Path: csiph.com!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail
From: Corbin Souffrant
Newsgroups: gnu.bash.bug
Subject: Use-After-Free in Bash
Date: Tue, 30 Oct 2018 12:31:52 -0700
Lines: 16
Approved: bug-bash@gnu.org
Message-ID:
NNTP-Posting-Host: lists.gnu.org
To: bug-bash@gnu.org
X-Mailman-Approved-At: Tue, 30 Oct 2018 16:01:06 -0400
List-Id: Bug reports for the GNU Bourne Again SHell
Xref: csiph.com gnu.bash.bug:14747

Hello,

I found a reproducible use-after-free in every version of Bash from 4.4-5.0beta that could potentially be used to escape restricted mode. I say potentially because I can get it to crash in restricted mode, but I haven't gone through the effort of attempting to heap spray to overwrite function pointers.

I read in previous threads that you don't consider most crashes in Bash to be security issues, but before I posted something to the public mailing list, I wanted to be sure that this was the correct place to do so. If not, who should I email?

I have a writeup, with repro and patch, that I think should work. :)

Thanks!
Corbin Souffrant