BASH recursion segfault, FUNCNEST doesn't help
From: Gergely
Subject: BASH recursion segfault, FUNCNEST doesn't help
Date: Wed, 01 Jun 2022 20:49:12 +0000
Hi,
I stumbled upon a recursion overflow crash in BASH. It affects both my
Debian machine (this report), as well as the latest stable built from
source.
There's a slim chance this might be exploitable.
Best,
Gergely Kalman
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall
uname output: Linux test 5.17.0-2-amd64 #1 SMP PREEMPT Debian 5.17.6-1
(2022-05-14) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.1
Patch Level: 16
Release Status: release
Description:
A file repeatedly sourcing itself crashes bash with a segfault.
I did not have time to investigate, but it is alarming to me that
bash with some depths can survive the recursion, only to crash when I
try to run programs. This suggests to me that there's a very slim chance
of exploitability, but really I saw no point in investigating as at this
point the attacker can pretty much already run code...
As suggested in the previous report like this
(https://lists.gnu.org/archive/html/bug-bash/2022-05/msg00016.html),
FUNCNEST doesn't help, somewhat unsurprisingly.
Repeat-By:
Basic code to reproduce:
echo '. a' > a; bash -c '. a'
With FUNCNEST:
export FUNCNEST=1000; echo '. a' > a; bash -c 'echo $FUNCNEST; . a'
Code to test with N depth:
-----
if [ $1 -eq 0 ]
then
    echo done
    # id
    # ls
    # whoami
else
    source a $(($1-1))
    return
fi
id
ls
whoami
-----
bash -c '. a 4280' results in crashing after 'id' is run, but
before 'ls'. It doesn't seem to matter where I call these programs, bash
crashes all the same, whether I am in the deepest level or the top.
Varying the parameter I can also crash in various places, like:
bash, libtinfo, or libc:
[438676.042819] bash[408615]: segfault at 7ffedc6aaff8 ip
000055bfc89a7966 sp 00007ffedc6ab000 error 6 in bash[55bfc899e000+bb000]
[438679.191182] bash[408618]: segfault at 7ffd851ffff0 ip
00007fc71696dabf sp 00007ffd851fffe0 error 6 in
libc-2.33.so[7fc71690b000+158000]
[438681.979822] bash[408619]: segfault at 7fff8f8a7ff8 ip
00007f80a488d0fb sp 00007fff8f8a8000 error 6 in
libc-2.33.so[7f80a482a000+158000]
[438684.104766] bash[408620]: segfault at 7fff416f6eb0 ip
0000555b17112963 sp 00007fff416f6e70 error 6 in bash[555b17106000+bb000]
[438685.969473] bash[408621]: segfault at 7fffd9e1d418 ip
00007f7d49d7ba76 sp 00007fffd9e1d410 error 6 in
libtinfo.so.6.3[7f7d49d6d000+11000]
Fix:
Place a limit on the depth of source-able files, like FUNCNEST.
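
The depth limit proposed under "Fix", sketched as a script-level wrapper. This is an added example, not part of the original report and not bash functionality: safe_source, SOURCE_DEPTH_MAX and the temporary demo file are hypothetical names, and the limit only covers files sourced through the wrapper.

```bash
#!/usr/bin/env bash
# Added example, not bash functionality: safe_source and SOURCE_DEPTH_MAX
# are hypothetical names for a script-level nesting limit on sourced files.

SOURCE_DEPTH_MAX=${SOURCE_DEPTH_MAX:-100}   # assumed default
_source_depth=0    # current nesting level
_source_peak=0     # deepest level reached, kept for the demo

safe_source() {
    local rc=0
    if [ "$_source_depth" -ge "$SOURCE_DEPTH_MAX" ]; then
        echo "safe_source: nesting limit $SOURCE_DEPTH_MAX reached in $1" >&2
        return 1
    fi
    if [ ! -r "$1" ]; then
        echo "safe_source: cannot read $1" >&2
        return 1
    fi
    _source_depth=$((_source_depth + 1))
    if [ "$_source_depth" -gt "$_source_peak" ]; then
        _source_peak=$_source_depth
    fi
    . "$1" || rc=$?                      # keep the sourced file's exit status
    _source_depth=$((_source_depth - 1)) # always unwind, even on failure
    return "$rc"
}

# Constructed demo: a temporary file that sources itself through the wrapper,
# mirroring the self-sourcing file `a` from the report.
demo_self_source() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    printf 'safe_source "%s/a"\n' "$dir" > "$dir/a"
    _source_depth=0
    _source_peak=0
    safe_source "$dir/a" 2>/dev/null || rc=$?
    rm -rf "$dir"
    echo "$_source_peak $_source_depth $rc"   # peak depth, final depth, status
}

demo_self_source
```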