Re: Heap-buffer-overflow in valid_parameter_transform

2022-08-31 Thread Chet Ramey

On 8/31/22 3:34 PM, Ivan Kapranov wrote:

Are you sure?
The patch I have attached fixes a buffer overflow if the xform is a single
character string.


The xform is always a single-character string. xform[1] had better be the
'\0' that terminates it. If it's not, the xform is invalid. Nothing you've
sent me demonstrates a case where that function gets a null string as its
argument.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
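The invariant Chet states above (the transform operator is a one-character string, so xform[1] must be the terminating NUL) is only safe to check once xform[0] is known to be non-NUL: the ASAN report in this thread shows a 1-byte region, which holds nothing but a terminator, so any read of xform[1] runs off its end. The following is an added example, not bash's valid_parameter_transform and not the patch attached to this thread; valid_single_char_xform and the operator set VALID_OPS are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed operator set for this example; not bash's own table. */
static const char VALID_OPS[] = "QEPAaKUuL";

/* Hypothetical validator for a single-character parameter-transform
 * operator. Returns 1 if xform is exactly one character and that
 * character is a known operator, 0 otherwise.
 *
 * Order of checks matters: xform[1] is only inspected after xform[0] is
 * known to be non-NUL, so an empty (or NULL) string never causes a read
 * past its terminator, which is the out-of-bounds read ASAN flagged. */
int valid_single_char_xform(const char *xform)
{
  if (xform == NULL || xform[0] == '\0')
    return 0;               /* nothing to validate; stop before xform[1] */
  if (xform[1] != '\0')
    return 0;               /* longer than one character: not a transform */
  return strchr(VALID_OPS, xform[0]) != NULL;
}

/* Same check when the caller knows the length of the slice it is about to
 * copy out (the way a substring(start, end) helper would): a zero-length
 * slice is rejected up front instead of being allocated as a 1-byte
 * buffer and then indexed at [1]. */
int valid_single_char_xform_n(const char *buf, size_t start, size_t end)
{
  if (buf == NULL || end <= start)
    return 0;               /* empty slice */
  if (end - start != 1)
    return 0;               /* exactly one character expected */
  return strchr(VALID_OPS, buf[start]) != NULL;
}
```

The second function is the one to prefer when the operator is carved out of a larger word, because it decides validity from the slice bounds before any copy is made.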




Re: Heap-buffer-overflow in valid_parameter_transform

2022-08-31 Thread Ivan Kapranov
   Are you sure?

   The patch I have attached fixes a buffer overflow if the xform is a
   single character string.

   31.08.2022, 22:26, "Chet Ramey" :

 On 8/30/22 1:02 PM, Иван Капранов wrote:

  Configuration Information [Automatically generated, do not change]:

  Machine: x86_64

  OS: linux-gnu

  Compiler: gcc

  Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects
 -fexceptions -g
  -grecord-gcc-switches -pipe -Wall -Werror=format-security
  -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D>

  uname output: Linux fedora 5.18.13-200.fc36.x86_64 #1 SMP
  PREEMPT_DYNAMIC Fri Jul 22 14:03:36 UTC 2022 x86_64 x86_64
 x86_64
  GNU/Linux

  Machine Type: x86_64-redhat-linux-gnu



  Bash Version: 5.1

  Patch Level: 16

  Release Status: release





  Hi! I was fuzzing bash with AFL++ and found a heap-buffer-overflow in
  the valid_parameter_transform function.



  Description:
  ASAN report:
  ==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
  READ of size 1 at 0x602018b1 thread T0
   #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
   #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
   #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
   #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
   #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
   #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
   #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
   #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
   #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
   #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
   #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
   #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
   #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
   #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
   #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
   #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
   #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

  0x602018b1 is located 0 bytes to the right of 1-byte region [0x602018b0,0x602018b1)
  allocated by thread T0 here:
   #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
   #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
   #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20



  Repeat-By:
  1. Build bash with asan
  2. Run with AFL++ crafted input (in attachment)

 After receiving the attachment, this is the same issue as the
 previous
 message: specifying a parameter transformation that causes recursive
 expansion on a variable whose value contains the same parameter
 transformation.
 --
 ``The lyf so short, the craft so long to lerne.'' - Chaucer
  ``Ars longa, vita brevis'' - Hippocrates
 Chet Ramey, UTech, CWRU [1]c...@case.edu
 [2]http://tiswww.cwru.edu/~chet/

References

   1. mailto:c...@case.edu
   2. http://tiswww.cwru.edu/~chet/


Re: Heap-buffer-overflow in valid_parameter_transform

2022-08-31 Thread Chet Ramey

On 8/30/22 1:02 PM, Иван Капранов wrote:

Configuration Information [Automatically generated, do not change]:

Machine: x86_64

OS: linux-gnu

Compiler: gcc

Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D>

uname output: Linux fedora 5.18.13-200.fc36.x86_64 #1 SMP
PREEMPT_DYNAMIC Fri Jul 22 14:03:36 UTC 2022 x86_64 x86_64 x86_64
GNU/Linux

Machine Type: x86_64-redhat-linux-gnu



Bash Version: 5.1

Patch Level: 16

Release Status: release





Hi! I was fuzzing bash with AFL++ and found a heap-buffer-overflow in
the valid_parameter_transform function.



Description:
ASAN report:
==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
READ of size 1 at 0x602018b1 thread T0
 #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
 #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
 #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
 #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
 #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
 #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
 #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
 #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
 #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
 #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
 #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
 #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
 #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
 #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
 #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
 #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
 #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

0x602018b1 is located 0 bytes to the right of 1-byte region [0x602018b0,0x602018b1)
allocated by thread T0 here:
 #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
 #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
 #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20



Repeat-By:
1. Build bash with asan
2. Run with AFL++ crafted input (in attachment)


After receiving the attachment, this is the same issue as the previous
message: specifying a parameter transformation that causes recursive
expansion on a variable whose value contains the same parameter
transformation.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/




Re: Heap-buffer-overflow in valid_parameter_transform

2022-08-31 Thread Chet Ramey

On 8/30/22 1:02 PM, Иван Капранов wrote:


Repeat-By:
1. Build bash with asan
2. Run with AFL++ crafted input (in attachment)


There's no attachment.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/