oss-sec mailing list archives
Read out-of-bounds parsing bash code in GNU Bash 4.3
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Fri, 5 Aug 2016 13:57:28 -0300
Hi,

We recently found an out-of-bounds read while parsing bash code in GNU Bash 4.3. I tested this issue in Ubuntu 14.04.3 (x86_64), but other configurations could be affected.

To reproduce:

1. Recompile bash with ASAN:

   $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g -ggdb" LDFLAGS="-fsanitize=address"
   $ make

   (using valgrind will *not* expose this issue)

2. Execute:

   $ echo 5RzxHp0o0qmZ | base64 -d | ./bash -n
   ==27143== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000b8b4 at pc 0x5614be bp 0x7fffffffcad0 sp 0x7fffffffcac8
   READ of size 4 at 0x60040000b8b4 thread T0
   ...

Using gdb we can obtain a clear backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o el directorio.
(gdb) bt
#0  0x00007ffff468fcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d704 in __asan_report_load4 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000005614be in ansic_wshouldquote (string=0x60040000b8d0 "ҩ\231") at strtrans.c:317
#8  0x000000000056152d in ansic_shouldquote (string=0x60040000b8d0 "ҩ\231") at strtrans.c:344
#9  0x0000000000440192 in report_syntax_error (message=0x0) at /usr/src/local/bash/bash-4.3-patched/parse.y:5763
#10 0x000000000043f7ed in yyerror (msg=0x5bb440 "syntax error") at /usr/src/local/bash/bash-4.3-patched/parse.y:5637
#11 0x000000000042cecd in yyparse () at y.tab.c:3417
#12 0x0000000000423440 in parse_command () at eval.c:238
#13 0x0000000000423547 in read_command () at eval.c:282
#14 0x00000000004231aa in reader_loop () at eval.c:145
#15 0x000000000041f03c in main (argc=3, argv=0x7fffffffdfa8, env=0x7fffffffdfc8) at shell.c:755

This issue was found using QuickFuzz. Please assign a CVE if suitable.

Regards,
Gustavo.
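Added example (not part of Gustavo's report and not bash's own ansic_wshouldquote): the defensive shape of a "does this token need quoting?" scan, which takes an explicit byte length and bounds every mbrtowc call by the bytes remaining, so a token with no NUL terminator, an invalid sequence or a sequence truncated at the end of the buffer is reported as needing quoting rather than read past. The 9-byte input is the base64-decoded reproducer from the report (decoded by hand here); the locale name "C.UTF-8" is an assumption and the results below hold even if that locale is unavailable.

```c
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Bounds-aware "should this token be quoted?" check.
   Unlike a scan that trusts a NUL terminator, this one never lets
   mbrtowc examine more than the len - i bytes that actually remain.
   Returns 1 if the token needs quoting, 0 if it is plain printable text. */
int bounded_wshouldquote(const char *s, size_t len)
{
    mbstate_t st;
    memset(&st, 0, sizeof st);
    size_t i = 0;
    while (i < len) {
        wchar_t wc;
        size_t n = mbrtowc(&wc, s + i, len - i, &st);
        if (n == (size_t)-1)
            return 1;          /* invalid multibyte sequence: quote, stop reading */
        if (n == (size_t)-2)
            return 1;          /* sequence cut off by end of buffer: quote, stop reading */
        if (n == 0)
            return 1;          /* embedded NUL: treat as needing quoting */
        if (!iswprint((wint_t)wc))
            return 1;          /* control or otherwise unprintable character */
        i += n;
    }
    return 0;
}

/* The 9 bytes that `echo 5RzxHp0o0qmZ | base64 -d` yields (constructed by decoding). */
static const unsigned char REPRO[] = { 0xE5,0x1C,0xF1,0x1E,0x9D,0x28,0xD2,0xA9,0x99 };

/* Constructed buffer with no terminator: only the first 3 bytes belong to the token. */
static const char PARTIAL[] = { 'a', 'b', 'c', (char)0xE5 };

/* Scans the reproducer; 0xE5 followed by 0x1C is invalid UTF-8 and 0x1C is a
   control byte, so the answer is 1 under a UTF-8 locale and under "C" alike. */
int run_demo(void)
{
    setlocale(LC_CTYPE, "C.UTF-8");   /* assumed locale name; failure leaves "C" */
    return bounded_wshouldquote((const char *)REPRO, sizeof REPRO);
}

int main(void)
{
    printf("reproducer needs quoting: %d\n", run_demo());
    printf("3-byte token without NUL: %d\n", bounded_wshouldquote(PARTIAL, 3));
    return 0;
}
```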