Readline's `capitalize-word' / bash read -e issue with UTF-8 multibyte character
dualbus@debian:~$ LC_ALL=en_US.UTF-8 ~/src/gnu/bash/bash -c 'read -e; declare -p REPLY' Ñu woops declare -- REPLY="�w�u" I typed: <ñ><\C-a><\ec>...
Bash parser abort on `realloc: start and end chunk sizes differ'
dualbus@debian:~/bash-fuzzing/bash-parser$ cat -v malloc-read_token_word P[$(0^A^A000$(00 d0=(^?00^?0^?>000^?^A00)000^?00^?0)00^?000)00^A00^A00^?00^A^?000^?0^A0^?00^?00^?0^?0^?^?000^?^?0]0=00^?0^A0 dualbus@debian:~/bash-fuzzing/bash-parser$ base64 malloc-read_token_word UFswMDAwMDAwMCQoMAEwMDAwMDAwMDAwMDAwMDAwATAwMCQoMDAwMDAwMDAwMApkMD0ofzAwfzAw MDAwfzAwMDAwMDAwPjAwMDAwMDB/MDAwMAEwMCkwMDAwMDAwMDAwMDAwMDB/MDB/MDAwMDAwMDAw MDAwMCkwMDAwMDB/MDAwMDAwMDAwMDApMDAwMDAwMDAwMAEwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAB MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH8wMDAwMDAwMDAwMDAwMAEwMDAwMDAw MDAwMDAwMDAwMDAwMH8wMDB/MAEwfzAwMDAwMDAwMDAwMDAwfzAwMDAwMDAwMDAwMDAwMDAwMDAw MDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MH8wMDAwfzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwfzAwMDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwXTA9MDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwATAK dualbus@debian:~/bash-fuzzing/bash-parser$ md5sum malloc-read_token_word 2b926f1f4f79b55b02f13d421fe7443e malloc-read_token_word dualbus@debian:~/bash-fuzzing/bash-parser$ gdb ~/src/gnu/bash/bash [...] (gdb) r -n malloc-read_token_word Starting program: /home/dualbus/src/gnu/bash/bash -n malloc-read_token_word malloc-read_token_word: command substitution: line 4: syntax error near unexpected token `>' malloc-read_token_word: command substitution: line 4: `d0=(000>0)00)0)000]0=' TRACE: pid 31372: parse_string: longjmp executed: code = 2 malloc: ./parse.y:5101: assertion botched malloc: 0x829a08: allocated: last allocated from ./parse.y:4805 realloc: start and end chunk sizes differ Aborting... Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x776413fa in __GI_abort () at abort.c:89 #2 0x0045c745 in programming_error (format=0x551de4 "realloc: start and end chunk sizes differ") at error.c:175 #3 0x005335c2 in xbotch (mem=0x829a08, e=8, s=0x551de4 "realloc: start and end chunk sizes differ", file=0x538059 "./parse.y", line=5101) at malloc.c:329 #4 0x005324a5 in internal_realloc (mem=0x829a08, n=1008, file=0x538059 "./parse.y", line=5101, flags=1) at malloc.c:1036 #5 0x005321e1 in sh_realloc (ptr=0x829a08, size=1008, file=0x538059 "./parse.y", line=5101) at malloc.c:1262 #6 0x004b8093 in sh_xrealloc (pointer=0x829a08, bytes=1008, file=0x538059 "./parse.y", line=5101) at xmalloc.c:206 #7 0x004348fc in read_token_word (character=48) at ./parse.y:5100 #8 0x00431748 in read_token (command=0) at ./parse.y:3330 #9 0x0042c14e in yylex () at ./parse.y:2675 #10 0x00428abe in yyparse () at y.tab.c:1827 #11 0x004285ab in parse_command () at eval.c:294 #12 0x00428392 in read_command () at eval.c:338 #13 0x00428091 in reader_loop () at eval.c:140 #14 0x004253bb in main (argc=3, argv=0x7fffe458, env=0x7
Bash parser infinite loop in yy_getc
