bug-bash

null ptr deref + segfault bash 4.4.0(1)-beta


From: Brian Carpenter
Subject: null ptr deref + segfault bash 4.4.0(1)-beta
Date: Sat, 19 Sep 2015 15:02:00 -0500

I found another script that triggers a null ptr deref and then segfaults bash 4.4.0(1)-beta.

hexdump -C -v test25
00000000  5f 3d 20 5f 5f 5f 5f 5f  5f 5f 5f 5f 5f 5f 5f 3d  |_= ____________=|
00000010  24 7b 5f 5b 30 5d 7d 20  5f 3d 24 7b 5f 5f 5f 5f  |${_[0]} _=${____|
00000020  5f 5f 5f 5f 5f 5f 5f 5f  2f 2a 7d                 |________/*}|
0000002b

Starting program: /home/geeknik/bash/bash test25

Program received signal SIGSEGV, Segmentation fault.
__strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy.S:94
94 ../sysdeps/x86_64/multiarch/strcpy.S: No such file or directory.
(gdb) bt
#0  __strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy.S:94
#1  0x0000000000590d64 in pat_subst () at /usr/include/x86_64-linux-gnu/bits/string3.h:105
#2  0x000000000059af39 in parameter_brace_expand () at subst.c:7339
#3  0x00000000005a1eec in param_expand () at subst.c:8384
#4  0x00000000005a94a7 in expand_word_internal () at subst.c:8936
#5  0x00000000005b2b94 in expand_string_assignment () at subst.c:3348
#6  0x00000000005b4585 in do_assignment_internal () at subst.c:3139
#7  0x00000000005c8712 in expand_word_list_internal () at subst.c:2956
#8  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#9  0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#10 0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#11 0x00000000004317e0 in reader_loop ()
#12 0x0000000000429bdb in main () at shell.c:767

==15522== Invalid read of size 1
==15522==    at 0x4C29BD7: strcpy (vg_replace_strmem.c:467)
==15522==    by 0x590D63: strcpy (string3.h:105)
==15522==    by 0x590D63: pat_subst (subst.c:7113)
==15522==    by 0x59AF38: parameter_brace_patsub (subst.c:7339)
==15522==    by 0x59AF38: parameter_brace_expand (subst.c:7959)
==15522==    by 0x5A1EEB: param_expand (subst.c:8384)
==15522==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==15522==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==15522==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==15522==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==15522==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==15522==    by 0x5C8711: do_word_assignment (subst.c:2956)
==15522==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==15522==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==15522==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==15522==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==15522==    by 0x4317DF: reader_loop (eval.c:163)
==15522==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==15522== 
==15522== 
==15522== Process terminating with default action of signal 11 (SIGSEGV)
==15522==  Access not within mapped region at address 0x0
==15522==    at 0x4C29BD7: strcpy (vg_replace_strmem.c:467)
==15522==    by 0x590D63: strcpy (string3.h:105)
==15522==    by 0x590D63: pat_subst (subst.c:7113)
==15522==    by 0x59AF38: parameter_brace_patsub (subst.c:7339)
==15522==    by 0x59AF38: parameter_brace_expand (subst.c:7959)
==15522==    by 0x5A1EEB: param_expand (subst.c:8384)
==15522==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==15522==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==15522==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==15522==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==15522==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==15522==    by 0x5C8711: do_word_assignment (subst.c:2956)
==15522==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==15522==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==15522==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==15522==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==15522==    by 0x4317DF: reader_loop (eval.c:163)
==15522==  If you believe this happened as a result of a stack
==15522==  overflow in your program's main thread (unlikely but
==15522==  possible), you can try to increase the size of the
==15522==  main thread stack using the --main-stacksize= flag.
==15522==  The main thread stack size used in this run was 8388608.
Segmentation fault

Regards,

Brian 'geeknik' Carpenter

Attachment: test25
Description: Binary data
