| Path | csiph.com!goblin2!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Koichi Murase <myoga.murase@gmail.com> |
| Newsgroups | gnu.bash.bug |
| Subject | [PATCH] `bind -x' inside `bind -x' bindings causes execution of random strings |
| Date | Fri, 4 May 2018 00:27:29 +0900 |
| Message-ID | <mailman.13355.1525361254.27995.bug-bash@gnu.org> (permalink) |
| To | bug-bash@gnu.org |
[Multipart message — attachments visible in raw view]
Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i686'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu'
-DCONF_VENDOR='pc'
-DLOCALEDIR='/home/murase/opt/bash-4.4.19/share/locale' -DPACKAGE=\
'bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -O2
-march=native -Wno-parentheses -Wno-format-security
uname output: Linux padparadscha 4.13.13-100.fc25.i686 #1 SMP Wed Nov
15 18:24:19 UTC 2017 i686 i686 i386 GNU/Linux
Machine Type: i686-pc-linux-gnu
Bash Version: 4.4
Patch Level: 19
Release Status: release
Description:

After calls of `bind -x' inside functions called via `bind -x',
random strings are executed as a command.

This happens in the following way: When the binding is overwritten
using `bind -x' inside the function called through `bind -x' bindings,
the original string registered for the binding is deallocated although
it is still under evaluation. Then the memory block will be allocated
for other purposes and the content will be rewritten. Finally the new
data written to the memory block is evaluated.

Repeat-By:

The following example is a minimal example that reproduces the problem.

    $ bash-4.4 --norc
    $ f1() { bind -x '"\C-t": f1'; }; f1

After this, on typing `C-t', a random string is executed as a
command string and produces error messages like:

    bash-4.4: $'\317\003': command not found

At least all the versions from Bash 4.0 to Bash 4.4 have the same
problem. I haven't checked for Bash 3.2 or older versions.

Fix:

Maybe the usage in the above example seems useless to some people,
but it's just a reduced example. In my complex scripts I do need to
rebind key bindings in `bind -x' functions. I attach a patch for devel
branch to allow safe `bind -x' inside the function called through
`bind -x' bindings.

Also the execution of random memory contents can generally be a
security issue although I'm not sure if this problem can really be
used for attacks. Basically the content written to the deallocated
strings is not under control, but it's difficult to ensure that there
is no way for other users to control the content. So maybe it's better
to apply this fix also to older versions of Bash.

Best regards,
Koichi
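
A reduced C model of the lifetime problem described in the report above, added here as an illustration; it is not bash source and not the attached patch. The `slot` structure and every function name are hypothetical, and evaluating a private copy of the command string is an assumed remedy, not necessarily the one the patch uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not bash source: one key slot that owns its command string. */
static struct binding { char *cmd; unsigned gen; } slot;  /* gen counts rebinds */
static char *dupstr(const char *s) {          /* portable strdup */
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Models `bind -x`: install a new command and free the previous string. */
static void rebind(const char *cmd) {
    free(slot.cmd);
    slot.cmd = dupstr(cmd);
    slot.gen++;
}

/* Stand-in for the shell function run by the key; "f1" rebinds its own key. */
static void run_command(const char *cmd) {
    if (cmd && strcmp(cmd, "f1") == 0) rebind("f1");
}

/* Hazardous: evaluates the slot's own string; returns 1 if it was freed mid-evaluation. */
int dispatch_borrowed(void) {
    const char *cmd = slot.cmd;
    unsigned before = slot.gen;
    run_command(cmd);                 /* on a rebind, cmd dangles from here on */
    return slot.gen != before;        /* cmd is deliberately not read again */
}

/* Defensive: evaluates a private copy; stores it in out, returns 0 (or -1 on failure). */
int dispatch_copied(char *out, size_t outlen) {
    char *cmd = slot.cmd ? dupstr(slot.cmd) : NULL;
    if (cmd == NULL) return -1;
    run_command(cmd);                 /* may free slot.cmd; cmd stays valid */
    snprintf(out, outlen, "%s", cmd);
    free(cmd);
    return 0;
}

int main(void) {
    char seen[16];
    rebind("f1");
    printf("freed during evaluation: %d\n", dispatch_borrowed());
    if (dispatch_copied(seen, sizeof seen) == 0) printf("evaluated copy: %s\n", seen);
    free(slot.cmd);
    return 0;
}
```

Building the model with AddressSanitizer and adding a read of `cmd` after `run_command` in `dispatch_borrowed` makes the use-after-free visible as a sanitizer report instead of as garbage output.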