While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I came across another script which triggers a null ptr dereference and a segfault. This script seems to crash these other versions of bash as well:
4.2.37(1)-release on x86_64 Debian, 4.3.39(1)-release on x86_64 Red Hat

hexdump -v -C test00
00000000  5f 3d 28 7b 24 5b 3c 28  30 26 5f 3d 28 5d 29 0a  |_=({$[<(0&_=(]).|
00000010  30 29                                             |0)|
00000012

Valgrind:

valgrind -q ~/bash/bash test00
test00: command substitution: line 2: unexpected EOF while looking for matching `)'
TRACE: pid 547: parse_string: longjmp executed: code = 2
==547== Invalid read of size 1
==547==    at 0x46E899: rewind_input_string (parse.y:1581)
==547==    by 0x46E899: yyparse (parse.y:1160)
==547==    by 0x430B3E: parse_command (eval.c:241)
==547==    by 0x430B3E: read_command (eval.c:285)
==547==    by 0x431654: reader_loop (eval.c:148)
==547==    by 0x429BDA: main (shell.c:767)
==547==  Address 0xfe is not stack'd, malloc'd or (recently) free'd
==547==
==547==
==547== Process terminating with default action of signal 11 (SIGSEGV)
==547==  Access not within mapped region at address 0xFE
==547==    at 0x46E899: rewind_input_string (parse.y:1581)
==547==    by 0x46E899: yyparse (parse.y:1160)
==547==    by 0x430B3E: parse_command (eval.c:241)
==547==    by 0x430B3E: read_command (eval.c:285)
==547==    by 0x431654: reader_loop (eval.c:148)
==547==    by 0x429BDA: main (shell.c:767)
==547==  If you believe this happened as a result of a stack
==547==  overflow in your program's main thread (unlikely but
==547==  possible), you can try to increase the size of the
==547==  main thread stack using the --main-stacksize= flag.
==547==  The main thread stack size used in this run was 8388608.
Segmentation fault

GDB:

Starting program: /home/geeknik/bash/bash test00
test00: command substitution: line 2: unexpected EOF while looking for matching `)'
TRACE: pid 15908: parse_string: longjmp executed: code = 2

Program received signal SIGSEGV, Segmentation fault.
yyparse () at ./parse.y:1581
1581              xchars++;
(gdb) bt
#0  yyparse () at ./parse.y:1581
#1  0x0000000000430b3f in read_command ()
#2  0x0000000000431655 in reader_loop ()
#3  0x0000000000429bdb in main () at shell.c:767
(gdb) i r
rax            0x0      0
rbx            0x2      2
rcx            0xffffff89       4294967177
rdx            0x0      0
rsi            0xff     255
rdi            0x0      0
rbp            0x95     0x95
rsp            0x7fffffffd220   0x7fffffffd220
r8             0x29     41
r9             0x0      0
r10            0x7fffffffd290   140737488343696
r11            0x0      0
r12            0x0      0
r13            0x7fffffffd290   140737488343696
r14            0xbaad48 12234056
r15            0x7fffffffd292   140737488343698
rip            0x46e899 0x46e899 <yyparse+33017>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Regards,
Brian 'geeknik' Carpenter
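A small triage helper, added here and not part of the report or of bash itself: it rebuilds the test case bytes from the `hexdump -C` listing above (rejecting squeezed `*` lines and offset gaps), then runs a chosen shell on the file with a timeout and reports whether the process exited normally or died from a signal, so a maintainer can check a given bash build for this regression. The listing embedded below is copied from the report; the shell path and timeout are assumptions.

```python
import os
import re
import shutil
import signal
import subprocess
import tempfile

# Copied from the `hexdump -v -C test00` listing in the report.
HEXDUMP_LISTING = """\
00000000  5f 3d 28 7b 24 5b 3c 28  30 26 5f 3d 28 5d 29 0a  |_=({$[<(0&_=(]).|
00000010  30 29                                             |0)|
00000012
"""

def parse_hexdump_c(listing: str) -> bytes:
    """Rebuild raw bytes from `hexdump -C` output.

    Data lines are: 8-digit offset, up to 16 hex byte pairs, |ascii| column.
    The ASCII column is ignored (hexdump prints '.' for non-printables), the
    trailing offset-only line carries no data, and a '*' line means hexdump was
    run without -v and squeezed repeated rows, so the bytes cannot be recovered.
    """
    out = bytearray()
    for line in listing.splitlines():
        if line.strip() == "*":
            raise ValueError("squeezed output; re-run hexdump with -v")
        m = re.match(r"^([0-9a-fA-F]{8})\s+(.*?)\s*(\|.*\|)?$", line)
        if not m or not m.group(2):
            continue  # blank line or final offset-only line
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset gap before {m.group(1)}")
        out.extend(int(tok, 16) for tok in m.group(2).split())
    return bytes(out)

def classify_run(shell: str, script: bytes, timeout: float = 5.0) -> str:
    """Run `shell <script-file>`; return 'exit:N' or 'signal:SIGNAME'."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(script)
        path = f.name
    try:
        proc = subprocess.run([shell, path], capture_output=True, timeout=timeout)
    finally:
        os.unlink(path)
    rc = proc.returncode
    return f"signal:{signal.Signals(-rc).name}" if rc < 0 else f"exit:{rc}"

if __name__ == "__main__":
    script = parse_hexdump_c(HEXDUMP_LISTING)
    bash = shutil.which("bash")  # assumption: bash on PATH
    print(classify_run(bash, script) if bash else "bash not found")
```

A build with the bug reports `signal:SIGSEGV`; a fixed build reports a non-zero `exit:` status from the parse error.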