Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #11362
| From | Dan Douglas <ormaaj@gmail.com> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: Integer Overflow in braces |
| Date | 2015-08-18 07:54 -0500 |
| Message-ID | <mailman.8513.1439902519.904.bug-bash@gnu.org> (permalink) |
| References | <CABq52TYThGj9OtBn3xTti5scmA=WdnS7ULw3G6GMayPK6WR0+w@mail.gmail.com> <CABq52TbKZCK8ci5ra_N4pfVB3jXGCdf-ZCG=k35c+_fVehfzFg@mail.gmail.com> <55D26B26.2060008@redhat.com> |
[Multipart message — attachments visible in raw view] - view raw
On Monday, August 17, 2015 04:15:50 PM Eric Blake wrote:
> On 08/17/2015 09:58 AM, Pasha K wrote:
> > Hey Greg,
> >
> > I wasn't particularly trying to actually generate that large amount of
> > strings in memory, I wa purposely trying to overflow the integer variable
> > "nelem"hoping to get Code Execution. This could potentially be a security
> > risk as shell shock was just more of a denial of service rather than
> > straight up code execution. However, just because I wasn't able to gain
> > control of the registers doesn't mean someone else with more skill can't.
>
> This is not a security risk.
>
> Shell shock was a security hole because the shell could be coerced into
> executing user-supplied code WITHOUT a way for a script to intervene.
>
> Any poorly-written shell script can do stupid things, including crashing
> bash because it overflows the heap by trying to allocate memory for such
> a stupidly large expansion. But unless the problem can be triggered
> without a script (the way shell shock executed user code before even
> starting to parse a script), then you can't exploit the problem to gain
> any more access to the system than you already have by being able to run
> a script in the first place.
>
> Fix your script to not do stupid things, like trying an insanely-large
> brace expansion, or trying an 'eval' (or similar) on untrusted user
> input. But don't call it a bash security hole that bash allows you to
> write stupid scripts.
>
>
IMHO the issue of whether the integer is allowed to overflow is separate from
the question of whether the resulting expansion is "too big". Code that does
an `eval "blah{0..$n}"` is reasonably common and not necessarily stupid.
--
Dan Douglas
Back to gnu.bash.bug | Previous | Next | Find similar
Re: Integer Overflow in braces Dan Douglas <ormaaj@gmail.com> - 2015-08-18 07:54 -0500
csiph-web