Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities

X-seq: zsh-workers 44315
From: Mikael Magnusson <mikachu@xxxxxxxxx>
To: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Fri, 17 May 2019 16:28:39 +0200
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GW88wP55FtpVtz2DFvdJTkn03qztlJJnw3aHB5jIGrQ=; b=feDrppaLql3pTpiCEhe82CXzsHrnK0amXHmGiQmxY9puU1fm3q85goJt6eTtCJ30uF Vb3sgPeJZa/4fXiZXsUlnuE2DCW5i4H4OZ1wck9WEazJrih8Qxm2TaDEQ+Kovo8RZzJP 0HJC5fqPnljprXpXm3c/OnwXkikOQMdI/nB+qExLbt9jXMpJrxjWS3DT+Yv4KdDaL1H2 +6YudX0xB7/B6cun1AhVOnpL12WwHoUn0V4Km+1PeGJv/xIb2yiBCypnYWOyH21wi9eF EOzUil5rwKTXr3OrRF6IfhTHiRERGaKInGxW0eXnJMhaBMhg4+R4YtHKz7YEhZ8cyBcS 2o+w==
In-reply-to: <CAHYJk3SZquBSFVgjH3K3hnoiaGGPZDtoT8ejzHJxJHb8XBUXFA@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> <21436-1557865831.121649@2P7I.HAU9.QsaG> <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com> <CAHYJk3RSLsKXXWJW8zLvd2w7nFJxtXHNy26UJcYpgBY2NE_ZRA@mail.gmail.com> <CAHYJk3SZquBSFVgjH3K3hnoiaGGPZDtoT8ejzHJxJHb8XBUXFA@mail.gmail.com>

On 5/17/19, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
> On 5/17/19, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
>> On 5/16/19, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx> wrote:
>>> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>>>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>>>> crash with true as the condition. A variety of things can be used in
>>>> the
>>>> condition. while .. do .. done can be used in place of if .. then ..
>>>> fi,
>>>> && or ||. The me > you part can be cut down to :. Try the following:
>>>>
>>>>   if [[ m -eq y ]]; then
>>>>     : && !
>>>>     :
>>>>   fi
>>>>
>>>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>>>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>>>> causing it to index well beyond the range of s->strs. I'd be inclined
>>>> to
>>>> suspect the problem comes earlier when parsing this into wordcode.
>>>
>>> I'm starting to wonder if this is an allocation rather than a parsing
>>> problem --- the parsing is OK but something goes wrong with the final
>>> pointer / afterwards / in building or copying the word code, so
>>> that gettext2() or the exec code ends up trying to interpret garbage at
>>> the end.
>>
>> FWIW I ran this under valgrind, and the first invalid read is the one
>> that causes the segfault, so no help there.
>
> Played with gdb reverse debugging a bit and found that at one point
> before the crash, we have this somewhat incorrect string built up:
> (gdb) p tptr-48
> $28 = 0x6e7560 <jbuf> "if [[ m -eq y ]]; then; : && ! :; select G\305\305 in
> "

If I save the above code in a file, named crash.zsh and run zsh -fc
'source crash.zsh' then it will crash. If I run zcompile on it, and
then run the same command, I instead get the infinite loop in text.c:

420		if (stack) {
(gdb)
421		    if (!(s = tstack))
(gdb)
423		    if (s->pop) {
(gdb)
428		    code = s->code;
(gdb)
429		    stack = 0;
(gdb)
434		switch (wc_code(code)) {
(gdb)
458		    if (!s) {
(gdb)
468			if (!(stack = (WC_SUBLIST_TYPE(code) == WC_SUBLIST_END))) {
(gdb)
479		    if (stack < 1 && (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_SIMPLE))
(gdb)
481		    break;
(gdb)
420		if (stack) {


-- 
Mikael Magnusson

References:
- Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Bart Schaefer
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Oliver Kiddle
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Peter Stephenson
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Mikael Magnusson
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author