[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Buffer overflow in bash's readline
|
From: |
Chet Ramey |
|
Subject: |
Re: Buffer overflow in bash's readline |
|
Date: |
Tue, 27 Sep 2022 11:12:51 -0400 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.3.0 |
On 9/23/22 3:24 PM, srobertson@peratonlabs.com wrote:
Bash Version: 5.1
Patch Level: 8
Release Status: release
Description:
Repeatable buffer overflow core-dump in bash's readline
due to rl_forced_update_display trying to zeroize a
string that is not NUL terminated.
Repeat-By:
Create a small window with a new 2x1 bash inside of it.
Resize that window. Type a command. Get a memory error.
Full annotated debugging session showing the
target, smoke, gun, and bullet included below.
Fix:
There may be a second bug which prevents the buffer from being
NUL terminated in the first place, but I urge you to apply
this patch no matter what, since the code as written is very
dangerous without the bounds check.
The bug report was also submitted to the libreadline people
since it still appears to show up there.
--- display.c.orig 2022-09-23 12:23:36.282214239 -0400
+++ display.c 2022-09-23 12:28:17.028118101 -0400
@@ -2644,11 +2644,13 @@
rl_forced_update_display (void)
{
register char *temp;
+ register int templen;
if (visible_line)
{
temp = visible_line;
- while (*temp)
+ templen = vis_lbsize;
+ while (*temp && templen--)
*temp++ = '\0';
}
rl_on_new_line ();
Thanks for the report. This patch isn't the right way to do it; vis_lbsize
is the size of a different buffer (which happens to be the same size, but
still).
It's easier and probably faster to use
memset (visible_line, 0, line_size);
instead of the loop. See if that works for you.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/