Re: Segfault when closing piped stdin on 4.4.11

Mon, 15 May 2017 21:03:05 -0700 

On Mon, May 15, 2017 at 8:09 PM, Elliott Cable <m...@ell.io> wrote:
> I'm no shell-script master, but this is segfaulting my Bash, and I was
> able to reproduce it on a couple different systems (including the #bash
> shbot :P):
>
>     echo '_() { exec <&- ;}; _ "$0" "$@"' >bleh.sh
>     cat bleh.sh | bash

It's worth noting that this was fixed in the `devel' branch as a
result of the following report:
https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00088.html

dualbus@debian:~/src/gnu/bash$ ./bash <<< 'exec <&-'
Segmentation fault (core dumped)

[New LWP 7237]
Core was generated by `./bash'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000563a97cb9b2b in buffered_getchar () at input.c:565
565       return (bufstream_getc (buffers[bash_input.location.buffered_fd]));
(gdb) bt
#0  0x0000563a97cb9b2b in buffered_getchar () at input.c:565
#1  0x0000563a97c6d23a in yy_getc () at
/usr/homes/chet/src/bash/src/parse.y:1390
#2  0x0000563a97c6e12b in shell_getc (remove_quoted_newline=1) at
/usr/homes/chet/src/bash/src/parse.y:2299
#3  0x0000563a97c6f654 in read_token (command=0) at
/usr/homes/chet/src/bash/src/parse.y:3115
#4  0x0000563a97c6ebed in yylex () at /usr/homes/chet/src/bash/src/parse.y:2675
#5  0x0000563a97c6a251 in yyparse () at y.tab.c:1834
#6  0x0000563a97c69ecd in parse_command () at eval.c:261
#7  0x0000563a97c69fb3 in read_command () at eval.c:305
#8  0x0000563a97c69bf7 in reader_loop () at eval.c:149
#9  0x0000563a97c677fa in main (argc=1, argv=0x7ffd0dc0b498,
env=0x7ffd0dc0b4a8) at shell.c:792

(gdb) p bash_input.location.buffered_fd
$1 = 0
(gdb) p buffers[0]
$2 = (BUFFERED_STREAM *) 0x0

i.e. the problem is that the `exec <&-' closes stdin, which is the
file descriptor bash is using to read the code. So the parser tries to
read more code, and ends up dereferencing a NULL pointer.

Commit f698849a75fc781472806182c3dc930077a5d828 in the `devel' branch
adds the NULL pointer check to bufstream_ungetc (`bp == 0') before
dereferencing the `bp' pointer.

dualbus@debian:~/src/gnu/bash$ git show
f698849a75fc781472806182c3dc930077a5d828 -- input.c
commit f698849a75fc781472806182c3dc930077a5d828
Author: Chet Ramey <chet.ra...@case.edu>
Date:   Mon Mar 20 16:30:10 2017 -0400

    commit bash-20170317 snapshot

diff --git a/input.c b/input.c
index ffd0c4b8..6d0e6871 100644
--- a/input.c
+++ b/input.c
@@ -525,7 +525,7 @@ bufstream_ungetc(c, bp)
      int c;
      BUFFERED_STREAM *bp;
 {
-  if (c == EOF || bp->b_inputp == 0)
+  if (c == EOF || bp == 0 || bp->b_inputp == 0)
     return (EOF);

   bp->b_buffer[--bp->b_inputp] = c;
@@ -556,6 +556,9 @@ buffered_getchar ()
 {
   CHECK_TERMSIG;

+  if (bash_input.location.buffered_fd < 0 ||
buffers[bash_input.location.buffered_fd] == 0)
+    return EOF;
+
 #if !defined (DJGPP)
   return (bufstream_getc (buffers[bash_input.location.buffered_fd]));
 #else

Reply via email to