Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' -D
CONF_VENDOR='unknown' -DLOCALEDIR='/usr/local/share/locale'
-DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib
-g -O2
uname output: Linux work 3.18.19-1-tresor #1 SMP PREEMPT Wed Aug 5 08:03:47
UTC 2015 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.3
Patch Level: 42
Release Status: release
Description:
An integer overflow can be triggered in braces.c when expanding a {..}
sequence with a very large end value, resulting in a segmentation fault.
(gdb) r -c "for x in {1..9223372036854775805}; do echo overflow; done"
Starting program: /home/pasha/bash/bash -c "for x in {1..9223372036854775805}; do echo overflow; done"

Program received signal SIGSEGV, Segmentation fault.
0x7771b4f8 in __memset_avx2 () from /usr/lib/libc.so.6
(gdb) i r
rax 0xdfdfdfdf 3755991007
rbx 0x1 1
rcx 0x8248 -32184
rdx 0xfff0 -16
rsi 0x700248 7340616
rdi 0x708000 7372800
rbp 0x1 0x1
rsp 0x7fffe3f8 0x7fffe3f8
r8 0x1 1
r9 0x70759b 7370139
r10 0x0 0
r11 0x1999 1844674407370955161
r12 0x0 0
r13 0x0 0
r14 0x700258 7340632
r15 0xfff0 -16
rip 0x7771b4f8 0x7771b4f8 <__memset_avx2+392>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/50x $rip
(gdb) disas $rip-40,$rip
Dump of assembler code from 0x7771b4d0 to 0x7771b4f8:
0x7771b4d0 <__memset_avx2+352>: mov %esi,%eax
0x7771b4d2 <__memset_avx2+354>: vmovdqu %ymm0,-0x80(%rsi)
0x7771b4d7 <__memset_avx2+359>: vmovdqu %ymm0,-0x60(%rsi)
0x7771b4dc <__memset_avx2+364>: vmovdqu %ymm0,-0x40(%rsi)
0x7771b4e1 <__memset_avx2+369>: vmovdqu %ymm0,-0x20(%rsi)
0x7771b4e6 <__memset_avx2+374>: sub %rdx,%rax
0x7771b4e9 <__memset_avx2+377>: vzeroupper
0x7771b4ec <__memset_avx2+380>: retq
0x7771b4ed <__memset_avx2+381>: nopl (%rax)
0x7771b4f0 <__memset_avx2+384>: sub $0xff80,%rcx
0x7771b4f4 <__memset_avx2+388>: vmovd %xmm0,%eax
End of assembler dump.
$ $(which bash) --version
GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu)
Repeat-By:
$(which bash) -c "for x in {1..9223372036854775805}; do echo overflow; done"
Fix:
Check the size of the brace-expansion range for overflow as soon as the
input has been parsed, rather than only at the point where memory is
written.
Thank you,
Pasha Kravtsov
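As an added example (not bash's braces.c and not part of the report above), the following C helper sizes a {start..end..incr} sequence from the parsed bounds before anything is allocated, which is the kind of early check the Fix section asks for; the function name, signature and the assumption that the expansion stores one char* per element are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not bash code.  Compute the element count of the
   sequence start..end with step incr, rejecting any range whose count
   or pointer-array size cannot be represented.  On success returns
   true and stores the count in *count and the array size in *bytes. */
bool brace_seq_size(intmax_t start, intmax_t end, intmax_t incr,
                    uintmax_t *count, size_t *bytes)
{
    if (incr == 0)
        return false;
    /* |incr| computed in unsigned arithmetic so INTMAX_MIN cannot overflow. */
    uintmax_t step = incr < 0 ? (uintmax_t)0 - (uintmax_t)incr
                              : (uintmax_t)incr;
    /* |end - start| in unsigned arithmetic: the true distance between two
       intmax_t values is always below 2^64, so this never wraps. */
    uintmax_t span = end >= start ? (uintmax_t)end - (uintmax_t)start
                                  : (uintmax_t)start - (uintmax_t)end;
    uintmax_t n = span / step;          /* elements beyond the first */
    if (n == UINTMAX_MAX)               /* n + 1 would wrap to zero */
        return false;
    n += 1;
    /* One char* per element (assumed layout): refuse if the array size
       would wrap.  The range from the report fails this test. */
    if (n > SIZE_MAX / sizeof(char *))
        return false;
    *count = n;
    *bytes = (size_t)n * sizeof(char *);
    return true;
}

int main(void)
{
    uintmax_t n;
    size_t b;
    bool ok = brace_seq_size(1, 10, 1, &n, &b);          /* {1..10} */
    printf("{1..10}: ok=%d count=%ju bytes=%zu\n", ok, n, b);
    ok = brace_seq_size(1, INTMAX_C(9223372036854775805), 1, &n, &b);
    printf("{1..9223372036854775805}: ok=%d\n", ok);     /* rejected */
    return 0;
}
```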