Zsh Mailing List Archive
Zsh parser segmentation fault on taddstr
- X-seq: zsh-workers 41052
- From: Eduardo Bustamante <dualbus@xxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Zsh parser segmentation fault on taddstr
- Date: Sun, 7 May 2017 11:45:57 -0500
- Cc: Eduardo A. Bustamante López <dualbus@xxxxxxxxx>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
(please keep me CC'ed, since I'm not subscribed)
Hi all, the following file crashes Zsh when run with noexec:
dualbus@mksh-parser-4pxg:~$ cat -A cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)M-^?^@^@<<^EM-^?^I^F|&^D\
dualbus@mksh-parser-4pxg:~$ xxd cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
00000000: 6966 2028 6129 ff00 003c 3c05 ff09 067c if (a)...<<....|
00000010: 2604 5c &.\
(gdb) r -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
Starting program: /home/dualbus/zsh/Src/zsh -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)�<<� |&\
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000055555560480c in taddstr (s=0x800006cb54c4 <error: Cannot access memory at address 0x800006cb54c4>) at text.c:148
#2 0x000055555560698b in gettext2 (state=0x7fffffffdd60) at text.c:949
#3 0x0000555555604f43 in getjobtext (prog=0x7ffff7ff13f8, c=0x7ffff7ff143c) at text.c:337
#4 0x000055555558c394 in execpline2 (state=0x7fffffffe260, pcode=131, how=18, input=0, output=0, last1=0) at exec.c:1865
#5 0x000055555558b08a in execpline (state=0x7fffffffe260, slcode=32770, how=18, last1=0) at exec.c:1602
#6 0x000055555558a39e in execlist (state=0x7fffffffe260, dont_change_job=0, exiting=0) at exec.c:1360
#7 0x0000555555589a44 in execode (p=0x7ffff7ff13f8, dont_change_job=0, exiting=0, context=0x55555561a27f "toplevel") at exec.c:1141
#8 0x00005555555aeb6b in loop (toplevel=1, justonce=0) at init.c:208
#9 0x00005555555b29bb in zsh_main (argc=3, argv=0x7fffffffe558) at init.c:1692
#10 0x000055555556a320 in main (argc=3, argv=0x7fffffffe558) at ./main.c:93
Bug found by fuzzing `zsh -nv @@' with AFL.
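Added example, not part of the report or of zsh itself: a small Python helper that rebuilds the 19-byte AFL test case from the xxd dump quoted above and renders it in `cat -A` notation, so the two views in the report can be cross-checked before the crash is reproduced under `zsh -n` (parse-only mode) to confirm a fix. It assumes the standard `xxd` line layout (9-character offset, a space, a 39-character hex field, then the ASCII column).

```python
# Constructed copy of the xxd dump quoted in the report (19 bytes, no newline).
XXD_DUMP = (
    "00000000: 6966 2028 6129 ff00 003c 3c05 ff09 067c  if (a)...<<....|\n"
    "00000010: 2604 5c                                  &.\\\n"
)


def parse_xxd(dump: str) -> bytes:
    """Rebuild raw bytes from default `xxd` output (assumed layout: 9-char
    offset, one space, 39-char hex field, then the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_field = line[10:49]          # fixed width, so ASCII text never leaks in
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def cat_a(data: bytes) -> str:
    """Render bytes in `cat -A` (-vET) notation: ^X for control bytes, ^? for DEL,
    an M- prefix for bytes with the high bit set, ^I for TAB, $ before each newline."""
    out = []
    for b in data:
        if b == 0x0A:                    # -E: mark end of line, keep the newline
            out.append("$\n")
            continue
        prefix = ""
        if b >= 0x80:                    # -v: meta bytes get an M- prefix
            prefix, b = "M-", b - 0x80
        if b < 0x20:                     # control byte -> caret notation (TAB -> ^I)
            out.append(prefix + "^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


def crash_input() -> bytes:
    """The 19-byte AFL test case from the report, rebuilt from its hex dump."""
    return parse_xxd(XXD_DUMP)


if __name__ == "__main__":
    data = crash_input()
    print(len(data), "bytes:", cat_a(data))   # 19 bytes: if (a)M-^?^@^@<<^EM-^?^I^F|&^D\
    # Write the test case out so the parse-only crash can be reproduced: zsh -n zsh_parser_crash.bin
    with open("zsh_parser_crash.bin", "wb") as f:
        f.write(data)
```

The rendered string must match the `cat -A` line in the report exactly; a mismatch means the hex dump was mis-transcribed and the file on disk is not the case AFL found.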