Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh parser buffer overflow - xsymlink

X-seq: zsh-workers 41081
From: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: Zsh parser buffer overflow - xsymlink
Date: Tue, 09 May 2017 17:01:15 +0100
Cc: Eduardo Bustamante <dualbus@xxxxxxxxx>
Cms-type: 201P
In-reply-to: <CAOSMAuvX2gSv5JqLjPYgWGWmwSPtWvsP0wPhYzkEZsGS8aX=uw@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Organization: Samsung Cambridge Solution Centre
References: <CGME20170509150713epcas2p44208e6e20c198797cd2d39b88ef70942@epcas2p4.samsung.com> <CAOSMAuvX2gSv5JqLjPYgWGWmwSPtWvsP0wPhYzkEZsGS8aX=uw@mail.gmail.com>

On Tue, 9 May 2017 10:05:38 -0500
Eduardo Bustamante <dualbus@xxxxxxxxx> wrote:
> The following seems to cause some sort of recursive expansion:
> 
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v xsymlinks
> ${(r0$0)}
> $_:P

It's exceeding a fixed buffer length without checking.

The test is a bit brittle --- it assumes PATH_MAX isn't much longer than
the usual value.  It could be cleverer about checking.

By the way, I'm leaving the couple of crashes I haven't looked at for
others.

pws

diff --git a/Src/utils.c b/Src/utils.c
index ea4b34b..5eb936b 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
     char **pp, **opp;
     char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
     int t0, ret = 0;
-    zulong xbuflen = strlen(xbuf);
+    zulong xbuflen = strlen(xbuf), pplen;
 
     opp = pp = slashsplit(s);
     for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
 	    xbuflen--;
 	    continue;
 	}
-	sprintf(xbuf2, "%s/%s", xbuf, *pp);
+	/* Includes null byte. */
+	pplen = strlen(*pp) + 1;
+	if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+	    *xbuf = 0;
+	    ret = -1;
+	    break;
+	}
+	memcpy(xbuf2, xbuf, xbuflen);
+	xbuf2[xbuflen] = '/';
+	memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
 	if (t0 == -1) {
-	    zulong pplen = strlen(*pp) + 1;
 	    if ((xbuflen += pplen) < sizeof(xbuf)) {
 		strcat(xbuf, "/");
 		strcat(xbuf, *pp);
diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst
index 413381f..0ff6968 100644
--- a/Test/D02glob.ztst
+++ b/Test/D02glob.ztst
@@ -687,6 +687,14 @@
 0:modifier ':P' resolves symlinks before '..' components
 *>*glob.tmp/hello/world
 
+ # This is a bit brittle as it depends on PATH_MAX.
+ # We could use sysconf..
+ bad_pwd="/${(l:16000:: :):-}"
+ print ${bad_pwd:P}
+0:modifier ':P' with path too long
+?(eval):2: path expansion failed, using root directory
+>/
+
  foo=a
  value="ac"
  print ${value//[${foo}b-z]/x}

References:
- Zsh parser buffer overflow - xsymlink
  - From: Eduardo Bustamante

Messages sorted by: Reverse Date, Date, Thread, Author