Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 8 Aug 2016 09:06:00 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Read out-of-bounds parsing bash code in GNU Bash 4.3

Another read out-of-bounds was found but in the token_is_assignment
function. Backtrace is here:

==15811== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60640001b6f0 at pc 0x438bb1 bp 0x7fffffffca00 sp 0x7fffffffc9f8
READ of size 1 at 0x60640001b6f0 thread T0
...
==15811== ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o
el directorio.
(gdb) bt
#0  0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d6a4 in __asan_report_load1 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x0000000000438bb1 in token_is_assignment (
    t=0x60640001a500
"a[\"${#a[@...]}\"][\"${#a[@...]}\"]=~a[\"${#a[@...]}\"\"${#a[@..."]=~a[\"${#a[@..."]=~a[\"${#a[@...]}\"][\"${#a[@...]}\"]=~a[\"${#a[@...]}\"\"${#a[@..."]=~a[\"${#a[@..."]=~a[\"${#a[@...]}\"][\"${#a[@...]}\"]=~a[\"${#a[@...]}\""...,
i=4591)
    at /usr/src/local/bash/bash-4.3-patched/parse.y:4449
#8  0x000000000043ad9c in read_token_word (character=61) at
/usr/src/local/bash/bash-4.3-patched/parse.y:4753
#9  0x00000000004327ed in read_token (command=0) at
/usr/src/local/bash/bash-4.3-patched/parse.y:3217
#10 0x0000000000430a06 in yylex () at
/usr/src/local/bash/bash-4.3-patched/parse.y:2637
#11 0x0000000000423ba7 in yyparse () at y.tab.c:2020
#12 0x0000000000423440 in parse_command () at eval.c:238
#13 0x0000000000423547 in read_command () at eval.c:282
#14 0x00000000004231aa in reader_loop () at eval.c:145
#15 0x000000000041f03c in main (argc=2, argv=0x7fffffffdfe8,
env=0x7fffffffe000) at shell.c:755


A test case to reproduce this issue is attached (also parsing a bash
file as the previous one). Please assign a CVE if suitable.


Regards,
Gustavo.

2016-08-05 13:57 GMT-03:00 Gustavo Grieco <gustavo.grieco@...il.com>:
> Hi,
>
> We recently found a read out-of-bounds parsing bash code in GNU Bash
> 4.3. I tested this issue in Ubuntu 14.04.3 (x86_64) but other
> configurations could be affected. To reproduce:
>
> 1. Recompile bash with ASAN:
>
>   $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g
> -ggdb"  LDFLAGS="-fsanitize=address"
>   $ make
>
> (using valgrind will *not* expose this issue)
>
> 2. Execute:
>
> $ echo 5RzxHp0o0qmZ | base64 -d | ./bash -n
>
> ==27143== ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60040000b8b4 at pc 0x5614be bp 0x7fffffffcad0 sp 0x7fffffffcac8
> READ of size 4 at 0x60040000b8b4 thread T0
> ...
>
> Using gdb we can obtain a clear backtrace:
>
> Program received signal SIGABRT, Aborted.
> 0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> 56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el archivo o
> el directorio.
> (gdb) bt
> #0  0x00007ffff468fcc9 in __GI_raise (sig=sig@...ry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007ffff46930d8 in __GI_abort () at abort.c:89
> #2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
> #3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
> #4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
> #5  0x00007ffff4e63121 in __asan_report_error () from
> /usr/lib/x86_64-linux-gnu/libasan.so.0
> #6  0x00007ffff4e5d704 in __asan_report_load4 () from
> /usr/lib/x86_64-linux-gnu/libasan.so.0
> #7  0x00000000005614be in ansic_wshouldquote (string=0x60040000b8d0
> "ҩ\231") at strtrans.c:317
> #8  0x000000000056152d in ansic_shouldquote (string=0x60040000b8d0
> "ҩ\231") at strtrans.c:344
> #9  0x0000000000440192 in report_syntax_error (message=0x0) at
> /usr/src/local/bash/bash-4.3-patched/parse.y:5763
> #10 0x000000000043f7ed in yyerror (msg=0x5bb440 "syntax error") at
> /usr/src/local/bash/bash-4.3-patched/parse.y:5637
> #11 0x000000000042cecd in yyparse () at y.tab.c:3417
> #12 0x0000000000423440 in parse_command () at eval.c:238
> #13 0x0000000000423547 in read_command () at eval.c:282
> #14 0x00000000004231aa in reader_loop () at eval.c:145
> #15 0x000000000041f03c in main (argc=3, argv=0x7fffffffdfa8,
> env=0x7fffffffdfc8) at shell.c:755
>
> This issue was found using QuickFuzz. Please assign a CVE if suitable.
>
> Regards,
> Gustavo.

Download attachment "token_is_assignement.sh" of type "application/x-sh" (25624 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