asan report in bash_add_history
./bash --norc -in <<<$'\\\n.' bashhist.c:899:8: runtime error: addition of unsigned offset to 0x00010700d190 overflowed to 0x00010700d18f ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010700d18f at pc 0x0001045fe1b8 bp 0x00016bb1f350 sp 0x00016bb1f348 READ of size 1 at 0x00010700d18f thread T0 frame #5: 0x0001045fe1b8 bash`bash_add_history(line=".") at bashhist.c:899:8 frame #6: 0x0001045fd0c8 bash`maybe_add_history(line=".") at bashhist.c:759:2 frame #7: 0x0001045fca34 bash`pre_process_line(line=".", print_changes=1, addit=1) at bashhist.c:628:5 frame #8: 0x00010432df50 bash`shell_getc(remove_quoted_newline=1) at parse.y:2508:17 frame #9: 0x00010432786c bash`read_token(command=0) at parse.y:3432:23 (lldb) fr s 5 frame #5: 0x0001045fe1b8 bash`bash_add_history(line=".") at bashhist.c:899:8 896 curlen = strlen (current->line); 897 898 if (dstack.delimiter_depth == 0 && current->line[curlen - 1] == '\\' && -> 899 current->line[curlen - 2] != '\\') 900 { 901 current->line[curlen - 1] = '\0'; 902 curlen--; (lldb) fr v current->line curlen (char *) current->line = 0x00010700d190 "\\" (size_t) curlen = 1
asan report in spname
happens when attempting spell-correct-word on an empty line ./bash --norc -in <<<$'\030s' ERROR: AddressSanitizer: heap-buffer-overflow on address 0x000102e0d0d1 at pc 0x0001004ccf64 bp 0x00016fdf0e30 sp 0x00016fdf0e28 READ of size 1 at 0x000102e0d0d1 thread T0 frame #5: 0x0001004ccf64 bash`spname(oldname="", newname="") at spell.c:78:8 frame #6: 0x0001004cde0c bash`dirspell(dirname="") at spell.c:195:11 frame #7: 0x000100335a10 bash`bash_spell_correct_shellword(count=1, key=115) at bashline.c:1348:16 frame #8: 0x0001004fe830 bash`_rl_dispatch_subseq(key=115, map=0x0001007e0360, got_subseq=0) at readline.c:922:8 frame #9: 0x0001005009dc bash`_rl_dispatch_subseq(key=24, map=0x0001007ddb20, got_subseq=0) at readline.c:1068:8 frame #10: 0x0001004fc434 bash`_rl_dispatch(key=24, map=0x0001007ddb20) at readline.c:866:10 (lldb) fr s 5 frame #5: 0x0001004ccf64 bash`spname(oldname="", newname="") at spell.c:78:8 75 if (*op == '\0') /* Exact or corrected */ 76 { 77 /* `.' is rarely the right thing. */ -> 78 if (oldname[1] == '\0' && newname[1] == '\0' && 79 oldname[0] != '.' && newname[0] == '.') 80 return -1; 81 return strcmp(oldname, newname) != 0; (lldb) fr v oldname (char *) oldname = 0x000102e0d0d0 ""
asan report+fix in sh_mkdoublequoted
mkdir -p /tmp/bin >'/tmp/bin/$' chmod +x '/tmp/bin/$' PATH=/tmp/bin ./bash --norc -in <<<$'\e*' ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0001039a9913 at pc 0x0001004d57b4 bp 0x00016fdf1350 sp 0x00016fdf1348 WRITE of size 1 at 0x0001039a9913 thread T0 frame #5: 0x0001004d57b4 bash`sh_mkdoublequoted(s="", slen=1, flags=1) at shquote.c:211:6 frame #6: 0x0001003410e4 bash`bash_quote_filename(s="$", rtype=1, qcp="") at bashline.c:4301:15 frame #7: 0x000100554b30 bash`make_quoted_replacement(match="$", mtype=1, qc="") at complete.c:1797:16 frame #8: 0x000100549aec bash`insert_all_matches(matches=0x000106600200, point=0, qc="") at complete.c:1945:9 frame #9: 0x00010053c63c bash`rl_complete_internal(what_to_do=42) at complete.c:2144:7 frame #10: 0x00010053d450 bash`rl_insert_completions(ignore=1, invoking_key=42) at complete.c:466:11 frame #5: 0x0001004d57b4 bash`sh_mkdoublequoted(s="", slen=1, flags=1) at shquote.c:211:6 208 *r++ = *s++; 209 } 210 *r++ = '"'; -> 211 *r = '\0'; 212 213 return ret; 214 } (lldb) fr v ret rlen (char *) ret = 0x0001039a9910 "\"$\"" (size_t) rlen = 3
diff --git a/lib/sh/shquote.c b/lib/sh/shquote.c
index a27b9202..98b3d927 100644
--- a/lib/sh/shquote.c
+++ b/lib/sh/shquote.c
@@ -188,7 +188,7 @@ sh_mkdoublequoted (const char *s, size_t slen, int flags)
 send = s + slen;
 mb_cur_max = flags ? MB_CUR_MAX : 1;
- rlen = (flags == 0) ? slen + 3 : (2 * slen) + 1;
+ rlen = (flags == 0) ? slen + 3 : (2 * slen) + 3;
 ret = r = (char *)xmalloc (rlen);
 *r++ = '"';
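Review bot: The corrected size on the `+` line is left unexplained, and the two arms of the conditional account for the output differently, so the next reader has to re-derive why the non-zero-flags arm needs `+ 3`; a comment on that line would pin it down: `/* open quote + close quote + NUL, plus room for a backslash before every input byte when flags != 0 */`. The report above shows why the old `+ 1` was short: with slen = 1 it gave rlen = 3 while the debugger shows three characters in ret and the terminator written at shquote.c:211, one byte past the allocation. The escaping loop is not in the hunk, so the "at most one extra byte per input byte" bound is inferred from the 2 * slen term rather than visible here; the comment should be checked against that loop. The enclosing function sh_mkdoublequoted starts and ends outside the hunk.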
Re: Vulnerability Report(UI Redressing)
Chet Ramey writes: > Why would you feel you're entitled to a reward? Because they're trying to take advantage of other people. This particular person also left another report for a missing SPF record to this same website and attempted to extort them out of money as well. Rather poor behavior on their part, and I say that knowing that these reports aren't made in good faith. I know several people who have received these reports, often with the same formatting and syntax, overexaggerating the risk of having an improper SPF record or missing DKIM records. I, quite frankly, am tired of hearing about them, and ironically these reports can give a bad impression on security researchers who do truly want to report issues but may, for instance, link a course they teach in their signature. Quite the impact these "reports" leave. I have no issue with informing a website owner that they could be vulnerable to clickjacking and the sort, but 1. the Bash Hackers Wiki is not at a serious risk for what Maaz is describing and 2. trying to make money off of a non-issue is extortion.
Re: Vulnerability Report(UI Redressing)
On 3/7/23 1:49 PM, Elijah Conners wrote: Chet Ramey writes: Why would you feel you're entitled to a reward? Because they're trying to take advantage of other people. Exactly. I just want him to admit it, even if he doesn't do it in so many words. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/