The parser goes into an infinite loop with the following input: dualbus@debian:~/bash-fuzzing/bash-parser$ cat -v output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 for ((0funcM-^Nion;)); do :M->M-aM-RM->M->e& d^?^@e :; done&M-wd\\\cr$\osM-ac\\M-ac\\^\\M-]\^\\M-]\\\cr\^\\M-]\\\c'M-^?^ZM-a^@^P\^M-\SM-]\^O\HM-EsM-ac\\M-ac\\^\\M-]\^\\M-]\\\cr\^\\M-]\\\c'M-^?^ZM-a^@^P\^M-\\M-]\^O\H\^O\H\ dualbus@debian:~/bash-fuzzing/bash-parser$ base64 output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 Zm9yICgoMGZ1bmOOaW9uOykpOyBkbyA6vuHSvr5lJgpkfwBlIDo7IGRvbmUm92RcXFxjciRcb3Ph Y1xc4WNcXF5cXN1cXlxc3VxcXGNyXF5cXN1cXFxjJ/8a4QAQXF7cU91cXFxcXA9cSFxcXFzFc+Fj XFzhY1xcXlxc3VxeXFzdXFxcY3JcXlxc3VxcXGMn/xrhABBcXtxc3VxcXFxcD1xIXFxcXFwPXEhc dualbus@debian:~/bash-fuzzing/bash-parser$ md5sum output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 d68c7d167e171a2f42b6af52490eb2c8 output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 (gdb) r -n output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 Starting program: /home/dualbus/src/gnu/bash/bash -n output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4 output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4: line 1: syntax error: arithmetic expression required output/13/crashes/id:42,sig:11,src:005617,op:havoc,rep:4: line 1: syntax error: `((0func�ion;))' ^C Program received signal SIGINT, Interrupt. 0x776e8540 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84 84 ../sysdeps/unix/syscall-template.S: No such file or directory. (gdb) bt #0 0x776e8540 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84 #1 0x004e9393 in zread (fd=255, buf=0x829a08 "", len=171) at zread.c:56 #2 0x0048f8ec in b_fill_buffer (bp=0x828ec8) at input.c:499 #3 0x0048f76c in buffered_getchar () at input.c:563 #4 0x00431a8b in yy_getc () at ./parse.y:1389 #5 0x00432328 in shell_getc (remove_quoted_newline=1) at ./parse.y:2289 #6 0x00430bb7 in read_token (command=0) at ./parse.y:3138 #7 0x0042c14e in yylex () at ./parse.y:2675 #8 0x00428abe in yyparse () at y.tab.c:1827 #9 0x004285ab in parse_command () at eval.c:294 #10 0x00428392 in read_command () at eval.c:338 #11 0x00428091 in reader_loop () at eval.c:140 #12 0x004253bb in main (argc=3, argv=0x7fffe438, env=0x7fffe458) at shell.c:794
Bash read -r abort on `free: start and end chunk sizes differ'
(tested against the latest devel, i.e. May/8 push) dualbus@debian:~/src/gnu/bash$ git rev-parse HEAD af2a77fbbcf6e50edbc535eb3fd267bd3f4d1a14 dualbus@debian:~/bash-fuzzing/bash-read/read-r$ cat -v read_builtin 0M-lM-=M-=00M-| dualbus@debian:~/bash-fuzzing/bash-read/read-r$ base64 read_builtin MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDDsvb0wMPw= dualbus@debian:~/bash-fuzzing/bash-read/read-r$ md5sum read_builtin dd5d776c6dc83e57a64034bb6cfee574 read_builtin (gdb) r -c 'read -r < read_builtin' Starting program: /home/dualbus/src/gnu/bash/bash -c 'read -r < read_builtin' malloc: ./read.def:806: assertion botched malloc: 0x829f88: allocated: last allocated from ./read.def:361 free: start and end chunk sizes differ Aborting... Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x776413fa in __GI_abort () at abort.c:89 #2 0x0045c745 in programming_error (format=0x551e9b "free: start and end chunk sizes differ") at error.c:175 #3 0x005335c2 in xbotch (mem=0x829f88, e=8, s=0x551e9b "free: start and end chunk sizes differ", file=0x54c793 "./read.def", line=806) at malloc.c:329 #4 0x00532b6e in internal_free (mem=0x829f88, file=0x54c793 "./read.def", line=806, flags=1) at malloc.c:916 #5 0x00532888 in sh_free (mem=0x829f88, file=0x54c793 "./read.def", line=806) at malloc.c:1271 #6 0x004b811e in sh_xfree (string=0x829f88, file=0x54c793 "./read.def", line=806) at xmalloc.c:221 #7 0x004cc741 in read_builtin (list=0x0) at ./read.def:806 #8 0x0044efaf in execute_builtin (builtin=0x4cad80 , words=0x8297e8, flags=0, subshell=0) at execute_cmd.c:4605 #9 0x0044e3e0 in execute_builtin_or_function (words=0x8297e8, builtin=0x4cad80 , var=0x0, redirects=0x829988, fds_to_close=0x8299c8, flags=0) at execute_cmd.c:5103 #10 0x00447095 in execute_simple_command (simple_command=0x827f48, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x8299c8) at execute_cmd.c:4391 #11 0x00444b71 in execute_command_internal (command=0x827f08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x8299c8) at execute_cmd.c:812 #12 0x004c1fd7 in parse_and_execute (string=0x827b48 "read -r < read_builtin", from_file=0x535b6f "-c", flags=4) at evalstring.c:430 #13 0x004271af in run_one_command (command=0x7fffe6fc "read -r < read_builtin") at shell.c:1405 #14 0x004251fd in main (argc=3, argv=0x7fffe448, env=0x7fffe468) at shell.c:718
read -e allows execution of commands (edit-and-execute-command) as the shell's process user
I think `edit-and-execute-command' shouldn't be allowed under `read -e'. dualbus@debian:~$ cat prompt.sh #!/bin/bash declare -p UID EUID read -p '> ' -e declare -p REPLY dualbus@debian:~$ id -u 1000 dualbus@debian:~$ sudo ./prompt.sh declare -ir UID="0" declare -ir EUID="0" > id -u 0 > bye declare -- REPLY="bye" The user can protect against this specific problem with: dualbus@debian:~$ cat prompt.sh #!/bin/bash declare -p UID EUID VISUAL=: read -p '> ' -e declare -p REPLY Although I'm not sure. Perhaps it's better to just discourage the use of `read -e' if the input cannot be trusted. Since there are other problems inherent to this approach (enumerate files with glob-expand-word). The particular case where I think this could be a problem is in the situation where a system administrator allows a user to run a specific script (and that script only) with elevated privileges using sudo, and a malicious user abuses `edit-and-execute-command' to workaround the restriction.
Some readline functions can't be unbound with bind -u
dualbus@debian:~/src/gnu/bash$ for fn in edit-and-execute-command kill-line yank yank-pop; do echo $fn:; fn=$fn ./bash --noprofile --norc -ic 'bind -q $fn; bind -u $fn; bind -q $fn'|sed 's/^/ /'; done edit-and-execute-command: edit-and-execute-command can be invoked via "\C-x\C-e". edit-and-execute-command can be invoked via "\C-x\C-e". kill-line: kill-line can be invoked via "\C-k". kill-line is not bound to any keys. yank: yank can be invoked via "\C-y". yank is not bound to any keys. yank-pop: yank-pop can be invoked via "\ey". yank-pop can be invoked via "\ey". I was able to unbind edit-and-execute-command like this though: dualbus@debian:~/src/gnu/bash$ fn=edit-and-execute-command ./bash --noprofile --norc -ic 'bind -q $fn; bind -r "\C-x\C-e"; bind -q $fn' edit-and-execute-command can be invoked via "\C-x\C-e". edit-and-execute-command is not bound to any keys. Which leads me to think that the former is a bug.
