Hello, I found a Null Pointer Dereference bug in bash.
Please confirm. Thanks.

Version: bash 4.4.12(1)-maint (cb8c37dc664c2c0c12772111d3cc3a560d50cb04)
OS: Ubuntu 16.04.2 64bit

Steps to reproduce:
1. Download the PoC files.
2. Execute the following command: ./bash $PoC

```
ASAN:SIGSEGV
=================================================================
==13050==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000576d66 bp 0x7ffeb47e0210 sp 0x7ffeb47e01c0 T0)
    #0 0x576d65 in wextglob_skipname /root/karas/bash/lib/glob/glob.c:345
    #1 0x576f54 in mbskipname /root/karas/bash/lib/glob/glob.c:380
    #2 0x576282 in extglob_skipname /root/karas/bash/lib/glob/glob.c:226
    #3 0x5763b8 in skipname /root/karas/bash/lib/glob/glob.c:257
    #4 0x576f9b in mbskipname /root/karas/bash/lib/glob/glob.c:382
    #5 0x578329 in glob_vector /root/karas/bash/lib/glob/glob.c:760
    #6 0x57b255 in glob_filename /root/karas/bash/lib/glob/glob.c:1363
    #7 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #8 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #9 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #10 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #11 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #12 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #13 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #14 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #15 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #16 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #17 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #18 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #19 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #20 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #21 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #22 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #23 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #24 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #25 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #26 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162
    #27 0x4eb908 in shell_glob_filename /root/karas/bash/pathexp.c:427
    #28 0x4d979b in glob_expand_word_list /root/karas/bash/subst.c:10673
    #29 0x4dc001 in expand_word_list_internal /root/karas/bash/subst.c:11109
    #30 0x4d9602 in expand_words /root/karas/bash/subst.c:10622
    #31 0x468565 in execute_simple_command /root/karas/bash/execute_cmd.c:4220
    #32 0x457492 in execute_command_internal /root/karas/bash/execute_cmd.c:811
    #33 0x455c31 in execute_command /root/karas/bash/execute_cmd.c:393
    #34 0x4262a6 in reader_loop /root/karas/bash/eval.c:172
    #35 0x421818 in main /root/karas/bash/shell.c:794
    #36 0x7f362f9f982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #37 0x4204b8 in _start (/root/karas/bash/bash+0x4204b8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/karas/bash/lib/glob/glob.c:345 wextglob_skipname
==13050==ABORTING
```
Attachment: 0000_null_PoC (binary data)
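A triage helper for the report above, added here as an example and not part of the reporter's submission or of bash itself. It parses the ASan SEGV header and frame lines, classifies the faulting address (the first page, assumed here to be the conventional 0x1000 bytes and unmapped, is what makes a "SEGV on unknown address 0x000000000000" a NULL dereference rather than an arbitrary wild pointer), collapses the twenty identical recursive glob_filename frames so they do not drown the crash signature, and builds a bucketing key from the top in-project frames. The input is the trace exactly as posted (frames #7 to #26 are generated rather than pasted because they are identical). The "/bash/" source-root prefix used to shorten paths is an assumption matching the build tree in the report; ASan itself only says it hit an unmapped address and "can not provide additional info", so read-versus-write and exploitability are not something this script can decide.

```python
import re

# ASan output from the bug report above. Frames #7..#26 are 20 identical
# recursive glob_filename frames and are generated instead of pasted.
ASAN_REPORT = "\n".join(
    [
        "ASAN:SIGSEGV",
        "=================================================================",
        "==13050==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 "
        "(pc 0x000000576d66 bp 0x7ffeb47e0210 sp 0x7ffeb47e01c0 T0)",
        "    #0 0x576d65 in wextglob_skipname /root/karas/bash/lib/glob/glob.c:345",
        "    #1 0x576f54 in mbskipname /root/karas/bash/lib/glob/glob.c:380",
        "    #2 0x576282 in extglob_skipname /root/karas/bash/lib/glob/glob.c:226",
        "    #3 0x5763b8 in skipname /root/karas/bash/lib/glob/glob.c:257",
        "    #4 0x576f9b in mbskipname /root/karas/bash/lib/glob/glob.c:382",
        "    #5 0x578329 in glob_vector /root/karas/bash/lib/glob/glob.c:760",
        "    #6 0x57b255 in glob_filename /root/karas/bash/lib/glob/glob.c:1363",
    ]
    + [f"    #{i} 0x57a34d in glob_filename /root/karas/bash/lib/glob/glob.c:1162" for i in range(7, 27)]
    + [
        "    #27 0x4eb908 in shell_glob_filename /root/karas/bash/pathexp.c:427",
        "    #28 0x4d979b in glob_expand_word_list /root/karas/bash/subst.c:10673",
        "    #29 0x4dc001 in expand_word_list_internal /root/karas/bash/subst.c:11109",
        "    #30 0x4d9602 in expand_words /root/karas/bash/subst.c:10622",
        "    #31 0x468565 in execute_simple_command /root/karas/bash/execute_cmd.c:4220",
        "    #32 0x457492 in execute_command_internal /root/karas/bash/execute_cmd.c:811",
        "    #33 0x455c31 in execute_command /root/karas/bash/execute_cmd.c:393",
        "    #34 0x4262a6 in reader_loop /root/karas/bash/eval.c:172",
        "    #35 0x421818 in main /root/karas/bash/shell.c:794",
        "    #36 0x7f362f9f982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)",
        "    #37 0x4204b8 in _start (/root/karas/bash/bash+0x4204b8)",
        "AddressSanitizer can not provide additional info.",
        "SUMMARY: AddressSanitizer: SEGV /root/karas/bash/lib/glob/glob.c:345 wextglob_skipname",
        "==13050==ABORTING",
    ]
)

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S.*?)\s*$", re.M)
SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
PAGE_SIZE = 0x1000  # assumption: 4 KiB first page, unmapped on Linux
SOURCE_ROOT_MARKER = "/bash/"  # assumption: build tree from the report's paths


def fault_address(report):
    """Faulting address from the SEGV header, or None if the header is absent."""
    m = SEGV_RE.search(report)
    return int(m.group(1), 16) if m else None


def classify_address(addr):
    """Heuristic bucket for a SEGV address: exact NULL, NULL plus a field offset, or wild."""
    if addr is None:
        return "unknown"
    if addr == 0:
        return "null-deref"
    if addr < PAGE_SIZE:
        return "null-plus-offset"
    return "wild-pointer"


def parse_frames(report):
    """[(index, function, location), ...] in stack order, #0 first."""
    return [(int(i), fn, loc) for i, fn, loc in FRAME_RE.findall(report)]


def collapse_recursion(frames):
    """Merge runs of identical (function, location) frames into (function, location, count)."""
    collapsed = []
    for _, fn, loc in frames:
        if collapsed and collapsed[-1][:2] == (fn, loc):
            collapsed[-1] = (fn, loc, collapsed[-1][2] + 1)
        else:
            collapsed.append((fn, loc, 1))
    return collapsed


def crash_signature(frames, depth=3):
    """Bucketing key: top `depth` distinct in-project frames, paths relative to the source root."""
    sig = []
    for fn, loc, _ in collapse_recursion(frames):
        if "libc" in loc or fn == "_start":
            break
        sig.append(f"{fn}@{loc.split(SOURCE_ROOT_MARKER, 1)[-1]}")
        if len(sig) == depth:
            break
    return "|".join(sig)


def triage(report):
    addr = fault_address(report)
    frames = parse_frames(report)
    return {
        "address": addr,
        "kind": classify_address(addr),
        "top_frame": frames[0][1:] if frames else None,
        "frames": len(frames),
        "collapsed": collapse_recursion(frames),
        "signature": crash_signature(frames),
    }


if __name__ == "__main__":
    result = triage(ASAN_REPORT)
    print(f"{result['kind']} at {result['address']:#x}, top frame {result['top_frame']}")
    print("signature:", result["signature"])
    for fn, loc, n in result["collapsed"]:
        print(f"  {fn} {loc}" + (f"  x{n}" if n > 1 else ""))
```

Run as a script it prints the classification, the signature and the collapsed stack, with the recursive glob_filename run shown once as "x20". The signature deliberately stops at the first libc or _start frame so that the same bug reproduced on a different distribution still lands in the same bucket.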