Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 Aug 2016 13:57:28 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Read out-of-bounds parsing bash code in GNU Bash 4.3

Hi,

We recently found a read out-of-bounds parsing bash code in GNU Bash
4.3. I tested this issue in Ubuntu 14.04.3 (x86_64) but other
configurations could be affected. To reproduce:

1. Recompile bash with ASAN:

  $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g
-ggdb"  LDFLAGS="-fsanitize=address"
  $ make

(using valgrind will *not* expose this issue)

2. Execute:

$ echo 5RzxHp0o0qmZ | base64 -d | ./bash -n

==27143== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60040000b8b4 at pc 0x5614be bp 0x7fffffffcad0 sp 0x7fffffffcac8
READ of size 4 at 0x60040000b8b4 thread T0
...

Using gdb we can obtain a clear backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o
el directorio.
(gdb) bt
#0  0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d704 in __asan_report_load4 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00000000005614be in ansic_wshouldquote (string=0x60040000b8d0
"ҩ\231") at strtrans.c:317
#8  0x000000000056152d in ansic_shouldquote (string=0x60040000b8d0
"ҩ\231") at strtrans.c:344
#9  0x0000000000440192 in report_syntax_error (message=0x0) at
/usr/src/local/bash/bash-4.3-patched/parse.y:5763
#10 0x000000000043f7ed in yyerror (msg=0x5bb440 "syntax error") at
/usr/src/local/bash/bash-4.3-patched/parse.y:5637
#11 0x000000000042cecd in yyparse () at y.tab.c:3417
#12 0x0000000000423440 in parse_command () at eval.c:238
#13 0x0000000000423547 in read_command () at eval.c:282
#14 0x00000000004231aa in reader_loop () at eval.c:145
#15 0x000000000041f03c in main (argc=3, argv=0x7fffffffdfa8,
env=0x7fffffffdfc8) at shell.c:755

This issue was found using QuickFuzz. Please assign a CVE if suitable.

Regards,
Gustavo.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.