read -e malloc assertion botched
This doesn't seem to be related to the other read memory corruption issues, since it doesn't crash normal read/read -r. dualbus@afl-bash-history-fncm:~$ md5sum malloc 0edd8a721e52362d0aeeb30bae22c4f5 malloc dualbus@afl-bash-history-fncm:~$ base64 malloc /TAw/wHw8DAw8DAwMDAw8PD19fUw9fX19fX1MP9//PX19fX1/PWAMAT1MDDr8PDqDzAwMDCA I patched read_builtin's -e to allow fuzzing from file: dualbus@afl-bash-history-fncm:/bash$ git diff -- builtins/ diff --git a/builtins/read.def b/builtins/read.def index 14da6a2f..bd636b0b 100644 --- a/builtins/read.def +++ b/builtins/read.def @@ -381,7 +381,7 @@ read_builtin (list) sync_buffered_stream (default_buffered_input); #endif - input_is_tty = isatty (fd); + input_is_tty = 1; if (input_is_tty == 0) #ifndef __CYGWIN__ input_is_pipe = (lseek (fd, 0L, SEEK_CUR) < 0) && (errno == ESPIPE); (gdb) r -c 'read -e < malloc' Starting program: /bash/bash -c 'read -e < malloc' ��00�0���0���0�0�00���0� malloc: ./read.def:612: assertion botched malloc: 0x90e108: allocated: last allocated from ./read.def:361 realloc: start and end chunk sizes differ Aborting... Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58 58 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58 #1 0x7761a37a in __GI_abort () at abort.c:89 #2 0x00487913 in programming_error (format=) at error.c:175 #3 0x005fe454 in xbotch (e=0, mem=, s=, file=, line=) at malloc.c:329 #4 internal_realloc (mem=, n=, file=0x6219de "./read.def", line=, flags=) at malloc.c:1036 #5 0x00524283 in sh_xrealloc (pointer=0x90e108, bytes=240, file=0x6219de "./read.def", line=612) at xmalloc.c:206 #6 0x00545afa in read_builtin (list=) at ./read.def:612 #7 0x0046bcad in execute_builtin (builtin=0x5440f0 , words=0x90bce8, flags=, subshell=0) at execute_cmd.c:4605 #8 0x004624d9 in execute_builtin_or_function (words=0x90bce8, builtin=0x5440f0 , var=0x0, redirects=0x90b3c8, fds_to_close=, flags=) at execute_cmd.c:5103 #9 execute_simple_command (simple_command=, pipe_in=-1, pipe_out=-1, async=, fds_to_close=) at execute_cmd.c:4391 #10 execute_command_internal (command=, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:812 #11 0x005348bd in parse_and_execute (string=, from_file=, flags=) at evalstring.c:430 #12 0x00429c84 in run_one_command (command=) at shell.c:1405 #13 0x00427e28 in main (argc=, argv=, env=) at shell.c:718
Re: Readline's `capitalize-word' / bash read -e issue with UTF-8 multibyte character
On 5/8/17 10:24 AM, Eduardo Bustamante wrote: > dualbus@debian:~$ LC_ALL=en_US.UTF-8 ~/src/gnu/bash/bash -c 'read -e; > declare -p REPLY' > Ñu > woops > declare -- REPLY="�w�u" > > I typed: <ñ><\C-a><\ec>... Thanks for the report. This is a genuine bug that people using the devel brach are likely to encounter when mixing read -e and multibyte chars. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/
Bash segmentation fault in bash_directory_completion_hook
I can't reproduce this one reliably, since it seems to depend on the
files present in the system. Please let me know what other information
you may need for this one.
dualbus@afl-bash-history-fncm:~$ md5sum
output/8/crashes/id:00,sig:11,src:001386+007877,op:splice,rep:8
415cbe0afff4b13b3134c78e0a750557
output/8/crashes/id:00,sig:11,src:001386+007877,op:splice,rep:8
dualbus@afl-bash-history-fncm:~$ base64
output/8/crashes/id:00,sig:11,src:001386+007877,op:splice,rep:8
MjIbMvqbfGJkf2jZAxtkUVFRUf38AJYEG/oAAPoCG1MkKHkO/yLgFBAbGxsoAKEUJHt7e3t73i76
lgEbe3t7e3veLvqWARsbGynoA1T/ARsZEAR7e3t7e3t7EJb8AHkO/yLgDBQQGxsbKAChAQCampqa
mpY8gBR/GxsZVPbe17hTJC2WIFMT+hob3i8Alf2WEBsbG/9///8ke3t7aXveLxQAAP//GyoA
ofECf//yG5AhJPowA1T/GxtvABsCG1MkKHkb/xr6QBSUAAQCG2QAG1QAQAAUl+2WEBsbGwrqdwAR
+nx8PYB/aNkDG2RRUVFR/fwAlgQbAhtdGxsfAIAUAACiEPwAlgQbAv1TGxUbABsbGVT//3//lgTe
lhR7+iADVP8bG1MkCnkb/xoMFJQABHv/e3t7+gwUlAAEe3t7e7/eERSWFBsbGyoAoRQCgAA2Gxs4
Gx8bGwT/7QU=
