<optimized out>, dont_change_job=<optimized out>, exiting=<optimized out>, context=<optimized out>) at exec.c:1263
#6  0x00005593ef74a336 in loop (toplevel=<optimized out>, justonce=<optimized out>) at init.c:212
#7  0x00005593ef7599f2 in zsh_main (argc=<optimized out>, argv=<optimized out>) at init.c:1928
#8  0x00007ff227c98d90 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x00007ff227c98e40 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00005593ef56ca85 in _start ()

exit command
=================================================================
==27287==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x55a248dac8ce in __interceptor_malloc (/usr/local/bin/zsh+0x1688ce) (BuildId: c199c076f6fac1efdb3142a08f2ffe511ebca5a0)
    #1 0x55a248f6c517 in zalloc /src/zsh/Src/mem.c:966:26
    #2 0x55a248f6b97f in pushheap /src/zsh/Src/mem.c:304:19
    #3 0x55a248f067c3 in loop /src/zsh/Src/init.c:113:5
    #4 0x55a248f169f1 in zsh_main /src/zsh/Src/init.c:1928:6
    #5 0x7f0d29ea1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).

I would appreciate it if you could allocate appropriate CVE numbers for these issues and get back to me as soon as possible.

Thank you for your attention to this matter.

Sincerely,
MiniPython

[Attachment: bug_4_17.zip (application/x-zip-compressed, 713 bytes)]
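Sanitizer reports like the two quoted above arrive by the hundred from a fuzzing campaign, and the first triage step on the maintainer's side is to bucket them by root cause rather than by PID or ASLR-dependent address. The following is an added example (not code from this report or from zsh): a Python helper that parses the ASan and LSan report format shown above and derives a deduplication key from the first in-project frame; the project root `/src/zsh/` and the idea of skipping the `zalloc` allocator wrapper are assumptions taken from the paths and function names in the report.

```python
"""Triage helper for sanitizer reports like the two quoted in this message (added example,
not zsh code): parse the ERROR line, access/location lines and stack frames of an ASan or
LSan report and derive a dedup key from error kind plus first in-project frame."""
import re
from dataclasses import dataclass, field
from typing import Optional
ERROR_RE = re.compile(r"^==(\d+)==ERROR: (\w+Sanitizer): ([\w -]+?)(?: on address (0x[0-9a-f]+).*)?$")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
LOCATED_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes? to the (left|right) of global variable '(\w+)'")
LEAK_RE = re.compile(r"^Direct leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in (\S+)\s+)?(\S+)")

@dataclass
class Frame:
    index: int
    func: Optional[str]   # None when the frame was symbolized only as module+offset
    path: str             # source file, or "(module+offset)" for unsymbolized frames
    line: Optional[int]

@dataclass
class Report:
    pid: int
    sanitizer: str
    kind: str
    address: Optional[str] = None
    access: Optional[tuple] = None    # (READ|WRITE, size in bytes)
    located: Optional[tuple] = None   # (distance, left|right, global variable name)
    leaked: Optional[tuple] = None    # (bytes, objects) for LeakSanitizer reports
    frames: list = field(default_factory=list)
def parse_report(text: str) -> Optional[Report]:
    """Parse the first sanitizer report found in text; None if there is none."""
    report = None
    for line in text.splitlines():
        if report is None:
            if m := ERROR_RE.match(line):
                report = Report(int(m[1]), m[2], m[3], m[4])
            continue
        if m := ACCESS_RE.match(line):
            report.access = (m[1], int(m[2]))
        elif m := LOCATED_RE.match(line):
            if report.located is None:   # ASan prints both neighbours; the first is the nearest
                report.located = (int(m[1]), m[2], m[3])
        elif m := LEAK_RE.match(line):
            report.leaked = (int(m[1]), int(m[2]))
        elif m := FRAME_RE.match(line):
            parts = m[3].split(":")   # "file.c:338:9" -> file, line; "(lib+off)" has no colon
            lineno = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            report.frames.append(Frame(int(m[1]), m[2], parts[0], lineno))
        elif line.startswith("SUMMARY:"):
            break
    return report
def dedup_key(report: Report, project_root: str, skip_funcs=frozenset()) -> str:
    """Sanitizer, error kind and first project frame; sanitizer interceptors and any
    allocator wrappers named in skip_funcs are passed over to reach the real call site."""
    for f in report.frames:
        if f.func is None or f.func.startswith("__interceptor_") or f.func in skip_funcs:
            continue
        if f.path.startswith(project_root):
            return f"{report.sanitizer}:{report.kind}:{f.func}:{f.path.rsplit('/', 1)[-1]}:{f.line}"
    return f"{report.sanitizer}:{report.kind}:<no project frame>"
# Sample input: lines copied from the two reports quoted in this message (frames abridged).
BUG_4_REPORT = """\
==16469==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555a916f32df at pc 0x555a909ad412 bp 0x7fff064b7f30 sp 0x7fff064b7f28
READ of size 1 at 0x555a916f32df thread T0
    #0 0x555a909ad411 in getjobtext /src/zsh/Src/text.c:338:9
    #7 0x7f274b581d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
0x555a916f32df is located 1 bytes to the left of global variable 'jbuf' defined in 'text.c:317:17' (0x555a916f32e0) of size 80
0x555a916f32df is located 30 bytes to the right of global variable 'tjob' defined in 'text.c' (0x555a916f32c0) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow /src/zsh/Src/text.c:338:9 in getjobtext
"""
LEAK_REPORT = """\
==27287==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x55a248dac8ce in __interceptor_malloc (/usr/local/bin/zsh+0x1688ce) (BuildId: c199c076f6fac1efdb3142a08f2ffe511ebca5a0)
    #1 0x55a248f6c517 in zalloc /src/zsh/Src/mem.c:966:26
    #2 0x55a248f6b97f in pushheap /src/zsh/Src/mem.c:304:19
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
"""
```

Running `dedup_key(parse_report(open(p).read()), "/src/zsh/", {"zalloc"})` over a directory of crash logs groups bug_4-style reports under `getjobtext:text.c:338` and the leak under `pushheap:mem.c:304`, independent of the PID and addresses that change between runs.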