
Use-After-Free in Bash

Path: csiph.com!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail
From: Corbin Souffrant <corbin.souffrant@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Use-After-Free in Bash
Date: Tue, 30 Oct 2018 12:31:52 -0700
Lines: 16
Approved: bug-bash@gnu.org
Message-ID: <mailman.3125.1540929667.1284.bug-bash@gnu.org>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: usenet.stanford.edu 1540929667 17555 208.118.235.17 (30 Oct 2018 20:01:07 GMT)
X-Complaints-To: action@cs.stanford.edu
To: bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=sDf+0n0TDhmLTcIKayjF1orwTJ2uGwP9GkDg/mxpuwQ=; b=AaAQ/grviMnWUS/9+JTUeXYs2HBW4Aiys4VMy0MFOJlSgZZfh9EeXqzCkgfdXbGWUX RJa6LFl0ZXRQRM3dHYOQ73MReEwYZrEB7Oas+1VO4i7M33RnkEBLuRvcxYgYYKbs+uzq gOGSlnLh5kmSZEtRvI41tqQpg8uuaTR8zpROSz0hrzygnK9VnoyLSMYhMp7qRlnRVyqC CAum/HRKaTlivKdLC29QEpG0os3ru0dn9cqS+tuD1CZnB6MrXaX3I3e2CT+scTUlHXi7 ox5eTe2/8icWZYjSbuYtDL0yZ6DeqTmsKXDV2zRElo2GjEYDDSgpIR0hWRmbrXI9208v OlxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=sDf+0n0TDhmLTcIKayjF1orwTJ2uGwP9GkDg/mxpuwQ=; b=oJ5ibQNk6BerfmtDPKa/OKbc+hfwmL3T0Yz6GtWSAnExoUpfcS0ln0YZvI23XGrFOv EDMG4rM0GlSbYv24X+qDQdViPuqLxIyQX9uZsKU/UoRobGwDQgFpxlq4v78KGY449dL+ RrPgbou5tzRZ7AQjGlpc+s7lXGriTvRA7XepGqK4bh6fgu+WPfK1UhK0ATKfwU/I9Kpy j1P8fmnOLWnDDSrg6VriuzXB8Y8/cVE/yDUL6DaUS6WekEII+v4TF40T4QbiSxT9rfrg tzBIOdR2C+2D/zjzd2tKr/5JHlCriNsTwZq55mudX6ZtgU214javeNF5enCNqAuVjrTV 9KWA==
X-Gm-Message-State: AGRZ1gKWYmLdfXlTCbQwqLubEpOL2L+khIj71TlFSHy+yreHk5hGPORW p5szBxXSa7orGSak9ELdUlTwPq+6xwbDRaYlyttPmg==
X-Google-Smtp-Source: AJdET5eFT5psxvF5X1dQfy5SNcVV3BtyEaCVUVUAnYiiXUXyQ4QBflpQXLvND2BEz3f789S2+pxT+rUq6YRyv0HqOTo=
X-Received: by 2002:a9d:3387:: with SMTP id u7mr22685otc.81.1540927970071; Tue, 30 Oct 2018 12:32:50 -0700 (PDT)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From: 2607:f8b0:4864:20::329
X-Mailman-Approved-At: Tue, 30 Oct 2018 16:01:06 -0400
X-Content-Filtered-By: Mailman/MimeDel 2.1.21
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash/>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:14747


Hello,

I found a reproducible use-after-free in every version of Bash from
4.4-5.0beta, that could potentially be used to escape restricted mode. I
say potentially, because I can get it to crash in restricted mode, but I
haven't gone through the effort of attempting to heap spray to overwrite
function pointers.

I read in previous threads that you don't consider most crashes in Bash to
be security issues, but before I posted something to the public mailing
list, I wanted to be sure that this was the correct place to do so. If not,
who should I email? I have a writeup, with repro and patch that I think
should work. :)

Thanks!
Corbin Souffrant
