| Path | csiph.com!xmission!news.glorb.com!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Pádraig Brady <P@draigBrady.com> |
| Newsgroups | gnu.bash.bug |
| Subject | Re: 4-byte script triggers null ptr deref and segfault |
| Date | Thu, 17 Sep 2015 19:01:23 +0100 |
| Lines | 28 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.1333.1442513503.19560.bug-bash@gnu.org> (permalink) |
| References | <CANMVOuxZHorUcwPC2eKZ+cokFjsQLvJ7tw1V_xBnGoTG=z2cSQ@mail.gmail.com> <20150917172017.GC25574@eeg.ccf.org> |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=windows-1252 |
| Content-Transfer-Encoding | 7bit |
| X-Trace | usenet.stanford.edu 1442513504 2565 208.118.235.17 (17 Sep 2015 18:11:44 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | bug-bash@gnu.org |
| To | Greg Wooledge <wooledg@eeg.ccf.org>, Brian Carpenter <brian.carpenter@gmail.com> |
| Envelope-to | bug-bash@gnu.org |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 |
| In-Reply-To | <20150917172017.GC25574@eeg.ccf.org> |
| X-Scanned-By | MIMEDefang 2.68 on 10.5.11.26 |
| X-detected-operating-system | by eggs.gnu.org: GNU/Linux 3.x |
| X-Received-From | 209.132.183.28 |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.14 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <http://lists.gnu.org/archive/html/bug-bash> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| Xref | csiph.com gnu.bash.bug:11498 |
On 17/09/15 18:20, Greg Wooledge wrote:
> On Thu, Sep 17, 2015 at 11:50:44AM -0500, Brian Carpenter wrote:
>> While fuzzing GNU bash version 4.3.42(1)-release
>> (x86_64-unknown-linux-gnu) with AFL(http://lcamtuf.coredump.cx/afl), I
>> stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a
>> segfault.
>>
>> https://savannah.gnu.org/support/index.php?108885
>
> Well, that's an annoying web-to-mail interface.  It didn't include the
> full bug report?
>
> The web page says the hexdump of the attached script is 3b21 2620
> which I would normally interpret as `;!& '.
>
> But the attached script itself is actually `!; &'.  Apparently the
> hex dump tool in question is doing some sort of 16-bit grouping with
> little endian byte swapping.
>
> After getting the correct content into the script, I can reproduce
> this on HP-UX in 4.3.39:
>
> imadev:~$ printf '!; &' > x
> imadev:~$ bash x
> Segmentation fault (core dumped)

FWIW _not_ reproduced with bash-4.3.39-1.fc22.x86_64
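The byte-order mix-up described in the quoted text, as an added example that is not part of the original message: a small decoder that rebuilds a test case from a listing of 16-bit hex words, so a crash reported as a word dump can be reproduced byte-exactly during triage. The function name `words_to_bytes`, the hex offset column (as in default `hexdump` output) and the odd-length sample listing are assumptions made for illustration.

```python
import re

OFFSET = re.compile(r"[0-9a-fA-F]{7,}")   # offset column, assumed hexadecimal
WORD = re.compile(r"[0-9a-fA-F]{4}")      # one 16-bit word


def words_to_bytes(dump: str, byteorder: str = "little") -> bytes:
    """Rebuild the byte stream from a listing of 16-bit hex words.

    Accepts bare words ("3b21 2620") or lines with a leading offset column.
    A final offset-only line gives the true length, which matters when the
    original file had an odd number of bytes and the last word was padded.
    """
    out = bytearray()
    length = None
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        if OFFSET.fullmatch(fields[0]):
            if len(fields) == 1:          # trailing offset-only line
                length = int(fields[0], 16)
                continue
            fields = fields[1:]           # drop the offset column
        for word in fields:
            if not WORD.fullmatch(word):
                raise ValueError(f"not a 16-bit hex word: {word!r}")
            out += int(word, 16).to_bytes(2, byteorder)
    return bytes(out if length is None else out[:length])


# Words as quoted from the web page in the message above.
WEB_PAGE_WORDS = "3b21 2620"

# Constructed sample: a 3-byte file shown as padded 16-bit words.
ODD_LENGTH_LISTING = """\
0000000 3b21 0020
0000003
"""

if __name__ == "__main__":
    print("word-swapped (little endian):", words_to_bytes(WEB_PAGE_WORDS))
    print("read left to right (big endian):", words_to_bytes(WEB_PAGE_WORDS, "big"))
    print("odd-length listing:", words_to_bytes(ODD_LENGTH_LISTING))
```

Requesting a byte-wise dump (for example `od -An -tx1` or `hexdump -C`) when filing or triaging a report avoids the ambiguity altogether.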