Zsh Mailing List Archive
Re: 0day in zsh through history expression
- X-seq: zsh-workers 53820
- From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- To: Mikael Magnusson <mikachu@xxxxxxxxx>
- Cc: Pwn <ranasinanadil@xxxxxxxxx>, Zsh hackers list <zsh-workers@xxxxxxx>
- Subject: Re: 0day in zsh through history expression
- Date: Sat, 12 Jul 2025 19:34:22 -0700
- Archived-at: <https://zsh.org/workers/53820>
- In-reply-to: <CAH+w=7br16z73W4eGCDE9GfdwxcNStfWm=C0nid+UZanY_8qyw@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAP=2gBic4+8YJ7o4uXtaR8wmtHndGdp-AH_6RVbJpm7+Wb=eCw@mail.gmail.com> <CAHYJk3Rgh9vfp=r3ord6a86GvmXd6Ktzv3xhxnruo_wDOLFRnA@mail.gmail.com> <CAH+w=7br16z73W4eGCDE9GfdwxcNStfWm=C0nid+UZanY_8qyw@mail.gmail.com>
On Sat, Jul 12, 2025 at 1:36 PM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>
> This was reported to zsh-security a couple of hours earlier and I already sent a patch there
Given this has now been posted to zsh-workers, I'll repeat my patch below.
> On Sat, Jul 12, 2025, 12:53 PM Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
>>
>> On Sat, Jul 12, 2025 at 8:33 PM Pwn <ranasinanadil@xxxxxxxxx> wrote:
>> >
>> > POC is in this link: https://livepwn.github.io/ZshShock
>>
>> This seems to be mostly nonsense, maybe ai generated[1]?
The examples of the crash also use more than 11 digits despite the
"exactly 11" in the description. Any combination of digits that cause
an integer overflow can trigger the bug.
>> But the crash
>> does happen, this patch fixes it but I don't use history substitution
>> much,
>>
>> -getargs(Histent elist, int arg1, int arg2)
>> +getargs(Histent elist, unsigned int arg1, unsigned int arg2)
Changing the integer type of getargs() does fix the specific reported
crash but the erroneous code is called from other places as well, so
better to detect the bad integer and report error.
The following patch uses the same error message as is generated (by a
different part of the code) for a 10- or 12-digit number.
I'm not even sure the reported example is meant to be valid history
syntax? "!!" followed by a word designator isn't documented, and
doesn't seem to do anything except verify that the previous event has
at least that many words. The entire event is still repeated as far
as I can tell.
diff --git a/Src/hist.c b/Src/hist.c
index 00bdbb2b8..4e4a20e31 100644
--- a/Src/hist.c
+++ b/Src/hist.c
@@ -1800,6 +1800,11 @@ getargspec(int argc, int marg, int evset)
ret = 0;
while (idigit(c)) {
ret = ret * 10 + c - '0';
+ if (ret < 0) {
+ herrflush();
+ zerr("no such word in event");
+ return -2;
+ }
c = ingetc();
}
inungetc(c);
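Review bot: the `if (ret < 0)` test placed after `ret = ret * 10 + c - '0';` depends on signed integer overflow wrapping to a negative value, which is undefined behaviour in C; an optimising compiler is entitled to assume `ret` never becomes negative here and drop the check. Suggest bounding before the arithmetic instead, e.g. `if (ret > (INT_MAX - (c - '0')) / 10)` with `<limits.h>` included, then calling herrflush() and zerr() as the hunk already does. It would also be worth confirming in the same change that every caller of getargspec() treats the new `return -2` as an error rather than as a word index.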
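As an added example, not code from this thread or from zsh itself: a small C routine showing the overflow check a reviewer would want in getargspec()-style digit accumulation, bounding the value before the multiply instead of inspecting its sign afterwards, plus a word-designator check that reports the same "no such word in event" error whether the number overflowed or merely exceeds the event's word count. The function names, the PARSE_* status codes and the nwords argument are assumptions for illustration; the -2 return and the error message follow the patch in the message above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for this illustrative parser (assumed names, not zsh's API).
 * -2 mirrors the value the patch above returns for an unusable number. */
enum { PARSE_OK = 0, PARSE_NO_DIGITS = -1, PARSE_OVERFLOW = -2 };

/*
 * Accumulate decimal digits from s into *out without ever overflowing int.
 * Reads digits until the first non-digit; *consumed receives the number of
 * characters read. Returns PARSE_OK, PARSE_NO_DIGITS or PARSE_OVERFLOW.
 */
int parse_word_number(const char *s, int *out, size_t *consumed)
{
    int ret = 0;
    size_t i = 0;

    while (s[i] >= '0' && s[i] <= '9') {
        int d = s[i] - '0';
        /*
         * Bound check BEFORE the arithmetic: ret * 10 + d <= INT_MAX holds
         * exactly when ret <= (INT_MAX - d) / 10. Testing "ret < 0" after
         * the multiply relies on signed overflow, which is undefined in C
         * and may be optimised away by the compiler.
         */
        if (ret > (INT_MAX - d) / 10) {
            *consumed = i;
            return PARSE_OVERFLOW;
        }
        ret = ret * 10 + d;
        i++;
    }
    *consumed = i;
    if (i == 0)
        return PARSE_NO_DIGITS;
    *out = ret;
    return PARSE_OK;
}

/* Status only, for callers that do not need the value. */
int parse_status(const char *s)
{
    int v = 0;
    size_t n = 0;
    return parse_word_number(s, &v, &n);
}

/* Parsed value, or -1 when the input is not a representable number. */
int parse_value(const char *s)
{
    int v = 0;
    size_t n = 0;
    return parse_word_number(s, &v, &n) == PARSE_OK ? v : -1;
}

/*
 * Validate a word designator against the word count of the previous event
 * (nwords is a constructed input here, words being indexed from 0).
 * Returns 0 when word s exists; otherwise prints the patch's message and
 * returns -2, whether the number overflowed or is past the last word.
 */
int check_word_designator(const char *s, int nwords)
{
    int idx = 0;
    size_t n = 0;
    int st = parse_word_number(s, &idx, &n);
    if (st != PARSE_OK || idx >= nwords) {
        fprintf(stderr, "no such word in event\n");
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: an in-range designator, an 11-digit one like the
     * reported crash, and the values either side of INT_MAX. */
    const char *samples[] = { "3", "12345678901", "2147483647", "2147483648" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-12s status=%d value=%d\n", samples[k],
               parse_status(samples[k]), parse_value(samples[k]));
    return check_word_designator("3", 5) == 0 ? 0 : 1;
}
```

The bound `(INT_MAX - d) / 10` is the largest value of `ret` for which `ret * 10 + d` still fits, so the check rejects exactly the inputs that would have overflowed, with no reliance on wraparound and no change to the integer type used elsewhere in the code.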