Re: 4-byte script triggers null ptr deref and segfault

From Greg Wooledge <wooledg@eeg.ccf.org>
Newsgroups gnu.bash.bug
Subject Re: 4-byte script triggers null ptr deref and segfault
Date 2015-09-17 13:20 -0400
Message-ID <mailman.1332.1442510425.19560.bug-bash@gnu.org> (permalink)
References <CANMVOuxZHorUcwPC2eKZ+cokFjsQLvJ7tw1V_xBnGoTG=z2cSQ@mail.gmail.com>

On Thu, Sep 17, 2015 at 11:50:44AM -0500, Brian Carpenter wrote:
> While fuzzing GNU bash version 4.3.42(1)-release
> (x86_64-unknown-linux-gnu) with AFL(http://lcamtuf.coredump.cx/afl), I
> stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a
> segfault.
> 
> https://savannah.gnu.org/support/index.php?108885

Well, that's an annoying web-to-mail interface.  It didn't include the
full bug report?

The web page says the hexdump of the attached script is 3b21 2620
which I would normally interpret as `;!& '.

But the attached script itself is actually `!; &'.  Apparently the
hex dump tool in question is doing some sort of 16-bit grouping with
little endian byte swapping.

After getting the correct content into the script, I can reproduce
this on HP-UX in 4.3.39:

imadev:~$ printf '!; &' > x
imadev:~$ bash x
Segmentation fault (core dumped)
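The byte-order confusion above comes from two different hexdump conventions: `od -x` prints 16-bit words in host byte order (so on a little-endian machine the first byte of the file lands in the low half of the word and is printed second), while `xxd` or `hexdump -C` print hex digits in file order. The following is an added example, not code from the thread or from bash, that decodes and renders both conventions so the dump `3b21 2620` can be checked against the actual script contents. The handling of an odd trailing byte (a lone two-digit token) is an assumption for completeness; the report only shows even-length data.

```python
"""Decode and render the two common hexdump conventions.

Added example (not part of the bug-bash thread): it shows why the dump
"3b21 2620" corresponds to the bytes `!; &` and not `;!& `.
"""


def decode_od_x(dump: str) -> bytes:
    """Decode an `od -x` style dump from a little-endian host.

    Each four-digit token is a 16-bit word; the low byte of the word is the
    first byte in the file. A lone two-digit token is treated as a single
    trailing byte (assumption; the report only shows even-length data).
    """
    out = bytearray()
    for token in dump.split():
        if len(token) == 4:
            word = int(token, 16)
            out.append(word & 0xFF)   # low byte: first in the file
            out.append(word >> 8)     # high byte: second in the file
        elif len(token) == 2:
            out.append(int(token, 16))
        else:
            raise ValueError(f"unexpected hexdump token {token!r}")
    return bytes(out)


def decode_bytewise(dump: str) -> bytes:
    """Decode an `xxd` / `hexdump -C` style dump: digits are in file order."""
    return bytes.fromhex("".join(dump.split()))


def render_od_x(data: bytes) -> str:
    """Render bytes the way `od -x` does on a little-endian machine."""
    words = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        if len(chunk) == 2:
            words.append(f"{int.from_bytes(chunk, 'little'):04x}")
        else:
            words.append(f"{chunk[0]:02x}")  # lone trailing byte (assumption)
    return " ".join(words)


def render_bytewise(data: bytes, group: int = 2) -> str:
    """Render bytes in file order, grouped like `xxd -g2`."""
    hexdigits = data.hex()
    step = group * 2
    return " ".join(hexdigits[i:i + step] for i in range(0, len(hexdigits), step))


if __name__ == "__main__":
    # Constructed input: the word-wise dump quoted from the bug report.
    dump = "3b21 2620"
    print("as od -x words   :", decode_od_x(dump))      # b'!; &'
    print("as file-order hex:", decode_bytewise(dump))  # b';!& '
    print("od -x of !; &    :", render_od_x(b"!; &"))    # 3b21 2620
    print("xxd of !; &      :", render_bytewise(b"!; &"))  # 213b 2026
```

When a report quotes a hexdump without naming the tool, rendering the suspected bytes both ways and comparing against the quoted dump is a quick way to tell which convention was used before trying to reproduce a crash.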
