Re: Buffer overflow with long fd numbers in redirects
- X-seq: zsh-workers 33368
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: zsh workers <zsh-workers@xxxxxxx>
- Subject: Re: Buffer overflow with long fd numbers in redirects
- Date: Mon, 6 Oct 2014 16:55:44 +0200
- In-reply-to: <20141006142434.GC5405@sym.noone.org>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAHYJk3QeCiKGuohbduaFa9cct48oL4c2+weEQKsWpr91EM_YkQ@mail.gmail.com> <20141006142434.GC5405@sym.noone.org>
On 6 October 2014 16:24, Axel Beckert <abe@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
>> Someone reported this on IRC the other day,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> *** buffer overflow detected ***: zsh terminated
>>
>> At least one place where this is mishandled is in exec.c around line 3215,
>
> I can reproduce this in 5.0.6.
>
> But I can't reproduce this in 4.3.17 as in Debian Wheezy. There it
> looks exactly like this:
>
>> Output with the patch,
>> % >&333333333333333333333
>> zsh: number truncated after 20 digits: 333333333333333333333
>> zsh: 553997653: bad file descriptor
>
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → echo $ZSH_VERSION
> 4.3.17
> !518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
> ~ → >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> zsh: 553997653: bad file descriptor
> !519 Z8 ?1 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:50
> ~ →
You'll only see this error if zsh was compiled with buffer overflow
checking enabled (or against a glibc that has it enabled, not 100%
sure on the implementation details); probably it wasn't for the older
package. Overflowing the buffer doesn't write on any unallocated
memory so it won't segfault (fdstr is the last variable on the stack).
--
Mikael Magnusson
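An added illustration in C (not zsh's code, and not the patch discussed in this thread) of the unsafe pattern behind the report beside a hardened form: an fd number parsed without a range check and printed into a fixed buffer, versus one that rejects digit strings that wrap the integer or would not fit the buffer. The buffer size FDSTR_LEN and the function names are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed size of a fixed stack buffer holding the fd number as text,
 * standing in for the fdstr the message refers to (not zsh's real size). */
#define FDSTR_LEN 8

/* Unsafe pattern: a number with no range check, printed into a fixed
 * buffer with no length bound. More than FDSTR_LEN-1 digits write past
 * fdstr; a glibc built with FORTIFY_SOURCE catches the overrun in its
 * checked sprintf and aborts with "*** buffer overflow detected ***",
 * the message in the report. Kept for contrast only, never called. */
void unsafe_format_fd(char fdstr[FDSTR_LEN], long fd)
{
    sprintf(fdstr, "%ld", fd);
}

/* Hardened form: parse with overflow detection, keep the value inside the
 * int range a file descriptor can have, and format with snprintf, refusing
 * (rather than truncating) anything that would not fit.
 * Returns the fd number, or -1 if the text is not an acceptable fd. */
int parse_fd_number(const char *s)
{
    char fdstr[FDSTR_LEN];
    char *end;
    long v;
    int n;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')                 /* empty or trailing garbage */
        return -1;
    if (errno == ERANGE || v < 0 || v > INT_MAX)  /* wrapped or outside fd range */
        return -1;
    n = snprintf(fdstr, sizeof fdstr, "%ld", v);
    if (n < 0 || (size_t)n >= sizeof fdstr)       /* would not fit in fdstr */
        return -1;
    return (int)v;
}

int main(void)
{
    const char *inputs[] = { "3", "1234567", "12345678", "333333333333333333333" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %d\n", inputs[i], parse_fd_number(inputs[i]));
    return 0;
}
```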