dualbus@afl-bash-history-fncm:~$ cat env
PATH=
VISUAL=:
EDITOR=:
bind -r "\C-x\C-e"
bind -q edit-and-execute-command
Core was generated by `/bash/bash -rc read -e'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x004a62b8 in skip_to_delim (string=0x234af96
"$(y\226\"\374\377\372${\340.\241/\375\226${{{i{\377\336/",
start=143,
delims=0x7fff20689bba ")", flags=257) at subst.c:1842
#2 0x0050caa7 in bash_directory_completion_hook
(dirname=) at bashline.c:3250
#3 0x005b1f66 in rl_filename_completion_function
(text=, state=) at complete.c:2506
#4 0x005b5297 in rl_completion_matches (
text=0x234ab08
"S{{\350\377y\226\"T\374\377\226{.{bash{_{history,logout},rc},cache,lesshst,profile,ssh,viminfo},env,input,malloc,output,parallel-afl.sh}\372.\226\336\062\062|bh\372\233\331\375$(y\226\"\374\377\372${\340.\241/\375\226${{{i{\377\336/\377",
, entry_function=0x5b1bc0
) at complete.c:2183
#5 0x005b3527 in gen_completion_matches (text=, start=, end=,
our_func=, found_quote=,
quote_char=) at complete.c:1226
#6 0x005addbc in rl_complete_internal (what_to_do=42) at
complete.c:2019
#7 0x0059e637 in _rl_dispatch_subseq (key=,
map=0x84aa00 , got_subseq=0) at readline.c:851
#8 0x0059ed3b in _rl_dispatch_subseq (key=,
map=, got_subseq=0) at readline.c:985
#9 0x0059d694 in _rl_dispatch (key=37007397, map=0x8f) at
readline.c:797
#10 readline_internal_char () at readline.c:629
#11 0x0059c5a0 in readline_internal_charloop () at readline.c:656
#12 readline_internal () at readline.c:670
#13 readline (prompt=) at readline.c:374
#14 0x005458b3 in edit_line (p=,
itext=) at ./read.def:1070
#15 read_builtin (list=) at ./read.def:550
#16 0x0046bcad in execute_builtin (builtin=0x5440f0
, words=0x22ec8a8, flags=, subshell=0)
at execute_cmd.c:4605
#17 0x004624d9 in execute_builtin_or_function
(words=0x22ec8a8, builtin=0x5440f0 , var=0x0,
redirects=0x0,
fds_to_close=, flags=) at execute_cmd.c:5103
#18 execute_simple_command (simple_command=,
pipe_in=-1, pipe_out=-1, async=,
fds_to_close=) at execute_cmd.c:4391
#19 execute_command_internal (command=,
asynchronous=, pipe_in=,
pipe_out=, fds_to_close=) at execute_cmd.c:812
#20 0x005348bd in parse_and_execute (string=,
from_file=, flags=)
at evalstring.c:430
#21 0x00429c84 in run_one_command (command=) at
shell.c:1405
#22 0x00427e28 in main (argc=, argv=, env=) at shell.c:718
(gdb) frame 2
#2 0x0050caa7 in bash_directory_completion_hook
(dirname=) at bashline.c:3250
3250 p = skip_to_delim (t, t - local_dirname + 1, delims,
SD_NOJMP|SD_COMPLETE);
(gdb) l
3245{
3246 int p;
3247 char delims[2];
3248
3249 delims[0] = closer; delims[1] = 0;
3250 p = skip_to_delim (t, t - local_dirname + 1, delims,
SD_NOJMP|SD_COMPLETE);
3251 if (t[p] != closer)
3252should_expand_dirname = 0;
3253}
3254}
(gdb) p t
$1 = 0x234af96 "$(y\226\"\374\377\372${\340.\241/\375\226${{{i{\377\336/"
(gdb) p local_dirname
$2 = 0x234af08
"S{{\350\377y\226\"T\374\377\226{.{bash{_{history,logout},rc},cache,lesshst,profile,ssh,viminfo},env,input,malloc,output,parallel-afl.sh}\372.\226\336\062\062|bh\372\233\331\375$(y\226\"\374\377\372${\340.\241/\375\226${{{i{\377\336/"
Re: Some readline functions can't be unbound with bind -u
On 5/8/17 2:18 PM, Eduardo Bustamante wrote: > dualbus@debian:~/src/gnu/bash$ for fn in edit-and-execute-command > kill-line yank yank-pop; do echo $fn:; fn=$fn ./bash --noprofile > --norc -ic 'bind -q $fn; bind -u $fn; bind -q $fn'|sed 's/^/ /'; done > edit-and-execute-command: > edit-and-execute-command can be invoked via "\C-x\C-e". > edit-and-execute-command can be invoked via "\C-x\C-e". This is more of a documentation problem. Unless you use the `-m' option, the commands act on the current keymap, which is either `emacs' or (usually) `vi-insert'. The man page isn't clear on that. Using 'bind -u -m emacs-ctlx edit-and-execute-command' works. Similarly for 'bind -u -m emacs-meta yank-pop'. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/
