Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #16685
| Path | csiph.com!goblin2!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Jakub Wilk <jwilk@jwilk.net> |
| Newsgroups | gnu.bash.bug |
| Subject | bash -n: stack overflow in extract_delimited_string() |
| Date | Mon, 3 Aug 2020 11:30:55 +0200 |
| Lines | 46 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.649.1596447072.2739.bug-bash@gnu.org> (permalink) |
| References | <20200803093054.gu6fmxi4eqi7hz45@jwilk.net> |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="us-ascii"; format=flowed |
| X-Trace | usenet.stanford.edu 1596447073 7424 209.51.188.17 (3 Aug 2020 09:31:13 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | <bug-bash@gnu.org> |
| Envelope-to | bug-bash@gnu.org |
| Authentication-Results | garm.ovh; auth=pass (GARM-98R0029d915bbd-06a4-478d-bb26-1dd5610cbecc, F40D6CC01FD9521AEE478BEB1506047368CCBD5F) smtp.auth=jwilk@jwilk.net |
| Content-Disposition | inline |
| User-Agent | NeoMutt/20180716 |
| X-Originating-IP | [37.59.142.98] |
| X-ClientProxiedBy | DAG6EX2.mxp6.local (172.16.2.52) To DAG4EX2.mxp6.local (172.16.2.32) |
| X-Ovh-Tracer-GUID | d8fefa57-c4dc-4426-93c1-db7d7406b682 |
| X-Ovh-Tracer-Id | 15659015906717652759 |
| X-VR-SPAMSTATE | OK |
| X-VR-SPAMSCORE | 0 |
| X-VR-SPAMCAUSE | gggruggvucftvghtrhhoucdtuddrgeduiedrjeeggddujecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhepfffhvffukfggtggufghisehttdertddtredvnecuhfhrohhmpeflrghkuhgsucghihhlkhcuoehjfihilhhksehjfihilhhkrdhnvghtqeenucggtffrrghtthgvrhhnpeetheduueeuhedttdejiefhlefgfeeiveefhfdtledtffffveegtdfgfeegffeuheenucfkpheptddrtddrtddrtddpfeejrdehledrudegvddrleeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhpqdhouhhtpdhhvghlohepmhigphhlrghniedrmhgrihhlrdhovhhhrdhnvghtpdhinhgvtheptddrtddrtddrtddpmhgrihhlfhhrohhmpehjfihilhhksehjfihilhhkrdhnvghtpdhrtghpthhtohepsghughdqsggrshhhsehgnhhurdhorhhg |
| Received-SPF | pass client-ip=79.137.123.220; envelope-from=jwilk@jwilk.net; helo=smtpout1.mo804.mail-out.ovh.net |
| X-detected-operating-system | by eggs.gnu.org: First seen = 2020/08/03 05:30:57 |
| X-ACL-Warn | Detected OS = Linux 3.11 and newer |
| X-Spam_score_int | -28 |
| X-Spam_score | -2.9 |
| X-Spam_bar | -- |
| X-Spam_report | (-2.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no |
| X-Spam_action | no action |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.23 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <https://lists.gnu.org/archive/html/bug-bash> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <20200803093054.gu6fmxi4eqi7hz45@jwilk.net> |
| Xref | csiph.com gnu.bash.bug:16685 |
Show key headers only | View raw
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -Wno-parentheses -Wno-format-security
uname output: Linux debian 4.19.0-9-cloud-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.0
Patch Level: 18
Release Status: release
bash crashes with stack overflow when checking syntax of this crafted script:
$ ulimit -s
8192
$ printf 'x[$(($(fi)))`\n%050000d\n][`]\n' | tr 0 '(' | bash -n
bash: command substitution: line 4: syntax error near unexpected token `fi'
bash: command substitution: line 4: `fi)))`'
Segmentation fault
Backtrace:
#0 0x000056084f0c841c in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a0fc, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1326
#1 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a1ac, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
#2 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a25c, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
...
#47577 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e9662c, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
#47578 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e966dc, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
#47579 0x000056084f0c8c02 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e9676c, opener=opener@entry=0x56084f14bc30 "$(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1410
#47580 0x000056084f0c917b in skip_matched_pair (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., start=<optimized out>, flags=flags@entry=0, close=93, open=91) at subst.c:1799
#47581 0x000056084f0ca485 in skipsubscript (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., start=<optimized out>, flags=flags@entry=0) at subst.c:1827
#47582 0x000056084f0a62be in assignment (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., flags=0) at general.c:440
#47583 0x000056084f0a034c in read_token_word (character=10) at /usr/homes/chet/src/bash/src/parse.y:5305
#47584 read_token (command=<optimized out>) at /usr/homes/chet/src/bash/src/parse.y:3445
#47585 read_token (command=0) at /usr/homes/chet/src/bash/src/parse.y:3202
#47586 0x000056084f0a2698 in yylex () at /usr/homes/chet/src/bash/src/parse.y:2761
#47587 yyparse () at y.tab.c:1842
#47588 0x000056084f098486 in parse_command () at eval.c:303
#47589 0x000056084f0985a4 in read_command () at eval.c:347
#47590 0x000056084f0987b8 in reader_loop () at eval.c:143
#47591 0x000056084f09715d in main (argc=2, argv=0x7ffde7e979a8, env=0x7ffde7e979c0) at shell.c:805
--
Jakub Wilk
Back to gnu.bash.bug | Previous | Next | Find similar
bash -n: stack overflow in extract_delimited_string() Jakub Wilk <jwilk@jwilk.net> - 2020-08-03 11:30 +0200
csiph-web