
Bug#879060: marked as done (ksh -n: out-of-bounds read in sfstack())



Your message dated Tue, 24 Sep 2019 11:42:26 -0400
with message-id <29137336ee81b724664fb3aff5c686083adb3256.camel@debian.org>
and subject line Re: ksh -n: out-of-bounds read in sfstack()
has caused the Debian Bug report #879060,
regarding ksh -n: out-of-bounds read in sfstack()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
879060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879060
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ksh
Version: 93u+20120801-3.1

ksh crashes when checking syntax of some scripts, for example:

  $ ksh -n -c ' N() { N() { '
  ksh: syntax error at line 1: `{' unmatched
  Segmentation fault

GDB says:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x56667049 in sfstack (f1=<optimized out>, f2=0x567293d4 <_Dtoset>) at ./src/lib/libast/sfio/sfstack.c:85
  85              if(f2->pool && f2->pool != &_Sfpool && f2 != f2->pool->sf[0])
  (gdb) print f2->pool->sf[0]
  Cannot access memory at address 0x28212
  (gdb) bt
  #0  0x56667049 in sfstack (f1=<optimized out>, f2=0x567293d4 <_Dtoset>) at ./src/lib/libast/sfio/sfstack.c:85
  #1  0x5665d651 in sfclose (f=0xf7ee9e18) at ./src/lib/libast/sfio/sfclose.c:54
  #2  0x5663dc99 in stkclose (stream=0xf7ee9e18) at ./src/lib/libast/misc/stk.c:317
  #3  0x565e1815 in funct (lexp=lexp@entry=0xf7ee08e8) at ./src/cmd/ksh93/sh/parse.c:915
  #4  0x565e2c55 in simple (lexp=lexp@entry=0xf7ee08e8, flag=0, flag@entry=133, io=io@entry=0x0) at ./src/cmd/ksh93/sh/parse.c:1544
  #5  0x565e2d44 in item (lexp=lexp@entry=0xf7ee08e8, flag=flag@entry=133) at ./src/cmd/ksh93/sh/parse.c:1354
  #6  0x565e3d04 in term (lexp=0xf7ee08e8, flag=132) at ./src/cmd/ksh93/sh/parse.c:577
  #7  0x565e3ee2 in list (flag=132, lexp=0xf7ee08e8) at ./src/cmd/ksh93/sh/parse.c:547
  #8  sh_cmd (lexp=lexp@entry=0xf7ee08e8, sym=sym@entry=10, flag=132) at ./src/cmd/ksh93/sh/parse.c:497
  #9  0x565e42c7 in sh_parse (shp=0x5672afa0 <sh>, iop=0xf7eedaf8, flag=0) at ./src/cmd/ksh93/sh/parse.c:386
  #10 0x5659e773 in exfile ()
  #11 0x5659dad6 in sh_main ()
  #12 0x5659caf9 in main (argc=4, argv=0xff8e73f4) at ./src/cmd/ksh93/sh/pmain.c:45


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages ksh depends on:
ii  libc6           2.24-17
ii  binfmt-support  2.1.8-1

--
Jakub Wilk

--- End Message ---
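The reproducer above is a one-liner, and the thing worth keeping from this report is the distinction it exposes: an interpreter asked to syntax-check a script is expected to reject bad input with a normal non-zero exit status, not to die from a signal. The following harness is an added example, not part of the bug report or of ksh; it turns that distinction into a check that can be re-run against an installed ksh after an upgrade (the closing message reports the crash gone in 2020.0.0~beta1-1). `fake_crashing_ksh` is a constructed stand-in that kills itself with SIGSEGV so the crash branch can be exercised without the affected build; everything else uses only `-n -c` as in the report.

```shell
#!/bin/sh
# Added example, not part of bug #879060 or of ksh: a regression check that
# distinguishes "the interpreter rejected the script" from "the interpreter
# crashed while rejecting it", which is the difference between expected
# behaviour and the sfstack() out-of-bounds read above.

# Run a command with its output discarded and print its exit status.
# A process killed by a signal reports 128+signo, so >128 means a crash.
exit_status_of() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    printf '%s\n' "$status"
}

# Syntax-check a script with "<interpreter> -n -c <script>" and print one
# of: "accepted", "syntax error (exit N)", "crash (signal N)".
classify_syntax_check() {
    interp=$1
    script=$2
    status=$(exit_status_of "$interp" -n -c "$script")
    if [ "$status" -gt 128 ]; then
        printf 'crash (signal %s)\n' "$((status - 128))"
    elif [ "$status" -ne 0 ]; then
        printf 'syntax error (exit %s)\n' "$status"
    else
        printf 'accepted\n'
    fi
}

# Constructed stand-in for a crashing interpreter (it is not ksh): it
# ignores its arguments and kills itself with SIGSEGV, so the crash branch
# can be exercised on a machine without the affected ksh build.
fake_crashing_ksh() {
    sh -c 'kill -s SEGV $$'
}

# The reproducer from the report; it should be rejected, never crash.
REPRO=' N() { N() { '

# Demonstration on the stock /bin/sh and on the stand-in. Replace "sh"
# with "ksh" to check an installed ksh package.
classify_syntax_check sh 'f() { echo ok; }'
classify_syntax_check sh "$REPRO"
classify_syntax_check fake_crashing_ksh "$REPRO"
```

Only the first word of the result matters for a pass/fail decision: "syntax error" is the correct outcome for the reproducer, "crash" means the parser is still walking freed or out-of-bounds stack memory before it reports the unmatched brace. AFL-found inputs like this one are cheap to keep as a permanent test corpus precisely because the check needs no ksh-specific knowledge, just the exit status convention.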
--- Begin Message ---
Version: 2020.0.0~beta1-1

Seems that this bug is gone in the new 2020 version.

Thanks,
Boyuan Yang

On Wed, 18 Oct 2017 21:52:43 +0200 Jakub Wilk <jwilk@jwilk.net> wrote:
> Package: ksh
> Version: 93u+20120801-3.1
> 
> ksh crashes when checking syntax of some scripts, for example:
> 
>    $ ksh -n -c ' N() { N() { '
>    ksh: syntax error at line 1: `{' unmatched
>    Segmentation fault
> 
> GDB says:
> 
>    Program terminated with signal SIGSEGV, Segmentation fault.
>    #0  0x56667049 in sfstack (f1=<optimized out>, f2=0x567293d4 <_Dtoset>) at ./src/lib/libast/sfio/sfstack.c:85
>    85              if(f2->pool && f2->pool != &_Sfpool && f2 != f2->pool->sf[0])
>    (gdb) print f2->pool->sf[0]
>    Cannot access memory at address 0x28212
>    (gdb) bt
>    #0  0x56667049 in sfstack (f1=<optimized out>, f2=0x567293d4 <_Dtoset>) at ./src/lib/libast/sfio/sfstack.c:85
>    #1  0x5665d651 in sfclose (f=0xf7ee9e18) at ./src/lib/libast/sfio/sfclose.c:54
>    #2  0x5663dc99 in stkclose (stream=0xf7ee9e18) at ./src/lib/libast/misc/stk.c:317
>    #3  0x565e1815 in funct (lexp=lexp@entry=0xf7ee08e8) at ./src/cmd/ksh93/sh/parse.c:915
>    #4  0x565e2c55 in simple (lexp=lexp@entry=0xf7ee08e8, flag=0, flag@entry=133, io=io@entry=0x0) at ./src/cmd/ksh93/sh/parse.c:1544
>    #5  0x565e2d44 in item (lexp=lexp@entry=0xf7ee08e8, flag=flag@entry=133) at ./src/cmd/ksh93/sh/parse.c:1354
>    #6  0x565e3d04 in term (lexp=0xf7ee08e8, flag=132) at ./src/cmd/ksh93/sh/parse.c:577
>    #7  0x565e3ee2 in list (flag=132, lexp=0xf7ee08e8) at ./src/cmd/ksh93/sh/parse.c:547
>    #8  sh_cmd (lexp=lexp@entry=0xf7ee08e8, sym=sym@entry=10, flag=132) at ./src/cmd/ksh93/sh/parse.c:497
>    #9  0x565e42c7 in sh_parse (shp=0x5672afa0 <sh>, iop=0xf7eedaf8, flag=0) at ./src/cmd/ksh93/sh/parse.c:386
>    #10 0x5659e773 in exfile ()
>    #11 0x5659dad6 in sh_main ()
>    #12 0x5659caf9 in main (argc=4, argv=0xff8e73f4) at ./src/cmd/ksh93/sh/pmain.c:45
> 
> 
> Found using American Fuzzy Lop:
> http://lcamtuf.coredump.cx/afl/
> 
> -- System Information:
> Architecture: i386
> 
> Versions of packages ksh depends on:
> ii  libc6           2.24-17
> ii  binfmt-support  2.1.8-1
> 
> -- 
> Jakub Wilk
> 
> 


--- End Message ---
