Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities



On 5/16/19, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx> wrote:
> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>> crash with true as the condition. A variety of things can be used in the
>> condition. while .. do .. done can be used in place of if .. then .. fi,
>> && or ||. The me > you part can be cut down to :. Try the following:
>>
>>   if [[ m -eq y ]]; then
>>     : && !
>>     :
>>   fi
>>
>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>> causing it to index well beyond the range of s->strs. I'd be inclined to
>> suspect the problem comes earlier when parsing this into wordcode.
>
> I'm starting to wonder if this is an allocation rather than a parsing
> problem --- the parsing is OK but something goes wrong with the final
> pointer / afterwards / in building or copying the word code, so
> that gettext2() or the exec code ends up trying to interpret garbage at
> the end.

FWIW I ran this under valgrind, and the first invalid read is the one
that causes the segfault, so no help there.

-- 
Mikael Magnusson
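The failure mode Oliver describes above, a wordcode word c whose (c >> 2) offset points well past the end of s->strs, is reproduced below in a small, self-contained model. This is an added illustration, not zsh's actual Eprog/ecgetstr() code: the strtab struct, getstr_unchecked(), getstr_checked(), mkstr() and the sample table are all hypothetical stand-ins that only mirror the `r = s->strs + (c >> 2)` pattern quoted in the thread, and the "echo\0hello" table is constructed sample data. The checked variant shows the bounds test a decoder would need before trusting an offset it read out of wordcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a wordcode string table. It is NOT
 * zsh's real Eprog; it only reproduces the access pattern quoted in the
 * thread: a wordcode word c selects a string at offset (c >> 2). */
typedef uint32_t wordcode;

typedef struct {
    const char *strs;      /* concatenated NUL-terminated strings */
    size_t      strs_len;  /* total bytes in strs, including final NUL */
} strtab;

/* Unchecked decode, mirroring r = s->strs + (c >> 2) from the thread.
 * If c is corrupt or "infeasibly large", the result is a wild pointer
 * past the table, which is the out-of-bounds read that segfaulted. */
static const char *getstr_unchecked(const strtab *s, wordcode c)
{
    return s->strs + (c >> 2);
}

/* Checked decode: NULL if the offset is outside the table, or if no NUL
 * terminator exists within the remaining bytes (so callers that walk the
 * string cannot run off the end either). */
static const char *getstr_checked(const strtab *s, wordcode c)
{
    size_t off = (size_t)(c >> 2);
    if (off >= s->strs_len)
        return NULL;
    /* memchr bounded by the bytes left in the table keeps the scan inside it */
    if (memchr(s->strs + off, '\0', s->strs_len - off) == NULL)
        return NULL;
    return s->strs + off;
}

/* Encode a string-table offset as a wordcode word (low two bits left
 * free, which is what the c >> 2 in the thread implies). Hypothetical. */
static wordcode mkstr(size_t off)
{
    return (wordcode)(off << 2);
}

/* Constructed sample table: "echo" at offset 0, "hello" at offset 5. */
static const char sample_strs[] = "echo\0hello";
static const strtab sample = { sample_strs, sizeof sample_strs };

/* 1 if getstr_checked() resolves c inside the sample table, else 0. */
static int offset_in_bounds(wordcode c)
{
    return getstr_checked(&sample, c) != NULL;
}

int main(void)
{
    wordcode good = mkstr(5);        /* refers to "hello" */
    wordcode bad  = 0xfffffff0u;     /* stand-in for a corrupt, huge c */

    printf("good -> %s\n", getstr_checked(&sample, good));
    printf("bad in bounds? %d\n", offset_in_bounds(bad));

    /* The unchecked form computes a pointer far beyond sample_strs; it is
     * deliberately not dereferenced here, only shown to exist. */
    const char *wild = getstr_unchecked(&sample, bad);
    printf("unchecked pointer is %s the table\n",
           (wild >= sample_strs && wild < sample_strs + sizeof sample_strs)
               ? "inside" : "outside");
    return 0;
}
```

The point of the checked variant is that the offset is validated against the table length before any dereference, and that the string is confirmed to terminate inside the table; a valgrind run of the unchecked path would report the invalid read only at the dereference, which is exactly why it gives no earlier hint about where the bad word came from.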
