URL: <https://savannah.gnu.org/bugs/?67323>
Summary: Fix invalid access by adjusting members of COMMAND and SIMPLE_COM
Group: The GNU Bourne-Again SHell
Submitter: flow
Submitted: Wed 16 Jul 2025 08:53:38 AM GMT
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Wed 16 Jul 2025 08:53:38 AM GMT        By: Florian Schmaus <flow>

Bash casts SIMPLE_COM* to COMMAND* in certain places and afterward accesses the 'redirects' field (which is declared by both structs). However, the 'redirects' field is only at the same offset assuming that enum, int, and pointers are equal sized. This assumption does not hold for architectures with fat pointers, like CHERI RISC-V, resulting in invalid loads or stores on 'redirects'.

For example, an invalid access can be triggered by the |& operator using CheriBSD:

    root@cheribsd-morello-purecap:~ # bash -c 'echo foo |& tee bar'
    In-address space security exception (core dumped)

Here, bash casts SIMPLE_COM* to COMMAND* in the BAR_AND case handling at parse.y:1480 and then will dereference the 'redirects' pointer on the wrong offset. The resulting load does not yield a valid pointer, triggering a CHERI fault.

Fix this by aligning the declaration order of the shared members of the two structs, enabling reliable access to the shared members.

Based on the crash analysis of Martin Kaiser. Thanks!

_______________________________________________________

File Attachments:

-------------------------------------------------------
Name: 0001-Fix-invalid-access-by-adjusting-members-of-COMMAND-a.patch
Size: 2KiB
<https://file.savannah.gnu.org/file/0001-Fix-invalid-access-by-adjusting-members-of-COMMAND-a.patch?file_id=57417>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
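The report above describes a layout coincidence rather than a guaranteed property: two distinct struct types that both declare a 'redirects' member only agree on its offset when the members before it happen to occupy the same number of bytes under the target ABI. The following C program is an added illustration of that mechanism and is not bash's code or the attached patch. Its COMMAND/SIMPLE_COM stand-ins are simplified models (only the members relevant to the bug, with REDIRECT and WORD_LIST treated as opaque pointer types) that are assumed here, not copied from command.h, and a 16-byte aligned fat_ptr struct models a CHERI capability so the purecap layout can be observed on an ordinary 64-bit host. The "fixed" variants show one way to achieve what the report proposes, a common initial sequence of the shared members, backed by a compile-time offset check; the actual patch may order members differently.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opaque stand-ins for bash's REDIRECT and WORD_LIST (assumed, simplified). */
struct redirect;
enum command_type { cm_simple, cm_connection };   /* subset; names assumed */

/* Model of a CHERI capability: 16 bytes, 16-byte aligned. On a normal host
 * this is just a struct, but it reproduces the purecap struct layout. */
typedef struct {
    _Alignas(16) uintptr_t addr;
    uint64_t bounds_and_perms;
} fat_ptr;

/* Unfixed ordering modelled on the report: in COMMAND 'redirects' follows
 * enum+int+int (12 bytes), in SIMPLE_COM it follows int+int+pointer. The two
 * offsets coincide only when padding and pointer size happen to line up. */
#define DEFINE_UNFIXED(SUFFIX, PTR)                                        \
    typedef struct { enum command_type type; int flags; int line;          \
                     PTR redirects; } COMMAND_##SUFFIX;                    \
    typedef struct { int flags; int line; PTR words;                       \
                     PTR redirects; } SIMPLE_COM_##SUFFIX;

/* Fixed ordering (one possible realisation of the report's proposal): the
 * shared members come first, in the same order, forming a common initial
 * sequence whose offsets agree under any pointer ABI. */
#define DEFINE_FIXED(SUFFIX, PTR)                                          \
    typedef struct { int flags; int line; PTR redirects;                   \
                     enum command_type type; } COMMAND_FIXED_##SUFFIX;     \
    typedef struct { int flags; int line; PTR redirects;                   \
                     PTR words; } SIMPLE_COM_FIXED_##SUFFIX;

DEFINE_UNFIXED(THIN, struct redirect *)   /* host ABI: 8-byte pointers      */
DEFINE_UNFIXED(FAT,  fat_ptr)             /* modelled purecap: 16-byte caps */
DEFINE_FIXED(THIN, struct redirect *)
DEFINE_FIXED(FAT,  fat_ptr)

/* The check a maintainer would want: fail the build if the shared member
 * ever drifts apart again, for both pointer models. */
_Static_assert(offsetof(COMMAND_FIXED_THIN, redirects) ==
               offsetof(SIMPLE_COM_FIXED_THIN, redirects), "thin layout drift");
_Static_assert(offsetof(COMMAND_FIXED_FAT, redirects) ==
               offsetof(SIMPLE_COM_FIXED_FAT, redirects), "fat layout drift");

/* 1 if a SIMPLE_COM* cast to COMMAND* reads 'redirects' from the right
 * place for the given layout, 0 if it silently reads another member. */
int unfixed_thin_offsets_match(void) {
    return offsetof(COMMAND_THIN, redirects) == offsetof(SIMPLE_COM_THIN, redirects);
}
int unfixed_fat_offsets_match(void) {
    return offsetof(COMMAND_FAT, redirects) == offsetof(SIMPLE_COM_FAT, redirects);
}
int fixed_thin_offsets_match(void) {
    return offsetof(COMMAND_FIXED_THIN, redirects) == offsetof(SIMPLE_COM_FIXED_THIN, redirects);
}
int fixed_fat_offsets_match(void) {
    return offsetof(COMMAND_FIXED_FAT, redirects) == offsetof(SIMPLE_COM_FIXED_FAT, redirects);
}

/* Reproduce the faulty access pattern on the fat-pointer model: fill a
 * SIMPLE_COM with distinguishable (constructed) values, cast it the way the
 * parser does, and read 'redirects' through COMMAND. With the unfixed
 * layout the read lands on 'words' instead. */
uintptr_t unfixed_fat_redirects_seen_through_command(void) {
    SIMPLE_COM_FAT sc = { .flags = 0, .line = 1,
                          .words     = { .addr = 0x1000, .bounds_and_perms = 0 },
                          .redirects = { .addr = 0x2000, .bounds_and_perms = 0 } };
    const COMMAND_FAT *c = (const COMMAND_FAT *)&sc;   /* the suspect cast */
    return c->redirects.addr;                          /* 0x1000, i.e. 'words' */
}

/* Same access with the common-initial-sequence layout: the cast is still
 * questionable C, but the shared member is now where both structs put it. */
uintptr_t fixed_fat_redirects_seen_through_command(void) {
    SIMPLE_COM_FIXED_FAT sc = { .flags = 0, .line = 1,
                                .redirects = { .addr = 0x2000, .bounds_and_perms = 0 },
                                .words     = { .addr = 0x1000, .bounds_and_perms = 0 } };
    const COMMAND_FIXED_FAT *c = (const COMMAND_FIXED_FAT *)&sc;
    return c->redirects.addr;                          /* 0x2000, correct */
}

int main(void) {
    printf("unfixed thin: COMMAND %zu  SIMPLE_COM %zu  match=%d\n",
           offsetof(COMMAND_THIN, redirects), offsetof(SIMPLE_COM_THIN, redirects),
           unfixed_thin_offsets_match());
    printf("unfixed fat:  COMMAND %zu  SIMPLE_COM %zu  match=%d\n",
           offsetof(COMMAND_FAT, redirects), offsetof(SIMPLE_COM_FAT, redirects),
           unfixed_fat_offsets_match());
    printf("fixed fat:    COMMAND %zu  SIMPLE_COM %zu  match=%d\n",
           offsetof(COMMAND_FIXED_FAT, redirects), offsetof(SIMPLE_COM_FIXED_FAT, redirects),
           fixed_fat_offsets_match());
    printf("redirects.addr read through cast (unfixed): 0x%lx\n",
           (unsigned long)unfixed_fat_redirects_seen_through_command());
    return 0;
}
```

On a 64-bit host the thin-pointer variant "matches" only because the 12-byte prefix of COMMAND is padded to 16 and int+int+pointer in SIMPLE_COM is also 16; the fat-pointer variant breaks that coincidence (16 versus 32), which is the mismatch the report observes on CheriBSD. Reading a pointer from the wrong offset yields bytes that are not a valid capability, hence the in-address-space security exception instead of a silent misread. The _Static_asserts are the cheap regression guard to keep alongside any reordering fix.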