From: Greg Wooledge
Newsgroups: gnu.bash.bug
Subject: Re: 4-byte script triggers null ptr deref and segfault
Date: Thu, 17 Sep 2015 13:20:17 -0400
To: Brian Carpenter
Cc: bug-bash@gnu.org
Xref: csiph.com gnu.bash.bug:11497

On Thu, Sep 17, 2015 at 11:50:44AM -0500, Brian Carpenter wrote:
> While fuzzing GNU bash version 4.3.42(1)-release
> (x86_64-unknown-linux-gnu) with AFL (http://lcamtuf.coredump.cx/afl), I
> stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a
> segfault.
>
> https://savannah.gnu.org/support/index.php?108885

Well, that's an annoying web-to-mail interface.  It didn't include the
full bug report?

The web page says the hexdump of the attached script is 3b21 2620, which
I would normally interpret as `;!& '.  But the attached script itself is
actually `!; &'.  Apparently the hex dump tool in question is doing some
sort of 16-bit grouping with little endian byte swapping.

After getting the correct content into the script, I can reproduce this
on HP-UX in 4.3.39:

imadev:~$ printf '!; &' > x
imadev:~$ bash x
Segmentation fault (core dumped)
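The byte-swap confusion in the reply above comes from the default output format of `hexdump`: with no format flags it prints a 7-digit octal offset followed by 16-bit words in host byte order, so on a little-endian machine the word `3b21` stands for the bytes `0x21 0x3b`. The following Python decoder is an added example, not part of the original message or of bash; it turns such a dump back into the original bytes (handy when a bug report ships a crash file only as a dump), and it goes slightly beyond the post by also handling `hexdump`'s `*` marker for repeated lines and an odd trailing byte. The sample dump is the one quoted in the report; the other inputs in the usage block are constructed.

```python
import re
import struct

# Constructed sample: what `hexdump` (default format) prints for the 4-byte
# crash file from the report, bytes 0x21 0x3b 0x20 0x26, i.e. "!; &".
SAMPLE_DUMP = "0000000 3b21 2620\n0000004\n"

# A data line: octal offset, then zero or more 4-hex-digit words.
# The final line of a dump carries only the total length and no words.
LINE_RE = re.compile(r"^([0-7]+)((?:\s+[0-9a-fA-F]{4})*)\s*$")


def _parse_lines(dump: str):
    """Yield (offset, [word, ...]) for each data line; '*' lines are skipped."""
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            # hexdump's default offsets are octal, not hex
            yield int(m.group(1), 8), m.group(2).split()


def naive_reading(dump: str) -> bytes:
    """Read the hex digits left to right as bytes: the tempting but wrong
    interpretation (gives ';!& ' for the sample instead of '!; &')."""
    digits = "".join(w for _, words in _parse_lines(dump) for w in words)
    return bytes.fromhex(digits)


def decode_hexdump_words(dump: str) -> bytes:
    """Recover the original bytes from hexdump's default (16-bit word) output.

    Each word is unpacked as a little-endian uint16, which restores the byte
    order the tool swapped on display.  A '*' line means the previous line
    repeated up to the next printed offset, so the gap is filled by copying
    that line.  An odd trailing byte is shown as a word with a zero high
    byte, so the data is trimmed to the length given on the final line.
    """
    data = bytearray()
    last_line = b""
    total = None
    for offset, words in _parse_lines(dump):
        # Fill a gap left by a '*' marker with copies of the previous line.
        while last_line and len(data) < offset:
            data += last_line
        if not words:
            total = offset  # trailing line: just the file length
            continue
        last_line = b"".join(struct.pack("<H", int(w, 16)) for w in words)
        data += last_line
    if total is not None:
        del data[total:]
    return bytes(data)


if __name__ == "__main__":
    print("naive :", naive_reading(SAMPLE_DUMP))          # b';!& '
    print("actual:", decode_hexdump_words(SAMPLE_DUMP))   # b'!; &'
    # Constructed dump of a 3-byte file "abc": note the zero-padded last word.
    print(decode_hexdump_words("0000000 6261 0063\n0000003\n"))
    # Constructed dump of 48 'A' bytes followed by one 'B', with a '*' line.
    repeat = ("0000000 4141 4141 4141 4141 4141 4141 4141 4141\n"
              "*\n0000060 0042\n0000061\n")
    print(decode_hexdump_words(repeat))
```

The short answer for triage is to ask reporters for `hexdump -C` (or `xxd`) output, which prints single bytes in file order, or better, the attachment itself; but when only a default-format dump is available, decoding the words little-endian as above reproduces the exact file that crashed the fuzzed binary.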