oss-sec mailing list archives

Re: Read out-of-bounds parsing bash code in GNU Bash 4.3

From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 8 Aug 2016 09:06:00 -0300

Another read out-of-bounds was found but in the token_is_assignment
function. Backtrace is here:

==15811== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60640001b6f0 at pc 0x438bb1 bp 0x7fffffffca00 sp 0x7fffffffc9f8
READ of size 1 at 0x60640001b6f0 thread T0
...
==15811== ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o
el directorio.
(gdb) bt
#0  0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d6a4 in __asan_report_load1 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x0000000000438bb1 in token_is_assignment (
    t=0x60640001a500
"a[\"${#a[@][@]}\"][\"${#a[@][@]}\"]=~a[\"${#a[@][@]}\"\"${#a[@]}\"]=~a[\"${#a[@]}\"]=~a[\"${#a[@][@]}\"][\"${#a[@][@]}\"]=~a[\"${#a[@][@]}\"\"${#a[@]}\"]=~a[\"${#a[@]}\"]=~a[\"${#a[@][@]}\"][\"${#a[@][@]}\"]=~a[\"${#a[@][@]}\""...,
i=4591)
    at /usr/src/local/bash/bash-4.3-patched/parse.y:4449
#8  0x000000000043ad9c in read_token_word (character=61) at
/usr/src/local/bash/bash-4.3-patched/parse.y:4753
#9  0x00000000004327ed in read_token (command=0) at
/usr/src/local/bash/bash-4.3-patched/parse.y:3217
#10 0x0000000000430a06 in yylex () at
/usr/src/local/bash/bash-4.3-patched/parse.y:2637
#11 0x0000000000423ba7 in yyparse () at y.tab.c:2020
#12 0x0000000000423440 in parse_command () at eval.c:238
#13 0x0000000000423547 in read_command () at eval.c:282
#14 0x00000000004231aa in reader_loop () at eval.c:145
#15 0x000000000041f03c in main (argc=2, argv=0x7fffffffdfe8,
env=0x7fffffffe000) at shell.c:755


A test case to reproduce this issue is attached (also parsing a bash
file as the previous one). Please assign a CVE if suitable.


Regards,
Gustavo.

2016-08-05 13:57 GMT-03:00 Gustavo Grieco <gustavo.grieco () gmail com>:

Hi,

We recently found a read out-of-bounds parsing bash code in GNU Bash
4.3. I tested this issue in Ubuntu 14.04.3 (x86_64) but other
configurations could be affected. To reproduce:

1. Recompile bash with ASAN:

  $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g
-ggdb"  LDFLAGS="-fsanitize=address"
  $ make

(using valgrind will *not* expose this issue)

2. Execute:

$ echo 5RzxHp0o0qmZ | base64 -d | ./bash -n

==27143== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60040000b8b4 at pc 0x5614be bp 0x7fffffffcad0 sp 0x7fffffffcac8
READ of size 4 at 0x60040000b8b4 thread T0
...

Using gdb we can obtain a clear backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o
el directorio.
(gdb) bt
#0  0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d704 in __asan_report_load4 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000005614be in ansic_wshouldquote (string=0x60040000b8d0
"ҩ\231") at strtrans.c:317
#8  0x000000000056152d in ansic_shouldquote (string=0x60040000b8d0
"ҩ\231") at strtrans.c:344
#9  0x0000000000440192 in report_syntax_error (message=0x0) at
/usr/src/local/bash/bash-4.3-patched/parse.y:5763
#10 0x000000000043f7ed in yyerror (msg=0x5bb440 "syntax error") at
/usr/src/local/bash/bash-4.3-patched/parse.y:5637
#11 0x000000000042cecd in yyparse () at y.tab.c:3417
#12 0x0000000000423440 in parse_command () at eval.c:238
#13 0x0000000000423547 in read_command () at eval.c:282
#14 0x00000000004231aa in reader_loop () at eval.c:145
#15 0x000000000041f03c in main (argc=3, argv=0x7fffffffdfa8,
env=0x7fffffffdfc8) at shell.c:755

This issue was found using QuickFuzz. Please assign a CVE if suitable.

Regards,
Gustavo.

Attachment: token_is_assignement.sh
Description:

Current thread:

Read out-of-bounds parsing bash code in GNU Bash 4.3 Gustavo Grieco (Aug 05)
- Re: Read out-of-bounds parsing bash code in GNU Bash 4.3 Gustavo Grieco (Aug 08)