Re: Light weight support for JSON
Greg Wooledge writes:

> The standard idiom for this sort of thing is
>
>     eval "$(external-tool)"
>
> This means you need to *trust* the external-tool to produce safe code.

True. And I use that idiom with ssh-agent routinely. But it still strikes me as unnatural.

Dale
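The trust problem in the quoted idiom comes from letting eval parse whatever the helper prints. The following POSIX sh example, added here and not code from the thread or from either participant, treats the helper's output as data instead: only NAME=VALUE lines whose name is a valid identifier are accepted, and the value is stored verbatim rather than parsed. The helper output, `is_identifier` and `import_assignments` are constructed/assumed names.

```shell
# Constructed sample output from a hypothetical helper "external-tool":
# one legitimate line, one that eval would have run as code, and two
# lines that are not assignments at all.
SAMPLE_OUTPUT='AGENT_PID=4242
GREETING=hello $(echo injected); echo also-injected
not an assignment
1BAD=starts-with-digit'

# is_identifier NAME: succeed only for a valid shell variable name.
is_identifier() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# import_assignments: read NAME=VALUE lines from stdin and assign each
# NAME in the current shell.  The value is stored verbatim and never
# parsed, so $(...) and ; inside it stay plain characters.
# Sets IMPORT_REJECTED to the number of lines that were skipped.
import_assignments() {
    IMPORT_REJECTED=0
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}
        value=${line#*=}
        if [ "$name" = "$line" ] || ! is_identifier "$name"; then
            IMPORT_REJECTED=$((IMPORT_REJECTED + 1))
            continue
        fi
        # eval sees only the validated identifier plus the literal text
        # $value; the contents of the value are not re-parsed as code.
        eval "$name=\$value"
    done
}

# Feed the helper's output through a here-document so the assignments
# land in the current shell (a pipe would run the loop in a subshell).
import_assignments <<EOF
$SAMPLE_OUTPUT
EOF
```

Values are assigned literally, so a line in ssh-agent's `NAME=value; export NAME;` format would need its trailing `; export NAME;` stripped before being fed in.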
Heap-buffer-overflow in valid_parameter_transform
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D>
uname output: Linux fedora 5.18.13-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:03:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Hi! I was fuzzing bash with AFL++ and found a heap-buffer-overflow in the valid_parameter_transform function.

Description:

ASAN report:

==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
READ of size 1 at 0x602018b1 thread T0
    #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
    #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
    #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
    #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
    #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
    #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
    #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
    #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
    #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
    #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
    #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
    #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
    #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
    #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
    #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

0x602018b1 is located 0 bytes to the right of 1-byte region [0x602018b0,0x602018b1)
allocated by thread T0 here:
    #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
    #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
    #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20

Repeat-By:

1. Build bash with asan
2. Run with AFL++ crafted input (in attachment)

Fix:

diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c
--- bash-5.1-orig/subst.c	2022-08-29 18:56:11.071802865 +
+++ bash-5.1/subst.c	2022-08-29 18:56:48.187435415 +
@@ -7916,7 +7916,7 @@ static int
 valid_parameter_transform (xform)
      char *xform;
 {
-  if (xform[1])
+  if (xform[0] && xform[1])
     return 0;
 
   /* check for valid values of xform[0] */

Kind regards,
Ivan Kapranov.
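Review bot: The added `xform[0] &&` guard in the hunk stops the read the ASAN trace points at (subst.c:7919 reading xform[1] of a 1-byte region allocated in substring), but with xform[0] == 0 the function no longer returns 0 at this line and instead falls through to the "check for valid values of xform[0]" below the hunk, so the patch silently relies on that later check rejecting a NUL transform. Spelling the intent out as `if (xform[0] == 0 || xform[1])` followed by `return 0;` makes the empty transform an explicit invalid case and does not depend on code outside the hunk. A regression test for the empty-transform input would also help, since the report's reproducer exists only as an attachment.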
Stack overflow
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D>
uname output: Linux fedora 5.18.13-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:03:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Hi! I was fuzzing bash with AFL++ and found a stack overflow.

Description:

A recursive call to a chain of functions leads to a stack overflow and a program crash (segmentation fault).

Address sanitizer report:

==693300==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7a72f970 (pc 0x7f1bc73f7620 bp 0x7ffe7a7301b0 sp 0x7ffe7a72f970 T0)
    #0 0x7f1bc73f7620 in __interceptor_malloc (/lib64/libasan.so.8+0xba620)
    #1 0x54e8a3 in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114
    #2 0x449e72 in decode_prompt_string parse.y:5806
    #3 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #4 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #5 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #6 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #7 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #8 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #9 0x44c166 in decode_prompt_string parse.y:6174
    #10 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #11 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #12 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #13 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #14 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #15 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #16 0x44c166 in decode_prompt_string parse.y:6174
    #17 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #18 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #19 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #20 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #21 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #22 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #23 0x44c166 in decode_prompt_string parse.y:6174
    #24 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #25 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #26 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #27 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #28 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #29 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #30 0x44c166 in decode_prompt_string parse.y:6174
    #31 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #32 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #33 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #34 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #35 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #36 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #37 0x44c166 in decode_prompt_string parse.y:6174
    #38 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #39 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #40 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #41 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #42 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #43 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #44 0x44c166 in decode_prompt_string parse.y:6174
    #45 0x4d9f15 in string_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7794
    #46 0x4daa5e in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7988
    #47 0x4e3d38 in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306
    #48 0x4e59ad in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765
    #49 0x4e90ac in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334
    #50 0x4c52d7 in expand_prompt_string /root/rpmbuild/BUILD/bash-5.1/subst.c:3868
    #51 0x44c166 in