Package: zsh
Version: 5.4.2-1

zsh uses memory that has already been freed when checking the syntax of some scripts:
$ valgrind --quiet -- zsh -n uaf.sh
==6749== Invalid read of size 4
==6749==    at 0x4832F70: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6749==    by 0x18B0C6: memcpy (string3.h:53)
==6749==    by 0x18B0C6: dupstring_wlen (string.c:55)
==6749==    by 0x1802F8: patcompile (pattern.c:673)
==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
==6749==    by 0x142923: getmatch (glob.c:2665)
==6749==    by 0x1915F2: paramsubst (subst.c:3045)
==6749==    by 0x1915F2: stringsubst (subst.c:247)
==6749==    by 0x194648: prefork (subst.c:85)
==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
==6749==    by 0x132009: execcmd_exec (exec.c:2782)
==6749==    by 0x1356C9: execpline2 (exec.c:1887)
==6749==    by 0x135ABF: execpline (exec.c:1616)
==6749==    by 0x1370C0: execlist (exec.c:1371)
==6749==  Address 0x4ab3ae8 is 48 bytes inside a block of size 256 free'd
==6749==    at 0x483047C: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6749==    by 0x1638A9: zrealloc (mem.c:1000)
==6749==    by 0x17D900: patadd (pattern.c:414)
==6749==    by 0x1802E2: patcompile (pattern.c:671)
==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
==6749==    by 0x142923: getmatch (glob.c:2665)
==6749==    by 0x1915F2: paramsubst (subst.c:3045)
==6749==    by 0x1915F2: stringsubst (subst.c:247)
==6749==    by 0x194648: prefork (subst.c:85)
==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
==6749==    by 0x132009: execcmd_exec (exec.c:2782)
==6749==    by 0x1356C9: execpline2 (exec.c:1887)
==6749==    by 0x135ABF: execpline (exec.c:1616)
==6749==  Block was alloc'd at
==6749==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==6749==    by 0x163988: zrealloc (mem.c:1015)
==6749==    by 0x17FC7E: patcompile (pattern.c:549)
==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
==6749==    by 0x142923: getmatch (glob.c:2665)
==6749==    by 0x1915F2: paramsubst (subst.c:3045)
==6749==    by 0x1915F2: stringsubst (subst.c:247)
==6749==    by 0x194648: prefork (subst.c:85)
==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
==6749==    by 0x132009: execcmd_exec (exec.c:2782)
==6749==    by 0x1356C9: execpline2 (exec.c:1887)
==6749==    by 0x135ABF: execpline (exec.c:1616)
==6749==    by 0x1370C0: execlist (exec.c:1371)
...

Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages zsh depends on:
ii  zsh-common  5.4.2-1
ii  libc6       2.24-17
ii  libcap2     1:2.25-1.1
ii  libtinfo5   6.0+20170902-1

Versions of packages zsh recommends:
ii  libncursesw5  6.0+20170902-1
ii  libpcre3      2:8.39-5

-- 
Jakub Wilk
Attachment: uaf.sh (Bourne shell script)
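The trace says the block was freed by realloc() called from patadd (pattern.c:671) and read two lines later through memcpy() in dupstring_wlen (pattern.c:673); one reading of that is a pointer into a growable buffer kept across a realloc() that moved it. The C below is a constructed model of that bug class added here, not zsh's code (growbuf, gb_add and the dup_segment functions are invented names): the stale-pointer variant beside an offset-based fix that stays valid when the buffer moves.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable pattern buffer (not zsh's own struct). */
typedef struct { char *buf; size_t len, cap; } growbuf;

/* Append n bytes; realloc() may move the block and free the old one. */
static void gb_add(growbuf *g, const char *src, size_t n) {
    if (g->len + n > g->cap) {
        g->cap = (g->len + n) * 2;
        g->buf = realloc(g->buf, g->cap);   /* old pointers into buf go stale */
        if (!g->buf) abort();
    }
    memcpy(g->buf + g->len, src, n);
    g->len += n;
}

/* Buggy: keeps a raw pointer into g->buf across gb_add(). When the append
 * reallocates, memcpy() reads freed memory, the pattern valgrind flags above. */
char *dup_segment_buggy(growbuf *g, const char *extra) {
    size_t n = strlen(extra);
    char *start = g->buf + g->len;          /* pointer into current block */
    gb_add(g, extra, n);                    /* may free that block */
    char *out = malloc(n + 1);
    memcpy(out, start, n);                  /* use-after-free if buf moved */
    out[n] = '\0';
    return out;
}

/* Fixed: keep an offset and re-derive the pointer after the append. */
char *dup_segment_fixed(growbuf *g, const char *extra) {
    size_t n = strlen(extra), off = g->len;
    gb_add(g, extra, n);
    char *out = malloc(n + 1);
    memcpy(out, g->buf + off, n);           /* g->buf is current here */
    out[n] = '\0';
    return out;
}

/* Self-check: a 4-byte initial capacity forces a realloc() in the second
 * append, so the fixed path must cope with a moved buffer. Returns 1 on success. */
int fixed_path_ok(void) {
    growbuf g = { malloc(4), 0, 4 };
    gb_add(&g, "ab", 2);
    char *seg = dup_segment_fixed(&g, "cdefgh");
    int ok = strcmp(seg, "cdefgh") == 0 && memcmp(g.buf, "abcdefgh", 8) == 0;
    free(seg); free(g.buf);
    return ok;
}
int main(void) { return fixed_path_ok() ? 0 : 1; }
```

Running the buggy variant under valgrind with the same small initial capacity reproduces the "Invalid read ... inside a block ... free'd by realloc" shape of the report, while the fixed variant stays clean.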