On Thu, Feb 13, 2014 at 11:37:27AM -0500, Chet Ramey wrote:
> On 2/13/14 11:33 AM, Eduardo A. Bustamante López wrote:
> > Using an invalid byte sequence with printf %q segfaults bash, for a
> > UTF-8 locale.
>
> http://lists.gnu.org/archive/html/bug-bash/2014-02/msg00033.html

Uhm, apparently the patch doesn't fix the issue entirely. It did fix the
issue for the original payload, but I tested with new payloads, and it
still fails. Found three ways to trigger it:
dualbus@debian:~/nbug$ ls
command-name  invalid-bytes  payloads  printf-q  quote.patch  set-x
dualbus@debian:~/nbug$ cat command-name
payload=$'\065\247\100\063\231\053\306\123\070\237\242\352\263'
"$payload"
dualbus@debian:~/nbug$ cat printf-q
payload=$'\065\247\100\063\231\053\306\123\070\237\242\352\263'
printf %q "$payload"
dualbus@debian:~/nbug$ cat set-x
payload=$'\065\247\100\063\231\053\306\123\070\237\242\352\263'
(set -x; : "$payload")
dualbus@debian:~/nbug$ gdb ~/local/bin/bash
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/dualbus/local/bin/bash...done.
(gdb) r ./printf-q
Starting program: /home/dualbus/local/bin/bash ./printf-q

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b4ba6 in ansic_quote (str=0x7b0ec8 '3' <repeats 200 times>..., flags=0, rlen=0x0) at strtrans.c:279
279	      *r++ = c;
(gdb) bt
#0  0x00000000004b4ba6 in ansic_quote (str=0x7b0ec8 '3' <repeats 200 times>..., flags=0, rlen=0x0) at strtrans.c:279
#1  0x00000000004a4121 in printf_builtin (list=0x7b0dc8) at ./printf.def:567
#2  0x0000000000440e37 in execute_builtin (builtin=0x4a2e64 <printf_builtin>, words=0x7b0d88, flags=0, subshell=0) at execute_cmd.c:4337
#3  0x0000000000441a4a in execute_builtin_or_function (words=0x7b0d88, builtin=0x4a2e64 <printf_builtin>, var=0x0, redirects=0x0, fds_to_close=0x7b0ba8, flags=0) at execute_cmd.c:4758
#4  0x00000000004408e8 in execute_simple_command (simple_command=0x7b0708, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x7b0ba8) at execute_cmd.c:4161
#5  0x000000000043a796 in execute_command_internal (command=0x7b0788, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x7b0ba8) at execute_cmd.c:787
#6  0x0000000000439d44 in execute_command (command=0x7b0788) at execute_cmd.c:390
#7  0x00000000004255e1 in reader_loop () at eval.c:160
#8  0x0000000000423431 in main (argc=2, argv=0x7fffffffeab8, env=0x7fffffffead0) at shell.c:755
(gdb) list
274	    }
275	  if (l)
276	    *r++ = '\\';
277	
278	  if (clen == 1)
279	    *r++ = c;
280	  else
281	    {
282	      for (b = 0; b < (int)clen; b++)
283	        *r++ = (unsigned char)s[b];
(gdb) 
284	      s += clen - 1;	/* -1 because of the increment above */
285	    }
286	}
287	
288	  *r++ = '\'';
289	  *r = '\0';
290	  if (rlen)
291	    *rlen = r - ret;
292	  return ret;
293	}
(gdb) info locals
r = 0x7b2000 <Address 0x7b2000 out of bounds>
ret = 0x7b0e48 "$'5\\247@", '3' <repeats 192 times>...
s = 0x7b1fff "3" <Address 0x7b2000 out of bounds>
l = 0
rsize = 56
c = 51 '3'
clen = 1
b = 1
wc = 64 L'@'
(gdb) quit
A debugging session is active.

	Inferior 1 [process 2017] will be killed.

Quit anyway? (y or n) y
dualbus@debian:~/nbug$

As you can see from the gdb list command, the patch has been applied, and
it still shows the issue.
If you are interested, I have a list of payloads that trigger the bug
differently for each of the three tests (some segfault, some not). You
have to ''set follow-fork-mode child'' for the command-name example to
trace it in gdb.

-- 
Eduardo Alan Bustamante López