mksh R50f was released with the fix, and it has been stewing in CVS HEAD
for a while.
** Information type changed from Private Security to Public Security
** Changed in: mksh
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1440685
Title:
mksh memory corruption / segmentation fault
Status in The MirBSD Korn Shell:
Fix Released
Bug description:
Tested on the newest version @ Ubuntu (46-2) and compiled from source
(mksh-R50e). Also tested on Android 5.0.1 with same results.
It seems to crash at exec.c:1415 in function iosetup(), at the line
if (e->savefd[iop->unit] == 0) {
By manipulating the value to the left of '>' (works the same with
'<'), we can set the values of EAX and EBP.
howl@overflow:~$ gdb -q /bin/mksh
Reading symbols from /bin/mksh...(no debugging symbols found)...done.
(gdb) r
Starting program: /bin/mksh
$ 1000200887800>1
Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax 0xe09e5df8 -526492168
ecx 0x3 3
edx 0x0 0
ebx 0x8003be50 -2147238320
esp 0xbffff210 0xbffff210
ebp 0x41414344 0x41414344
esi 0x80044a54 -2147202476
edi 0x2 2
eip 0x80009c92 0x80009c92
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) bt
#0 0x80009c92 in ?? ()
Backtrace stopped: Cannot access memory at address 0x41414348
(gdb) info frame 0
Stack frame at 0x4141434c:
eip = 0x80009c92;
saved eip = <error: Cannot access memory at address 0x41414348>
Outermost frame: Cannot access memory at address 0x41414348
Arglist at 0x41414344, args:
Locals at 0x41414344, Previous frame's sp is 0x4141434c
Cannot access memory at address 0x41414344
(gdb)
To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1440685/+subscriptions
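Added example (not mksh's code, and not the fix that went into R50f): the bug class behind "1000200887800>1" is a redirection unit taken from user input and used to index a fixed-size per-environment table (e->savefd[iop->unit]) with no bound check. The table size NUFILE (32 here), the struct, and all function names below are assumptions for illustration. Two details worth seeing: the digits of 1000200887800 accumulated into a 32-bit value wrap to -526492168 (0xe09e5df8), which is exactly the eax value in the register dump above, so whatever the shell's lexer did, it ended up with a truncated unit; and a checked parser rejects the token before any table access happens.

```c
#include <stdint.h>
#include <stdio.h>

#define NUFILE 32   /* assumption: largest unit a redirection may name (mksh has its own limit) */

struct env {
    short savefd[NUFILE];   /* per-environment saved-fd table, indexed by redirection unit */
};

/* What a naive lexer does: accumulate decimal digits into a 32-bit value and
 * store it in an int.  uint32_t makes the wrap defined; the final cast to
 * int32_t is the two's-complement reinterpretation every mainstream ABI uses.
 * For "1000200887800" this yields -526492168 (0xe09e5df8). */
int32_t wrapped_unit(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9') {
        v = v * 10u + (uint32_t)(*s - '0');   /* silently wraps mod 2^32 */
        s++;
    }
    return (int32_t)v;
}

/* Hardened digit parse: refuses any value that would exceed NUFILE-1,
 * checking *before* the multiply so it can never overflow.
 * Returns the unit, or -1 if rejected; *len gets the digits consumed. */
static int parse_unit_checked(const char *s, size_t *len)
{
    int v = 0;
    size_t i = 0;
    while (s[i] >= '0' && s[i] <= '9') {
        int d = s[i] - '0';
        if (v > (NUFILE - 1 - d) / 10)   /* v*10 + d would be >= NUFILE */
            return -1;
        v = v * 10 + d;
        i++;
    }
    *len = i;
    return v;
}

/* Parse a constructed token of the form "N>target" / "N<target" / ">target".
 * Returns the validated unit (default 1 for '>', 0 for '<' when no digits),
 * or -1 for a malformed or out-of-range redirection.  A caller that gets -1
 * reports a syntax error instead of touching savefd[]. */
int redir_unit(const char *tok)
{
    size_t len = 0;
    int u = parse_unit_checked(tok, &len);
    if (u < 0)
        return -1;                              /* overflow or unit >= NUFILE */
    if (tok[len] != '>' && tok[len] != '<')
        return -1;                              /* no redirection operator */
    return len ? u : (tok[len] == '>' ? 1 : 0);
}

/* Guarded equivalent of the savefd[iop->unit] access: even with a validated
 * unit, keep a cheap defensive range check at the point of use. */
int iosetup_checked(const struct env *e, int unit)
{
    if (unit < 0 || unit >= NUFILE)
        return -1;
    return e->savefd[unit];
}

int main(void)
{
    const char *bad = "1000200887800>1";       /* the reporter's input */
    struct env e = {{0}};

    printf("naive 32-bit unit: %d (0x%08x)\n",
           (int)wrapped_unit(bad), (unsigned)(uint32_t)wrapped_unit(bad));
    printf("checked parse of \"%s\": %d (-1 = rejected)\n", bad, redir_unit(bad));
    printf("checked parse of \"2>1\": %d\n", redir_unit("2>1"));
    printf("lookup with rejected unit: %d\n", iosetup_checked(&e, redir_unit(bad)));
    return 0;
}
```

The division-based check in parse_unit_checked is the idiom to reach for whenever a small bounded integer is parsed from untrusted text: it bounds the value and prevents the overflow in one comparison, so there is no window in which a wrapped or saturated number can reach an array index.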