I found another script that triggers a null ptr deref and then segfaults bash 4.4.0(1)-beta.
hexdump -C -v test25
00000000  5f 3d 20 5f 5f 5f 5f 5f  5f 5f 5f 5f 5f 5f 5f 3d  |_= ____________=|
00000010  24 7b 5f 5b 30 5d 7d 20  5f 3d 24 7b 5f 5f 5f 5f  |${_[0]} _=${____|
00000020  5f 5f 5f 5f 5f 5f 5f 5f  2f 2a 7d                 |________/*}|
0000002b

Starting program: /home/geeknik/bash/bash test25

Program received signal SIGSEGV, Segmentation fault.
__strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy.S:94
94      ../sysdeps/x86_64/multiarch/strcpy.S: No such file or directory.
(gdb) bt
#0  __strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy.S:94
#1  0x0000000000590d64 in pat_subst () at /usr/include/x86_64-linux-gnu/bits/string3.h:105
#2  0x000000000059af39 in parameter_brace_expand () at subst.c:7339
#3  0x00000000005a1eec in param_expand () at subst.c:8384
#4  0x00000000005a94a7 in expand_word_internal () at subst.c:8936
#5  0x00000000005b2b94 in expand_string_assignment () at subst.c:3348
#6  0x00000000005b4585 in do_assignment_internal () at subst.c:3139
#7  0x00000000005c8712 in expand_word_list_internal () at subst.c:2956
#8  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#9  0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#10 0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#11 0x00000000004317e0 in reader_loop ()
#12 0x0000000000429bdb in main () at shell.c:767

==15522== Invalid read of size 1
==15522==    at 0x4C29BD7: strcpy (vg_replace_strmem.c:467)
==15522==    by 0x590D63: strcpy (string3.h:105)
==15522==    by 0x590D63: pat_subst (subst.c:7113)
==15522==    by 0x59AF38: parameter_brace_patsub (subst.c:7339)
==15522==    by 0x59AF38: parameter_brace_expand (subst.c:7959)
==15522==    by 0x5A1EEB: param_expand (subst.c:8384)
==15522==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==15522==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==15522==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==15522==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==15522==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==15522==    by 0x5C8711: do_word_assignment (subst.c:2956)
==15522==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==15522==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==15522==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==15522==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==15522==    by 0x4317DF: reader_loop (eval.c:163)
==15522==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==15522==
==15522==
==15522== Process terminating with default action of signal 11 (SIGSEGV)
==15522==  Access not within mapped region at address 0x0
==15522==    at 0x4C29BD7: strcpy (vg_replace_strmem.c:467)
==15522==    by 0x590D63: strcpy (string3.h:105)
==15522==    by 0x590D63: pat_subst (subst.c:7113)
==15522==    by 0x59AF38: parameter_brace_patsub (subst.c:7339)
==15522==    by 0x59AF38: parameter_brace_expand (subst.c:7959)
==15522==    by 0x5A1EEB: param_expand (subst.c:8384)
==15522==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==15522==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==15522==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==15522==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==15522==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==15522==    by 0x5C8711: do_word_assignment (subst.c:2956)
==15522==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==15522==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==15522==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==15522==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==15522==    by 0x4317DF: reader_loop (eval.c:163)
==15522==  If you believe this happened as a result of a stack
==15522==  overflow in your program's main thread (unlikely but
==15522==  possible), you can try to increase the size of the
==15522==  main thread stack using the --main-stacksize= flag.
==15522==  The main thread stack size used in this run was 8388608.
Segmentation fault

Regards,
Brian 'geeknik' Carpenter
test25
Description: Binary data
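The hexdump above encodes a single 43-byte line with no trailing newline: three assignment words, `_=`, `____________=${_[0]}` and `_=${____________/*}`, where the second and third use a twelve-underscore variable name. The following script is an added example, not part of the report or of the bash sources: it rebuilds test25 from those bytes, checks that the result matches the hexdump's 0x2b size, and runs it under a bash binary of your choosing the way the report did (`bash test25`), reporting whether that shell died with SIGSEGV. The BASH_BIN variable and the default output path are assumptions; the report itself only gives `/home/geeknik/bash/bash`.

```shell
#!/bin/sh
# Added example (not from the original report). Rebuilds the test25
# reproducer from the hexdump and runs it under a chosen bash build.

# The 43 bytes of test25, decoded from the hexdump: three assignment words
# on one line, twelve underscores in the long variable name, no newline.
# Single quotes keep ${_[0]} and ${____________/*} literal here.
TEST25_CONTENT='_= ____________=${_[0]} _=${____________/*}'

# write_test25 [path]: write the reproducer to path (default ./test25).
# Returns 0 only if the file is exactly 43 bytes, i.e. matches 0x2b.
write_test25() {
    out="${1:-test25}"
    printf '%s' "$TEST25_CONTENT" > "$out"
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -eq 43 ]
}

# run_test25 [path]: run the reproducer as a script file under BASH_BIN
# (assumed variable; default is whatever `bash` is on PATH), as the report
# did with `bash test25`. Prints the exit status and returns 0 only if the
# shell was killed by SIGSEGV (status 128 + 11 = 139). A fixed bash exits 0.
run_test25() {
    bin="${BASH_BIN:-bash}"
    script="${1:-test25}"
    "$bin" "$script" >/dev/null 2>&1
    status=$?
    printf 'exit status: %s\n' "$status"
    [ "$status" -eq 139 ]
}
```

Point BASH_BIN at the 4.4.0(1)-beta build to reproduce, or at a later build to confirm the crash is gone; the exit status is the only signal the harness relies on, so it works the same under `valgrind` if you wrap the binary.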