Basically, after doing a bunch of unset -f, I can crash Bash, version GNU
bash, version 4.3.42(1)-release (x86_64-apple-darwin15.0.0), which could
possibly be an attack vector. Here's the info from /var/log/system.log:

Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: ReceiveMessageAndFileDescriptor
Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: calling recvmsg...
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGHUP handler.
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Installing SIGCHLD handler.
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Unblocking SIGCHLD.
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Sending file descriptor and waiting on initial connection
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: send master fd and child pid 87966
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: All done. Waiting for client to disconnect or child to die.
Apr 21 15:45:00 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4, errno=n/a
Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: recvmsg returned 4
Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Got a fd
Apr 21 15:45:00 NikolayKolev-mac iTerm2[87962]: Return 4
Apr 21 15:45:00 NikolayKolev-mac login[87966]: USER_PROCESS: 87966 ttys000
Apr 21 15:45:07 NikolayKolev-mac -bash[87967]: -bash(87967,0x7fff79c34000) malloc: *** error for object 0x7: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Apr 21 15:45:07 NikolayKolev-mac diagnosticd[71728]: error evaluating process info - pid: 87967, punique: 187665
Apr 21 15:45:07 NikolayKolev-mac login[87966]: DEAD_PROCESS: 87966 ttys000
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned -1, error = Interrupted system call
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Calling select...
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned 1, error = Interrupted system call
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: select returned. child dead=2, connection closed=0
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Connection closed.
Apr 21 15:45:07 NikolayKolev-mac iTerm2-Server[87965]: Unlink /var/tmp/iTerm2.socket.87965
Apr 21 15:45:07 NikolayKolev-mac iTerm2[87962]: File descriptor server exited with status 0
Apr 21 15:45:07 NikolayKolev-mac ReportCrash[87670]: Saved crash report for bash[87967] version 0 to /Users/NikolayKolev/Library/Logs/DiagnosticReports/bash_2016-04-21-154507_NikolayKolev-mac.crash
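
A triage example for the excerpt above, added here and not part of the original post: it extracts libmalloc's invalid-free diagnostic from system.log text and pairs it with the ReportCrash entry for the same pid. The function name, the regexes and the 4 KiB non-pointer heuristic are assumptions of this example; the sample lines are taken from the excerpt and re-joined.

```python
import re

# Constructed sample: entries from the post's system.log excerpt, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Apr 21 15:45:00 NikolayKolev-mac login[87966]: USER_PROCESS: 87966 ttys000
Apr 21 15:45:07 NikolayKolev-mac -bash[87967]: -bash(87967,0x7fff79c34000) malloc: *** error for object 0x7: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Apr 21 15:45:07 NikolayKolev-mac login[87966]: DEAD_PROCESS: 87966 ttys000
Apr 21 15:45:07 NikolayKolev-mac ReportCrash[87670]: Saved crash report for bash[87967] version 0 to /Users/NikolayKolev/Library/Logs/DiagnosticReports/bash_2016-04-21-154507_NikolayKolev-mac.crash
"""

# libmalloc's invalid-free diagnostic as it appears in the excerpt.
MALLOC_ERR = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<proc>\S+)\[(?P<pid>\d+)\]: .*"
    r"malloc: \*\*\* error for object (?P<addr>0x[0-9a-fA-F]+): (?P<msg>.+)$")
# ReportCrash line naming the crash report written for a given pid.
CRASH = re.compile(
    r"ReportCrash\[\d+\]: Saved crash report for (?P<name>\S+)\[(?P<pid>\d+)\]"
    r" version \S+ to (?P<path>\S+)$")

def find_invalid_frees(log_text):
    """Return one dict per malloc error, with that pid's crash report if logged."""
    lines = log_text.splitlines()
    reports = {}
    for line in lines:
        m = CRASH.search(line)
        if m:
            reports[m["pid"]] = m["path"]
    findings = []
    for line in lines:
        m = MALLOC_ERR.match(line)
        if not m:
            continue
        addr = int(m["addr"], 16)
        findings.append({
            "time": m["ts"], "process": m["proc"], "pid": int(m["pid"]),
            "object": addr, "message": m["msg"],
            # Heuristic (assumption): a value inside the first 4 KiB page is
            # not a heap address, so free() was handed a non-pointer value.
            "non_pointer": addr < 0x1000,
            "crash_report": reports.get(m["pid"]),
        })
    return findings

if __name__ == "__main__":
    for finding in find_invalid_frees(SAMPLE_LOG):
        print(finding)
```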
