Machine: x86_64 OS: linux-gnu Compiler: gcc Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' -D CONF_VENDOR='unknown' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -g -O2 uname output: Linux work 3.18.19-1-tresor #1 SMP PREEMPT Wed Aug 5 08:03:47 UTC 2015 x86_64 GNU/Linux Machine Type: x86_64-unknown-linux-gnu Bash Version: 4.3 Patch Level: 42 Release Status: release
Description: An integer overflow can be triggered in braces.c when using {..}, resulting in a segmentation fault. (gdb) r -c "for x in {1..9223372036854775805}; do echo overflow; done" Starting program: /home/pasha/bash/bash -c "for x in > {1..9223372036854775805}; do echo overflow; done" > Program received signal SIGSEGV, Segmentation fault. 0x00007ffff771b4f8 in __memset_avx2 () from /usr/lib/libc.so.6 (gdb) i r rax 0xdfdfdfdf 3755991007 rbx 0x1 1 rcx 0xffffffffffff8248 -32184 rdx 0xfffffffffffffff0 -16 rsi 0x700248 7340616 rdi 0x708000 7372800 rbp 0x1 0x1 rsp 0x7fffffffe3f8 0x7fffffffe3f8 r8 0x1 1 r9 0x70759b 7370139 r10 0x0 0 r11 0x1999999999999999 1844674407370955161 r12 0x0 0 r13 0x0 0 r14 0x700258 7340632 r15 0xfffffffffffffff0 -16 rip 0x7ffff771b4f8 0x7ffff771b4f8 <__memset_avx2+392> eflags 0x10287 [ CF PF SF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 > (gdb) x/50x $rip 0x7ffff771b4f8 <__memset_avx2+392>: 0x8948aaf3 0xd02948f0 0xc377f8c5 > 0x00000000 0x7ffff771b508: 0x00000000 0x00000000 0x54415541 0x55fd8949 0x7ffff771b518 <free_derivation+8>: 0xec834853 0x7f834808 0x8b480018 > 0x52741057 0x7ffff771b528 <free_derivation+24>: 0x3145ed31 0x001f0fe4 0x2a048d48 > 0x8510488b 0x7ffff771b538 <free_derivation+40>: 0x48317ec9 0x4840588b 0x2874db85 > 0x00388348 0x7ffff771b548 <free_derivation+56>: 0xc1487674 0x486411cb 0x30251c33 > 0x48000000 0x7ffff771b558 <free_derivation+72>: 0x71e8df89 0x48fffd12 0x0349ef89 > 0xd3ff107d 0x7ffff771b568 <free_derivation+88>: 0x10558b49 0x01c48349 0x68c58348 > 0x1865394d 0x7ffff771b578 <free_derivation+104>: 0x8548b677 0x482f74d2 0xe8187a8b > 0xffed3f18 0x7ffff771b588 <free_derivation+120>: 0x18458b49 0x40148d48 0x90048d48 > 0x10558b49 0x7ffff771b598 <free_derivation+136>: 0xc2048d48 0xb8788b48 0xed3efbe8 > 0x7d8b49ff 0x7ffff771b5a8 <free_derivation+152>: 0x3ef2e810 0x8348ffed 0x894c08c4 > 0x415d5bef 0x7ffff771b5b8 <free_derivation+168>: 0xe95d415c 0xffed3ee0 > (gdb) disas $rip-40,$rip Dump of assembler code 
from 0x7ffff771b4d0 to 0x7ffff771b4f8: 0x00007ffff771b4d0 <__memset_avx2+352>: mov %esi,%eax 0x00007ffff771b4d2 <__memset_avx2+354>: vmovdqu %ymm0,-0x80(%rsi) 0x00007ffff771b4d7 <__memset_avx2+359>: vmovdqu %ymm0,-0x60(%rsi) 0x00007ffff771b4dc <__memset_avx2+364>: vmovdqu %ymm0,-0x40(%rsi) 0x00007ffff771b4e1 <__memset_avx2+369>: vmovdqu %ymm0,-0x20(%rsi) 0x00007ffff771b4e6 <__memset_avx2+374>: sub %rdx,%rax 0x00007ffff771b4e9 <__memset_avx2+377>: vzeroupper 0x00007ffff771b4ec <__memset_avx2+380>: retq 0x00007ffff771b4ed <__memset_avx2+381>: nopl (%rax) 0x00007ffff771b4f0 <__memset_avx2+384>: sub $0xffffffffffffff80,%rcx 0x00007ffff771b4f4 <__memset_avx2+388>: vmovd %xmm0,%eax End of assembler dump. > $ $(which bash) --version GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu) > Repeat-By: $(which bash) -c "for x in {1..9223372036854775805}; do echo overflow; done" Fix: Make sure the overflow checks are done right after the input is taken, rather than only just before writing to memory. Thank you, Pasha Kravtsov