Re: read -e allows execution of commands (edit-and-execute-command) as the shell's process user
On 5/8/17 1:31 PM, Eduardo Bustamante wrote: > I think `edit-and-execute-command' shouldn't be allowed under `read -e'. There's no compelling reason to disallow it. If a system administrator wants to unbind certain readline commands (and unset INPUTRC!) to protect against a specific use case, he is free to do that. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/
bash-4.2.53: HISTSIZE=-1 causes segfault on startup
Configuration Information [Automatically generated, do not change]: Machine: x86_64 OS: linux-gnu Compiler: gcc -I/home/abuild/rpmbuild/BUILD/bash-4.2 -L/home/abuild/rpmbuild/BUILD/bash-4.2/../readline-6.2 Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-suse-linux-gnu' -DCONF_VENDOR='suse' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_GNU_SOURCE -DRECYCLES_PIDS -Wall -g -Wuninitialized -Wextra -Wno-unprototyped-calls -Wno-switch-enum -Wno-unused-variable -Wno-unused-parameter -ftree-loop-linear -pipe -DBNC382214=0 -DIMPORT_FUNCTIONS_DEF=0 -fprofile-use uname output: Linux harbinger 4.1.38-50-default #1 SMP PREEMPT Sun Feb 19 14:35:48 UTC 2017 (6b4d8cb) x86_64 x86_64 x86_64 GNU/Linux Machine Type: x86_64-suse-linux-gnu Bash Version: 4.2 Patch Level: 53 Release Status: release Description: Bash 4.3 introduced "-1" for unlimited history. Starting bash 4.2 with HISTSIZE=-1 in ~/.bashrc causes a segmentation fault (assuming you have a ~/.bash_history with at least one entry). This can easily happen if several systems (with different bash versions) mount the same home directory. Repeat-By: $ cat > poc-bashrc <
Re: bash-4.2.53: HISTSIZE=-1 causes segfault on startup
On 5/8/17 4:29 PM, tob...@ryara.net wrote: > Bash Version: 4.2 > Patch Level: 53 > Release Status: release > > Description: > Bash 4.3 introduced "-1" for unlimited history. > > Starting bash 4.2 with HISTSIZE=-1 in ~/.bashrc causes a segmentation > fault (assuming you have a ~/.bash_history with at least one entry). > This can easily happen if several systems (with different bash > versions) mount the same home directory. Thanks for the report. Bash-4.2 was released in 2011, is two versions old, and is no longer supported. If you want a workaround that should work in bash-4.2 and bash-4.3, try using some large number (people have used ) for HISTSIZE, giving you effectively unlimited history. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/
Re: read -e allows execution of commands (edit-and-execute-command) as the shell's process user
On Mon, May 8, 2017 at 3:09 PM, Chet Ramey wrote: > There's no compelling reason to disallow it. If a system administrator > wants to unbind certain readline commands (and unset INPUTRC!) to protect > against a specific use case, he is free to do that. I agree. I changed my mind after sending that email. I still think it would be prudent to mention this in the docs somewhere. Perhaps a section on "security notes" in the manual/reference? or a mention in the FAQ? Similar to sudo's manual page: - http://manpages.ubuntu.com/manpages/xenial/man8/sudo.8.html#contenttoc5 - http://manpages.ubuntu.com/manpages/xenial/man8/sudo.8.html#contenttoc12 I couldn't find any decent reference online that mentions a few of the "traps" that bash has in regards to secure programming (e.g. "don't evaluate user supplied input in arithmetical contexts without sanitizing!", "be careful with SHELLOPTS/xtrace/PS4!", "don't use read -e unless you trust the user supplying the info or know how to plug the holes", "don't evaluate user supplied regular expressions!") And... I just realized this was discussed before here: https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00098.html IMO, just having it documented somewhere is good enough.
