Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities

X-seq: zsh-workers 44313
From: Mikael Magnusson <mikachu@xxxxxxxxx>
To: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Fri, 17 May 2019 15:41:25 +0200
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4iLG5cZpAAfxA9vkln4nUprdqiVvEa531QRYPUJBMLo=; b=VAzNCAHCcsg2Yjvc6x/hIm7VZKJPFLibLrMKEvGCKiYvdBQl67Lxl2FwBBK4icsAMV gR7TgaiXD6CrE3ujh9L4f97siuDKEk1tmT3IL9E2S6aWQC6eUsGR6j78m7rfPxmSg+vK QiOXmhR2pz5lLnXZ9znjJmmmQ43SNzkk7Hjse+iqFk6F3lO7sL5o6MNKzUh5jmuq5/bx 0nA2Qex5ON45E0yOjdpFr1eK8EX7GlIxyGLPQYfvCN/8g+IJlBpompNEQ4iYia1Ya9Rg cgmHHzm8lBVtgr4LQSU/CXVxRu6ig0joOIPwL1XRg200idFyiuGufISg9scbyI/W/t/F vu5w==
In-reply-to: <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> <21436-1557865831.121649@2P7I.HAU9.QsaG> <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>

On 5/16/19, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx> wrote:
> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>> crash with true as the condition. A variety of things can be used in the
>> condition. while .. do .. done can be used in place of if .. then .. fi,
>> && or ||. The me > you part can be cut down to :. Try the following:
>>
>>   if [[ m -eq y ]]; then
>>     : && !
>>     :
>>   fi
>>
>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>> causing it to index well beyond the range of s->strs. I'd be inclined to
>> suspect the problem comes earlier when parsing this into wordcode.
>
> I'm starting to wonder if this is an allocation rather than a parsing
> problem --- the parsing is OK but something goes wrong with the final
> pointer / afterwards / in building or copying the word code, so
> that gettext2() or the exec code ends up trying to interpret garbage at
> the end.

FWIW I ran this under valgrind, and the first invalid read is the one
that causes the segfault, so no help there.

-- 
Mikael Magnusson

Follow-Ups:
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Mikael Magnusson

References:
- Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Bart Schaefer
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Oliver Kiddle
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author