From: Koichi Murase
Newsgroups: gnu.bash.bug
To: bug-bash@gnu.org
Subject: [PATCH] `bind -x' inside `bind -x' bindings causes execution of random strings
Date: Fri, 4 May 2018 00:27:29 +0900
Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/home/murase/opt/bash-4.4.19/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -O2 -march=native -Wno-parentheses -Wno-format-security
uname output: Linux padparadscha 4.13.13-100.fc25.i686 #1 SMP Wed Nov 15 18:24:19 UTC 2017 i686 i686 i386 GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

Description:
        After `bind -x' is called inside a function that was itself
        invoked through a `bind -x' binding, random strings are executed
        as commands.

        This happens in the following way: when the binding is
        overwritten with `bind -x' inside a function called through a
        `bind -x' binding, the string originally registered for the
        binding is deallocated although it is still being evaluated.
        The freed memory block is then allocated for other purposes and
        its content is overwritten. Finally, the new data written to
        that memory block is evaluated as the command.

Repeat-By:
        The following minimal example reproduces the problem:

          $ bash-4.4 --norc
          $ f1() { bind -x '"\C-t": f1'; }; f1

        After this, typing `C-t' executes a random string as a command
        and produces error messages like:

          bash-4.4: $'\317\003': command not found

        At least all the versions from Bash 4.0 to Bash 4.4 have the
        same problem. I haven't checked Bash 3.2 or older versions.

Fix:
        Maybe the usage in the above example seems useless to some
        people, but it's just a reduced example. In my complex scripts I
        do need to rebind key bindings in `bind -x' functions. I attach
        a patch for the devel branch that makes `bind -x' safe inside a
        function called through a `bind -x' binding.

        Also, executing random memory contents can generally be a
        security issue, although I'm not sure whether this problem can
        really be used for attacks. Basically the content written to the
        deallocated string is not under anyone's control, but it's
        difficult to ensure that there is no way for another user to
        control that content. So it may be better to apply this fix to
        older versions of Bash as well.
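To make the ownership change in the attached patch concrete, here is an added C model that is not bash's own code: bind_x, execute_bound, bound_command, last_command and the toy parse_and_execute are constructed stand-ins for `bind -x', bash_execute_unix_command and bash's parse_and_execute. The bound command rebinds its own key while it is running, as f1 does above, and evaluating a private copy (the role savestring plays in the patch) is what keeps the text valid until the command finishes.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of readline's key-binding table: slot -> heap string. */
#define MAX_KEYS 8
static char *bindings[MAX_KEYS];
static char last_executed[64];    /* what the toy interpreter last ran */

/* Model of `bind -x': replaces the bound string and frees the old one.
   If this runs from inside execute_bound(), the old string is exactly the
   one being evaluated, unless the caller took a private copy first. */
void bind_x(int key, const char *cmd)
{
    free(bindings[key]);
    bindings[key] = strdup(cmd);
}

const char *bound_command(int key) { return bindings[key]; }
const char *last_command(void) { return last_executed; }

/* Toy parse_and_execute(): the only command it understands is
   "rebind KEY CMD", which rebinds from inside the running command just as
   f1 in the report does. Without SEVAL_NOFREE it owns and frees `string`. */
static void parse_and_execute(char *string)
{
    int key;
    char newcmd[32];
    strncpy(last_executed, string, sizeof last_executed - 1);
    last_executed[sizeof last_executed - 1] = '\0';
    if (sscanf(string, "rebind %d %31s", &key, newcmd) == 2
        && key >= 0 && key < MAX_KEYS)
        bind_x(key, newcmd);        /* frees bindings[key] mid-evaluation */
    free(string);                   /* the private copy dies here, not earlier */
}

/* Patched shape of bash_execute_unix_command(): evaluate a private copy so
   a nested bind_x() cannot free the text under us. The unpatched code passed
   bindings[key] itself (flagged NOFREE) and kept reading it after the nested
   rebind had freed it. */
int execute_bound(int key)
{
    const char *cmd = (key >= 0 && key < MAX_KEYS) ? bindings[key] : NULL;
    if (cmd == NULL)
        return -1;                  /* nothing bound to this key */
    parse_and_execute(strdup(cmd)); /* strdup plays the role of savestring */
    return 0;
}
```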
Best regards,
Koichi

[Attachment: 0001-fix-a-bug-that-random-commands-are-executed-after-bi.patch]

From fb7cc02fc1ca8a096ec6fff0dc0a11b880eabe9f Mon Sep 17 00:00:00 2001
From: Koichi Murase <myoga.murase@gmail.com>
Date: Mon, 16 Apr 2018 23:50:13 +0900
Subject: [PATCH] fix a bug that random commands are executed after "bind" in a
 "bind -x" function

---
 bashline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bashline.c b/bashline.c
index 91d4446..e800c7c 100644
--- a/bashline.c
+++ b/bashline.c
@@ -4147,7 +4147,7 @@ bash_execute_unix_command (count, key)
   array_needs_making = 1;
 
   save_parser_state (&ps);
-  r = parse_and_execute (cmd, "bash_execute_unix_command", SEVAL_NOHIST|SEVAL_NOFREE);
+  r = parse_and_execute (savestring (cmd), "bash_execute_unix_command", SEVAL_NOHIST);
   restore_parser_state (&ps);
 
   v = find_variable ("READLINE_LINE");
-- 
2.9.5
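Review bot: the one-line change in bash_execute_unix_command carries no comment saying why the bound string is now copied, so a later cleanup could plausibly revert it to passing `cmd` with SEVAL_NOFREE and reintroduce the use-after-free; suggest a short comment above the call, e.g. `/* cmd may be freed by a `bind -x' run from inside the command; evaluate a private copy. */`. Dropping SEVAL_NOFREE hands ownership of the savestring copy to parse_and_execute, so the copy must be freed there on every exit path, including a longjmp out of the command; that invariant belongs in the commit message. The Repeat-By recipe from the report is a ready-made regression test for the test suite, so that any future change to how bound commands are evaluated hits this case.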