Hi,
I stumbled upon a recursion overflow crash in BASH. It affects both my Debian machine (this report), as well as the latest stable built from source. There's a slim chance this might be exploitable.

Best,
Gergely Kalman

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall
uname output: Linux test 5.17.0-2-amd64 #1 SMP PREEMPT Debian 5.17.6-1 (2022-05-14) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Description:
A file repeatedly sourcing itself crashes bash with a segfault.

I did not have time to investigate, but it is alarming to me that bash with some depths can survive the recursion, only to crash when I try to run programs. This suggests to me that there's a very slim chance of exploitability, but really I saw no point in investigating as at this point the attacker can pretty much already run code...

As suggested in the previous report like this (https://lists.gnu.org/archive/html/bug-bash/2022-05/msg00016.html), FUNCNEST doesn't help, somewhat unsurprisingly.

Repeat-By:
Basic code to reproduce:
echo '. a' > a; bash -c '. a'

With FUNCNEST:
export FUNCNEST=1000; echo '. a' > a; bash -c 'echo $FUNCNEST; . a'

Code to test with N depth:
-----
if [ $1 -eq 0 ]
then
    echo done
    # id
    # ls
    # whoami
else
    source a $(($1-1))
    return
fi
id
ls
whoami
-----

bash -c '. a 4280' results in crashing after 'id' is run, but before 'ls'. It doesn't seem to matter where I call these programs, bash crashes all the same, whether I am in the deepest level or the top.

Varying the parameter I can also crash in various places, like: bash, libtinfo, or libc:

[438676.042819] bash[408615]: segfault at 7ffedc6aaff8 ip 000055bfc89a7966 sp 00007ffedc6ab000 error 6 in bash[55bfc899e000+bb000]
[438679.191182] bash[408618]: segfault at 7ffd851ffff0 ip 00007fc71696dabf sp 00007ffd851fffe0 error 6 in libc-2.33.so[7fc71690b000+158000]
[438681.979822] bash[408619]: segfault at 7fff8f8a7ff8 ip 00007f80a488d0fb sp 00007fff8f8a8000 error 6 in libc-2.33.so[7f80a482a000+158000]
[438684.104766] bash[408620]: segfault at 7fff416f6eb0 ip 0000555b17112963 sp 00007fff416f6e70 error 6 in bash[555b17106000+bb000]
[438685.969473] bash[408621]: segfault at 7fffd9e1d418 ip 00007f7d49d7ba76 sp 00007fffd9e1d410 error 6 in libtinfo.so.6.3[7f7d49d6d000+11000]

Fix:
Place a limit on the depth of source-able files, like FUNCNEST.
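
The depth limit proposed under Fix can be approximated at script level with a wrapper around `.`; the sketch below is an added example, not part of the original report and not bash's own code. The names `SOURCE_NEST_MAX`, `guarded_source`, `_source_depth` and `self_source_demo` are hypothetical, and the limit of 100 is an assumed value.

```shell
# Added example: depth-limited wrapper around '.', analogous to what FUNCNEST
# does for function calls. All names here are hypothetical, not bash builtins.
SOURCE_NEST_MAX=${SOURCE_NEST_MAX:-100}   # assumed limit
_source_depth=0                           # current nesting level of guarded_source

guarded_source() {
    # Refuse to nest deeper than the limit instead of exhausting the stack.
    if [ "$_source_depth" -ge "$SOURCE_NEST_MAX" ]; then
        echo "guarded_source: $1: maximum source nesting level exceeded ($SOURCE_NEST_MAX)" >&2
        return 1
    fi
    _source_depth=$((_source_depth + 1))
    . "$1"
    local rc=$?                           # status of the sourced file
    # Always unwind the counter so the shell stays usable after a refusal.
    _source_depth=$((_source_depth - 1))
    return "$rc"
}

# Constructed input: a temporary file that sources itself through the guard,
# mirroring the report's "echo '. a' > a" reproducer.
self_source_demo() {
    demo_file=$(mktemp "${TMPDIR:-/tmp}/selfsrc.XXXXXX") || return 2
    printf 'guarded_source "%s"\n' "$demo_file" > "$demo_file"
    guarded_source "$demo_file"
    demo_rc=$?
    rm -f "$demo_file"
    return "$demo_rc"                     # 1 when the guard stopped the recursion
}
```

The wrapper only protects files that are sourced through it; a plain `.` or `source` inside a sourced file bypasses the counter, which is why the report asks for the limit in bash itself.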