-DSYS_BASHRC flag causes segfault on OpenBSD

[cybertailor]

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: openbsd6.8
Compiler: tested with GCC and Clang
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='openbsd6.8' -DCONF_MACHTYPE='x86_64-pc-openbsd6.8' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/home/sysrq/bash2/usr/share/locale' 
-DPACKAGE='bash' -DSHELL  -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib 
-I./lib/intl -I/home/sysrq/bash/bash-build/bash-4.2/lib/intl 
-DSYS_BASHRC='/home/sysrq/bash2/etc/bash/bashrc' -g -O2
uname output: OpenBSD tilde.institute 6.8 GENERIC.MP#4 amd64
Machine Type: x86_64-pc-openbsd6.8

Bash Version: 4.2 through 5.1
Patch Level: 0
Release Status: release

Description:
It doesn't matter how SYS_BASHRC is named or whether it exists or not. 
ALways segfaults.

Backtrace:
#0  bash_tilde_expand (s=0x73687263 , 
assign_p=0) at general.c:990
#1  0x0e7d0d1edbc7 in maybe_execute_file (fname=Variable "fname" is 
not available.) at evalfile.c:308
#2  0x0e7d0d19e889 in run_startup_files () at shell.c:1110
#3  0x0e7d0d19ff48 in main (argc=1, argv=0x7f7c19a8, 
env=0x7f7c19b8) at shell.c:649

Repeat-By:
1. export CPPFLAGS="-DSYS_BASHRC='/home/sysrq/bash2/etc/bash/bashrc'"
2. ./configure && make && make install
3. Run "bash"

Re: -DSYS_BASHRC flag causes segfault on OpenBSD

[Andreas Schwab]

On Jun 03 2022, Anna (cybertailor) Vyalkova wrote:

>   1. export CPPFLAGS="-DSYS_BASHRC='/home/sysrq/bash2/etc/bash/bashrc'"

SYS_BASHRC must be a string, not a multi-character constant.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Re: BASH recursion segfault, FUNCNEST doesn't help

[Ángel]

On 2022-06-02 at 20:00 +, Gergely wrote:
> Well, the issue is not the fact that this is a resource exhaustion,
> but rather the fact that it's entirely OS-dependent and the
> programmer has zero control over it.

The programmer could have avoided creating an infinite source file
recursion.

I don't think it would be hard to add a SOURCENEST limit, but I find it
would mostly help to catch programming errors, not as a normal
exceptional case for a valid program that the programmer should be
expecting.
Can you provide an example where a sensible program would need to
source a large chain of files sourcing one another or even recursively 
sourcing themselves?

I cannot think of a good use case for that. Someone might choose to do
"recursive file programming", but that would come with the need to
avoid infinite recursion, somehow.
For a normal programmer which simply has two library functions
requiring one another, a simple "#ifndef X / #define X" pattern is easy
to produce by adding at the top something like
 > if [ "$LIBRARY_FOO_INCLUDED" = 1 ]; then return; fi; 
> LIBRARY_FOO_INCLUDED=1.


A case for a program that needs to create hundreds of files sourcing one 
another.
And there is little you could do to recover other than abruptly
terminating the program. It would just be able to provide a nicer error
message.

I don't think it's even a vulnerability since the number of included
files would need to be controlled by the attacker (but only the
*number* of sourced files, if he also controlled the contents, he would
already be able to execute its own code).
Note that the fact you may get the crash to happen on different
functions doesn't really matter here, since it's really an out of
memory.
You may produce similar results by changing the value of ulimit -s


Regards