Zsh Mailing List Archive
Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
- X-seq: zsh-workers 44294
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- Subject: Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
- Date: Tue, 14 May 2019 02:13:05 +0200
- Cc: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
- In-reply-to: <10142-1557786965.820774@PTYq.v5pM.vFPY>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> <10142-1557786965.820774@PTYq.v5pM.vFPY>
On 5/14/19, Oliver Kiddle <okiddle@xxxxxxxxxxx> wrote:
> On 10 May, Bart wrote:
>> > #3 Invalid read from *dupstring *in *string.c*
>> > POC folder: *03_dupstring_(string.c_39)*
>>
>> This gives exactly the same errors as #2, and then exits with
>>
>> [long ugly filename]:87: parse error near `}'
>
> I've cut this one down to just:
>
> typeset Q= {X}
>
> That reliably seg faults for me. But that's about as far as I've
> been able to get - I'm not especially familiar with zsh's parsing
> code.
Yeah, it looks like some stuff is not exactly going right here:
Breakpoint 2, taddassign (code=0, state=0x7fffffffcfc0, typeset=1) at text.c:187
187 char *s = ecgetstr(state, EC_NODUP, NULL);
(gdb) p *state
$11 = {prog = 0x7ffff7ff23a8, pc = 0x7ffff7ff240c, strs = 0x7ffff7ff240c "typeset"}
(gdb) step
ecgetstr (s=0x7fffffffcfc0, dup=0, tokflag=0x0) at parse.c:2772
2772 wordcode c = *s->pc++;
(gdb)
2775 if (c == 6 || c == 7)
(gdb)
2777 else if (c & 2) {
(gdb) p c
$12 = 1701869940
(gdb) p *s
$13 = {prog = 0x7ffff7ff23a8, pc = 0x7ffff7ff2410, strs = 0x7ffff7ff240c "typeset"}
(gdb) p *s->pc
$14 = 7628147
(gdb) p prog
No symbol "prog" in current context.
(gdb) p s->prog
$15 = (Eprog) 0x7ffff7ff23a8
(gdb) p *s->prog
$16 = {flags = 2, len = 52, npats = 0, nref = -1, pats = 0x7ffff7ff23e0, prog = 0x7ffff7ff23e0, strs = 0x7ffff7ff240c "typeset", shf = 0x0, dump = 0x0}
(gdb) p *s->prog->prog
$17 = 577
(gdb) p s->strs
$18 = 0x7ffff7ff240c "typeset"
(gdb) p s->strs+1
$19 = 0x7ffff7ff240d "ypeset"
(gdb) list
2772 wordcode c = *s->pc++;
2773 char *r;
2774
2775 if (c == 6 || c == 7)
2776 r = "";
2777 else if (c & 2) {
2778 buf[0] = (char) ((c >> 3) & 0xff);
2779 buf[1] = (char) ((c >> 11) & 0xff);
2780 buf[2] = (char) ((c >> 19) & 0xff);
2781 buf[3] = '\0';
(gdb) p c
$21 = 1701869940
(gdb) p c&2
$22 = 0
(gdb) step
2785 r = s->strs + (c >> 2);
(gdb) p s->strs
$23 = 0x7ffff7ff240c "typeset"
(gdb) p c>>2
$24 = 425467485
(gdb) p c
$25 = 1701869940
(gdb) list
2780 buf[2] = (char) ((c >> 19) & 0xff);
2781 buf[3] = '\0';
2782 r = dupstring(buf);
2783 dup = EC_NODUP;
2784 } else {
2785 r = s->strs + (c >> 2);
2786 }
2787 if (tokflag)
2788 *tokflag = (c & 1);
2789
(gdb) step
2787 if (tokflag)
(gdb) p r
$26 = 0x8000115b4269 <error: Cannot access memory at address 0x8000115b4269>
--
Mikael Magnusson
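As an added example (not zsh's own code and not from this thread), the decoding rule that ecgetstr() applies in the listing above, modelled in C: a wordcode either packs up to three characters inline (c & 2) or is an offset (c >> 2) into the string table. The bounds check on the offset is something the real function does not have, added here to show how the out-of-range read would be caught; the string table "typeset" and the value 1701869940 come from the session, and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t wordcode;   /* zsh's wordcode is an unsigned int */

/* Decode one wordcode the way the listing does. Returns 0 and sets *out on
 * success, -1 if the offset would leave the string table (the case that
 * produced the unreadable pointer in $26). The bounds check is an addition. */
int decode_wordcode(wordcode c, const char *strs, size_t strs_len,
                    const char **out)
{
    static char buf[4];
    if (c == 6 || c == 7) {
        *out = "";
    } else if (c & 2) {
        /* short string packed into the wordcode itself */
        buf[0] = (char)((c >> 3) & 0xff);
        buf[1] = (char)((c >> 11) & 0xff);
        buf[2] = (char)((c >> 19) & 0xff);
        buf[3] = '\0';
        *out = buf;
    } else {
        size_t off = c >> 2;          /* offset into the string table */
        if (off >= strs_len)
            return -1;                /* s->strs + off is out of bounds */
        *out = strs + off;
    }
    return 0;
}

/* Show the wordcode gdb printed as the little-endian bytes it is made of. */
void wordcode_as_bytes(wordcode c, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((c >> (8 * i)) & 0xff);
    out[4] = '\0';
}

int main(void)
{
    const char strs[] = "typeset";    /* string table from the session */
    const char *r;
    char bytes[5];
    wordcode_as_bytes(1701869940u, bytes);
    /* prints "type": pc had run into the string table, not into wordcodes */
    printf("c as bytes: \"%s\"\n", bytes);
    printf("offset %u accepted: %s\n", 1701869940u >> 2,
           decode_wordcode(1701869940u, strs, sizeof strs, &r) == 0 ? "yes" : "no");
    return 0;
}
```

Reading c as bytes shows that pc was pointing at the string table rather than at wordcodes, which is why c >> 2 becomes a huge offset and r lands on unmapped memory.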