Christoph Anton Mitterer
2022-Nov-24 05:15 UTC
[klibc] klibc sh segfault on invalid substitutions
Hey there.

There's a bug in ash-based shells, including the one shipped with klibc.

The original variant is described here (for dash):
https://lore.kernel.org/dash/b2e298215b3d51d8284296484caa138faddaa0e4.camel@scientia.org/
respectively
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024635

Apparently BusyBox's sh (also ash based) doesn't segfault with the example I've found above.

But Harald van Dijk was able to create an example[0] where BusyBox's sh segfaults, too, reported by him at:
http://lists.busybox.net/pipermail/busybox/2022-November/090036.html

klibc's sh segfaults in BOTH cases, and he asked me whether I could forward this here on also his behalf.

Could you please have a look at both?

It seems there's no bugtracker for klibc, or is there?

Just that this doesn't get forgotten by accident, I've also reported it downstream in the Debian BTS at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024735

Thanks,
Chris.

[0]
$ /usr/lib/klibc/bin/sh -c 'f() { echo ${PWD-${PWD!}}; }; f'
Segmentation fault
On Thu, 2022-11-24 at 06:15 +0100, Christoph Anton Mitterer wrote:
> Hey there.
>
> There's a bug in ash-based shells, including the one shipped with
> klibc.
>
> The original variant is described here (for dash):
> https://lore.kernel.org/dash/b2e298215b3d51d8284296484caa138faddaa0e4.camel@scientia.org/
> respectively
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024635
>
>
> Apparently BusyBox's sh (also ash based) doesn't segfault with the
> example I've found above.
>
> But Harald van Dijk was able to create an example[0] where BusyBox's sh
> segfaults, too, reported by him at:
> http://lists.busybox.net/pipermail/busybox/2022-November/090036.html
>
>
> klibc's sh segfaults in BOTH cases, and he asked me whether I could
> forward this here on also his behalf.
>
>
> Could you please have a look at both?

I had a look at a core dump in gdb. The loop at the bottom of evalvar() seems to read off the end of the input string, and crashes once p reaches an unmapped page. This seems to match Harald's analysis:
https://lore.kernel.org/dash/8710d1c3-d7c9-7332-4bc7-ce243a1cbd37@gigawatt.nl/

> It seems there's no bugtracker for klibc, or is there?

There's a component for it on bugzilla.kernel.org (under "Other").

> Just that this doesn't get forgotten by accident, I've also reported it
> downstream in the Debian BTS at:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024735
>

That's also fine. I don't think I will work on this in klibc until there's a fix in upstream dash. If you're still watching upstream dash, please let me know when there's a fix I can pick.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
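As an added regression check (written here, not part of the thread or of the klibc or dash sources), the following POSIX sh script runs Harald's reproducer under each shell named on its command line and tells a crash (death by SIGSEGV) apart from the expected "Bad substitution" diagnostic; the shell paths in the usage comment are assumptions about what is installed.

```shell
#!/bin/sh
# Regression check for the ${PWD-${PWD!}} crash (added example, not part of
# the thread or of klibc/dash). Usage: ./check.sh /usr/lib/klibc/bin/sh dash
# The shell paths are whatever the caller has installed (assumption).

# Harald van Dijk's reproducer, quoted from the report.
REPRO='f() { echo ${PWD-${PWD!}}; }; f'

# Map the child's exit status to a verdict. A shell killed by SIGSEGV is
# reported as 128+11 = 139; any other value above 128 is some other signal;
# a plain non-zero exit is the expected "Bad substitution" diagnostic.
classify_status() {
  if [ "$1" -eq 0 ]; then echo ok
  elif [ "$1" -eq 139 ]; then echo crash
  elif [ "$1" -gt 128 ]; then echo signal
  else echo error
  fi
}

# Run the reproducer under the shell named in $1, print a verdict line and
# return 1 if the shell died from a signal (i.e. the bug is present).
check_shell() {
  st=0
  "$1" -c "$REPRO" >/dev/null 2>&1 || st=$?
  verdict=$(classify_status "$st")
  echo "$1: $verdict (exit status $st)"
  [ "$verdict" != crash ] && [ "$verdict" != signal ]
}

# Check every shell named on the command line; the exit status is 1 if any
# of them crashed, so the script can gate a package build or CI job.
rc=0
for shell in "$@"; do
  check_shell "$shell" || rc=1
done
[ "$rc" -eq 0 ]
```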