On Thu, 2022-11-24 at 06:15 +0100, Christoph Anton Mitterer wrote:
> Hey there.
>
> There's a bug in ash-based shells, including the one shipped with
> klibc.
>
> The original variant is described here (for dash):
> https://lore.kernel.org/dash/b2e298215b3d51d8284296484caa138faddaa0e4.camel at scientia.org/
> respectively
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024635
>
>
> Apparently BusyBox's sh (also ash based) doesn't segfault with the
> example I've found above.
>
> But Harald van Dijk was able to create an example[0] where BusyBox's sh
> segfaults, too, reported by him at:
> http://lists.busybox.net/pipermail/busybox/2022-November/090036.html
>
>
> klibc's sh segfaults in BOTH cases, and he asked me whether I could
> forward this here on also his behalf.
>
>
> Could you please have a look at both?

I had a look at a core dump in gdb. The loop at the bottom of evalvar()
seems to read off the end of the input string, and crashes once p
reaches an unmapped page. This seems to match Harald's analysis:
https://lore.kernel.org/dash/8710d1c3-d7c9-7332-4bc7-ce243a1cbd37 at gigawatt.nl/

> It seems there's no bugtracker for klibc, or is there?

There's a component for it on bugzilla.kernel.org (under "Other").

> Just that this doesn't get forgotten by accident, I've also reported it
> downstream in the Debian BTS at:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024735
>

That's also fine. I don't think I will work on this in klibc until
there's a fix in upstream dash. If you're still watching upstream dash,
please let me know when there's a fix I can pick.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
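Ben's description of the crash (a loop in evalvar() reading past the end of the input string, crashing only once p reaches an unmapped page) is the classic over-read pattern. The C below is an added illustration, not code from klibc, dash or this thread: a hypothetical scanner that trusts a closing brace it never checks for, beside a length-bounded version that reports a malformed substitution instead. The "${...}" grammar used here is a simplified stand-in, not dash's actual parser, and every function name is invented.

```c
/* Added example (not klibc's or dash's code): an unbounded scan loop that
 * over-reads on malformed input, next to a length-bounded scan that rejects
 * the input. The substitution syntax is a simplified, hypothetical stand-in
 * for what a shell's evalvar() handles, not dash's grammar. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical unsafe scanner: advances p looking for '}' and assumes the
 * caller guaranteed one exists. On input like "${foo" it walks past the
 * terminating NUL into whatever memory follows, silently while that memory
 * is mapped, and segfaults only when p reaches an unmapped page.
 * Shown for contrast only; it is never called below. */
const char *find_close_unsafe(const char *p)
{
    while (*p != '}')
        p++;
    return p;
}

/* Bounded scanner: stops at the end of the buffer (or at NUL) and returns
 * -1 when no closing brace is present, so the caller can reject the
 * substitution as malformed instead of continuing on garbage. */
static long find_close_bounded(const char *buf, size_t len)
{
    for (size_t i = 0; i < len && buf[i] != '\0'; i++) {
        if (buf[i] == '}')
            return (long)i;
    }
    return -1;
}

/* Validate a "${...}" substitution in a buffer of known length.
 * Returns 1 if it is well-formed (starts with "${", non-empty name,
 * closing brace inside the buffer), 0 otherwise. */
int substitution_is_wellformed(const char *buf, size_t len)
{
    if (len < 3 || buf[0] != '$' || buf[1] != '{')
        return 0;
    long close = find_close_bounded(buf + 2, len - 2);
    if (close <= 0)            /* no closing brace, or empty name "${}" */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; "${foo" is the malformed case. */
    const char *samples[] = { "${foo}", "${foo}bar", "${foo", "${}", "$foo" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               substitution_is_wellformed(samples[i], strlen(samples[i]))
                   ? "well-formed" : "malformed");
    return 0;
}
```

The bounded version turns an input such as "${foo" into a reported error rather than a silent read of whatever follows the buffer. With the unbounded loop, the over-read goes unnoticed as long as the bytes after the string are mapped, which is why this class of bug often surfaces only as a segfault at an unlucky page boundary; building with -fsanitize=address flags the first byte read past a heap allocation deterministically, without waiting for a page fault.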
Christoph Anton Mitterer
2022-Nov-27 17:00 UTC
[klibc] klibc sh segfault on invalid substitutions
Hey Ben.

Thanks for looking into it.

On Sun, 2022-11-27 at 17:51 +0100, Ben Hutchings wrote:
> There's a component for it on bugzilla.kernel.org (under "Other").

Would you mind (not urgent) adding that, e.g., to
https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/README ?

I'm sure I'd forget where it is, should I ever need it again ;-)

> I don't think I will work on this in klibc until there's a fix in
> upstream dash. If you're still watching upstream dash, please let me
> know when there's a fix I can pick.

I will ping, if I don't forget it by then.

Thanks,
Chris.
Christoph Anton Mitterer
2022-Dec-07 04:57 UTC
[klibc] klibc sh segfault on invalid substitutions
Hey Ben.

On Sun, 2022-11-27 at 17:51 +0100, Ben Hutchings wrote:
> I don't think I will work on this in klibc until there's a fix in
> upstream dash. If you're still watching upstream dash, please let me
> know when there's a fix I can pick.

A patch has now been posted for dash at:
https://lore.kernel.org/dash/Y47ZlpwkQy+jiule at gondor.apana.org.au/
which is apparently scheduled to be merged into their git.

Cheers,
Chris.