Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Buffer overflow with long fd numbers in redirects

X-seq: zsh-workers 33365
From: Mikael Magnusson <mikachu@xxxxxxxxx>
To: zsh workers <zsh-workers@xxxxxxx>
Subject: Buffer overflow with long fd numbers in redirects
Date: Mon, 6 Oct 2014 16:00:44 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=EhEnzuBbc6+IErGlr3X2c8YOYqJrd8tkn9hWa4z/rfI=; b=JBG/87V+miogDsXtQJjzAZufzwOJsfMrx8ohxQuzDbSPFWGfL3kwy+DL6TGfj6vW31 NGNAzEuv/KS1G2HSnSi/Tpkp28JfwjAHJwhIqpuwcMOeQ1lktPa7m5F6AWGi24gvnExJ FPu+9xj2Dk+JqSRakDcU+wOZ+Zmo1hc0ejs1ExFtqrYpT2u7ooOZeuxsUcNdIWs4UAAb 8MSIVP25fY+LHuTif/d8uLJPWDAilDZyzVbbNgD89g7FdDMpwpVw4dafzWiG+erQrEpI rQm0eCATDVhvEjkNNyGU0ydyCaeFs37nIYp0FS/fVVhtyVwV96a+KY8Xql1IwNAxHSQx l5AQ==
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm

Someone reported this on IRC the other day,
% >&333333333333333333333
zsh: number truncated after 20 digits: 333333333333333333333
*** buffer overflow detected ***: zsh terminated

At least one place where this is mishandled is in exec.c around line 3215,
        if (fil == -1) {
            char fdstr[4];

            closemnodes(mfds);
            fixfds(save);
            if (fn->fd2 != -2)
                sprintf(fdstr, "%d", fn->fd2);
            if (errno)
            zwarn("%s: %e", fn->fd2 == -2 ? "coprocess" : fdstr,
                  errno);
            execerr();
        }

Obviously anything over 999 will not fit in fdstr[]. I just checked
and it appears we do not use snprintf anywhere, is this for any
particular reason? The patch below just changes the array to [64], it
should be some time before any system uses a 256-bit type for fds. If
you guys have another preference for solving this, let me know. Note
however that just adding a check if (fn->fd2 != -2 && fn->fd2 < 1000
&& fn->fd2 > -100) is not sufficient since the zwarn attempts to use
fdstr for printing the error. (This is what I did first).

Output with the patch,
% >&333333333333333333333
zsh: number truncated after 20 digits: 333333333333333333333
zsh: 553997653: bad file descriptor

Arguably fdstr could be 21 because of that truncation but it would be
easy to miss if we lift that restriction at some point.

diff --git i/Src/exec.c w/Src/exec.c
index 499606f..906b6ca 100644
--- i/Src/exec.c
+++ w/Src/exec.c
@@ -3210,7 +3210,7 @@ execcmd()
                    fil = movefd(dup(fd));
                }
                if (fil == -1) {
-                   char fdstr[4];
+                   char fdstr[64];

                    closemnodes(mfds);
                    fixfds(save);


-- 
Mikael Magnusson

Follow-Ups:
- Re: Buffer overflow with long fd numbers in redirects
  - From: Axel Beckert
- Re: Buffer overflow with long fd numbers in redirects
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author