
Re: ksh / CVE-2019-14868



I meant to include this test run:

(stretch-amd64-default)root@silverfish:/home/brian# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' /usr/bin/ksh 
Segmentation fault
DANGER WILL ROBINSON

As in no echo command is required.


Below is the full stack trace of the segfault (recompiled without the
strip=0 option).

(stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# ulimit -c unlimited
(stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' /usr/bin/ksh
DANGER WILL ROBINSON
Segmentation fault (core dumped)
(stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# ls core
core
(stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# gdb /usr/bin/ksh core                                              
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ksh...Reading symbols from /usr/lib/debug/.build-id/5f/77fa7b40ec10980eebf65a2ba1cebac53d8894.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 15788]
Core was generated by `/usr/bin/ksh'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  job_alloc () at ./src/cmd/ksh93/sh/jobs.c:1871
1871    ./src/cmd/ksh93/sh/jobs.c: No such file or directory.
(gdb) bt
#0  job_alloc () at ./src/cmd/ksh93/sh/jobs.c:1871
#1  job_post (shp=0x56772fa0 <sh>, pid=15789, join=<optimized out>) at ./src/cmd/ksh93/sh/jobs.c:1353
#2  0x5663b25a in _sh_fork (shp=0x56772fa0 <sh>, parent=15789, flags=0, jobid=0xffa15798) at ./src/cmd/ksh93/sh/xec.c:3142
#3  0x5663bcc2 in sh_ntfork (shp=shp@entry=0x56772fa0 <sh>, argv=0xf7caf334, jobid=0xffa15798, flag=<optimized out>, t=<optimized out>, t=<optimized out>) at ./src/cmd/ksh93/sh/xec.c:4034
#4  0x56640ed7 in sh_exec (t=<optimized out>, flags=<optimized out>) at ./src/cmd/ksh93/sh/xec.c:1686
#5  0x56638291 in sh_subshell (shp=0x56772fa0 <sh>, t=0xf7caf298, flags=<optimized out>, comsub=1) at ./src/cmd/ksh93/sh/subshell.c:625
#6  0x56619654 in comsubst (mp=0xf7cb1880, t=<optimized out>, t@entry=0x0, type=type@entry=1) at ./src/cmd/ksh93/sh/macro.c:2135
#7  0x56615af7 in varsub (mp=mp@entry=0xf7cb1880) at ./src/cmd/ksh93/sh/macro.c:1168
#8  0x56618d14 in copyto (mp=mp@entry=0xf7cb1880, endch=endch@entry=0, newquote=<optimized out>) at ./src/cmd/ksh93/sh/macro.c:633
#9  0x56619108 in sh_mactrim (shp=0x56772fa0 <sh>, str=0xf7cb1034 "[$(/bin/echo DANGER WILL ROBINSON >&2)0]", mode=0) at ./src/cmd/ksh93/sh/macro.c:183
#10 0x565ef8d7 in scope (np=0xf7cbb390, lvalue=lvalue@entry=0xffa16598, assign=assign@entry=0) at ./src/cmd/ksh93/sh/arith.c:161
#11 0x565f0288 in arith (ptr=0xffa16594, lvalue=0xffa16598, type=2, n=<optimized out>) at ./src/cmd/ksh93/sh/arith.c:444
#12 0x56634bd2 in arith_exec (ep=0xf7caf248) at ./src/cmd/ksh93/sh/streval.c:249
#13 0x56636441 in strval (shp=0x56772fa0 <sh>, s=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", end=0xffa16778, conv=0x565eff40 <arith>, emode=1) at ./src/cmd/ksh93/sh/streval.c:964
#14 0x565ef560 in sh_strnum (str=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", ptr=0x0, mode=1) at ./src/cmd/ksh93/sh/arith.c:525
#15 0x565f0e70 in sh_arith (shp=0x56772fa0 <sh>, str=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]") at ./src/cmd/ksh93/sh/arith.c:538
#16 0x5661d0ae in nv_putval (np=0xf7cb0bf4, string=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", flags=0) at ./src/cmd/ksh93/sh/name.c:1783
#17 0x566015ed in env_init (shp=0x56772fa0 <sh>) at ./src/cmd/ksh93/sh/init.c:2036
#18 sh_init (argc=1, argv=0xffa18a74, userinit=0x0) at ./src/cmd/ksh93/sh/init.c:1380
#19 0x565e4da6 in sh_main ()
#20 0x565e4af9 in main (argc=1, argv=0xffa18a74) at ./src/cmd/ksh93/sh/pmain.c:45


I am guessing this segfault might be because we are attempting to access
job.freejobs[x] before job.freejobs has been initialised because we
weren't expecting to run jobs yet.

Yes, this appears to be the case:

/*
 * initialize the shell
 */
Shell_t *sh_init(register int argc,register char *argv[], Shinit_f userinit)      
{
[...]
    env_init(shp);   /* function that causes the error */
[...]
    /* initialize jobs table */
    job_clear();
[...]
}
--
Brian May <bam@debian.org>
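The trace above shows the env-imported SHLVL value being handed to sh_arith() from env_init(), with the command substitution inside the array subscript running before job_clear() has set up the job table. A practical mitigation on a host where ksh is started from a wrapper with a partly untrusted environment is to refuse anything but a plain decimal integer in SHLVL before exec'ing the shell. The following POSIX sh validator is an added example written for this note, not code from the original message or from the ksh93 project; the function names, the wrapper, and the /usr/bin/ksh path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original message or the ksh93 source).
# ksh93 evaluates some imported environment variables, SHLVL among them,
# as arithmetic at startup. The report above shows that a value of the form
#   2#11+x[$(cmd)0]
# reaches sh_arith() via env_init() before the job table is initialised.
# Before exec'ing ksh from a context whose environment is not fully trusted,
# coerce such variables to a plain non-negative decimal integer.

# is_plain_int VALUE -> exit status 0 iff VALUE is one or more ASCII digits
is_plain_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# sanitize_shlvl VALUE -> prints VALUE unchanged if it is a plain integer,
# otherwise prints "0" so ksh sees a harmless nesting level
sanitize_shlvl() {
    if is_plain_int "$1"; then
        printf '%s\n' "$1"
    else
        printf '0\n'
    fi
}

# run_ksh_sanitized [ARGS...] -> exec ksh with SHLVL validated first.
# The interpreter path is an assumption; adjust it for the host.
run_ksh_sanitized() {
    SHLVL=$(sanitize_shlvl "${SHLVL-0}")
    export SHLVL
    exec /usr/bin/ksh "$@"
}
```

The validator deliberately rejects signs, whitespace and the base prefix syntax (2#...) rather than trying to parse ksh arithmetic; any variable that the shell will treat as an expression at startup should get the same whitelist treatment.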

