Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

#7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities)

X-seq: zsh-workers 44284
From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
To: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
Subject: #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities)
Date: Sat, 11 May 2019 03:45:25 +0200
Authentication-results: amavisd4.gkg.net (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.co.uk
Cc: David Wells <bughunters@xxxxxxxxxxx>, "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s2048; t=1557539129; bh=esU0JNibng8G3CzOjc3KCReZv3Pzm3W8U63D+YQC8Wg=; h=From:References:To:Subject:Date:From:Subject; b=e2G8vNhFxVf3qUrEXBgWF05igEv98C9Suqa5q2P+jSbz+voT0DXiKgFrBAm1AtANXkec7Ef5n4egpcDS1Yg+c8xcR7ghcRQFRaD5GSY6Ps/C3i+dNvzGjuUhwEkNFjggQVaLMWmIfIz2ftysBCBmBly2kC3V+krf2zbtM8ZZPiRfe11FDX639f29+ro69G5UrzTdJ+Ydl6q5FyIzBbmgZpU17aD7ywAlu3XrvztJFOQlF9lrcregGjk9N8S1NizHb2um1aowWWYZAKfzyXcifJYqpbAMUm/DDlfnf8YuC0qM9azzv+V9Z5tSDBtM2BnLaVdsTg5dk/A5U7g+t6/2Sw==
In-reply-to: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>

Bart wrote:
> >     #7 Invalid read from *hasher *in *hashtable.c*
> >     POC folder: *07_hasher_(hashtable.c_85)*

> +2> typeset -priTt CeE e
>
> and then just goes away until killed.  Only that final typeset is
> necessary to reproduce the bug, the rest is irrelevant.

Actually all it needs is the combination of -T and -p along with
variables that aren't already tied.

With other relevant branches of bin_typeset() for things like
typeset -pi, we check for OPT_ISSET(ops, 'p') early and don't call
typeset_single(). (-m is an exception to this).

An alternative to the following patch would be to simply print an error.
This would just involve the -p test joining the -m test on the next
lines after the final bit of context. However, the behaviour as per this
patch is more consistent with other meaningless typeset combinations
like -pi and -pF.

I'm fairly certain that the second part of the patch renders the lines
removed in the first part as dead code but it'd be good if someone else
could check my logic which is as follows: Given -p, typeset_single() is
only now called when -m is set. usepm will always then be true because
with -m, pm will always be set and never with PM_UNSET. So we go into
the if (usepm) block on line 2193 which has early returns on every
branch.

Oliver

diff --git a/Src/builtin.c b/Src/builtin.c
index 49f017046..ca0ce35f5 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -2583,9 +2583,6 @@ typeset_single(char *cname, char *pname, Param pm, UNUSED(int func),
     }
     pm->node.flags |= (on & PM_READONLY);

-    if (OPT_ISSET(ops,'p'))
-	paramtab->printnode(&pm->node, PRINT_TYPESET);
-
     return pm;
 }

@@ -2714,7 +2711,7 @@ bin_typeset(char *name, char **argv, LinkList assigns, Options ops, int func)
 	(!isset(GLOBALEXPORT) && !OPT_ISSET(ops,'g')))
 	on |= PM_LOCAL;

-    if (on & PM_TIED) {
+    if ((on & PM_TIED) && !OPT_ISSET(ops, 'p')) {
 	Param apm;
 	struct asgment asg0, asg2;
 	char *oldval = NULL, *joinstr;

Follow-Ups:
- Re: #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities)
  - From: Peter Stephenson

References:
- Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Bart Schaefer

Messages sorted by: Reverse Date, Date, Thread, Author