Another out of bounds heap read in bash completion
Hi,

With Address Sanitizer I discovered another out of bounds read issue in bash. This is different from the issue I recently reported here and for which Chet already provided a patch:
https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

To reproduce:
a) compile bash with CFLAGS="-fsanitize=address -g"
b) type in a=/ a
c) go back with the cursor behind the backslash and press tab

This is the stack trace from address sanitizer:

==28776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001014af at pc 0x4c7c0f bp 0x7ffe122a3490 sp 0x7ffe122a3480
READ of size 1 at 0x6020001014af thread T0
    #0 0x4c7c0e in bind_compfunc_variables /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986
    #1 0x4ca913 in gen_shell_function_matches /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1133
    #2 0x4ca913 in gen_compspec_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1411
    #3 0x4cc221 in gen_progcomp_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1581
    #4 0x4cc5a1 in programmable_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1633
    #5 0x4bd184 in attempt_shell_completion /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/bashline.c:1517
    #6 0x7f79530ed482 (/lib64/libreadline.so.6+0x3a482)
    #7 0x7f79530ed8bc in rl_complete_internal (/lib64/libreadline.so.6+0x3a8bc)
    #8 0x7f79530d8c0d in _rl_dispatch_subseq (/lib64/libreadline.so.6+0x25c0d)
    #9 0x7f79530d948c in readline_internal_char (/lib64/libreadline.so.6+0x2648c)
    #10 0x7f79530da354 in readline (/lib64/libreadline.so.6+0x27354)
    #11 0x410457 in yy_readline_get parse.y:1448
    #12 0x414dad in yy_getc parse.y:1382
    #13 0x414dad in shell_getc parse.y:2283
    #14 0x419c19 in read_token parse.y:3050
    #15 0x41f721 in yylex parse.y:2637
    #16 0x41f721 in yyparse /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/y.tab.c:2037
    #17 0x40f2ab in parse_command
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:238
    #18 0x40f4b1 in read_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:282
    #19 0x40f99e in reader_loop /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:145
    #20 0x40ba04 in main /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/shell.c:756
    #21 0x7f7952820aa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #22 0x40db2d (/bin/bash+0x40db2d)

0x6020001014af is located 1 bytes to the left of 2-byte region [0x6020001014b0,0x6020001014b2)
allocated by thread T0 here:
    #0 0x7f79533a77c7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x577c7)
    #1 0x4cd72a in xmalloc /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986 bind_compfunc_variables
==28776==ABORTING

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
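The report above says the read lands 1 byte to the left of a 2-byte heap region, i.e. one byte before a one-character word. The following is an added illustration of that failure mode, written for this page and not bash's own pcomplete.c code (which the thread does not show): a backward scan for escaping backslashes that runs past the start of the word, beside the bounded version. The function names and the scenario are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration, not bash's pcomplete.c: completion code
   scans backwards from the cursor to count the backslashes before it
   (an odd count means the character at the cursor is escaped).  With
   no start-of-word check, a one-character word such as "\" (a 2-byte
   heap region including the NUL) makes the scan read word[-1], one
   byte left of the allocation: the exact shape of the ASan report. */

/* Unchecked variant: reproduces the out-of-bounds read under ASan. */
static int count_escapes_unchecked(const char *word, size_t pos)
{
    int n = 0;
    while (word[pos - 1] == '\\') { n++; pos--; }  /* no "pos > 0" guard */
    return n;
}

/* Bounded variant: stops at the beginning of the word. */
int count_escapes(const char *word, size_t pos)
{
    int n = 0;
    while (pos > 0 && word[pos - 1] == '\\') {
        n++;
        pos--;
    }
    return n;
}

/* 1 if the byte at word[pos] is escaped by the backslashes before it. */
int char_is_escaped(const char *word, size_t pos)
{
    return count_escapes(word, pos) % 2 == 1;
}

int main(void)
{
    /* Constructed input: the word "\" with the cursor right after it
       (pos == 1), in a 2-byte heap region like the one ASan reported. */
    char *word = malloc(2);
    if (word == NULL) return 1;
    strcpy(word, "\\");
    printf("bounded:   %d\n", count_escapes(word, 1));
    printf("unchecked: %d\n", count_escapes_unchecked(word, 1)); /* ASan aborts here */
    free(word);
    return 0;
}
```

Build with CFLAGS="-fsanitize=address -g" as in the report to see the unchecked scan flagged as a heap-buffer-overflow 1 byte left of the 2-byte region.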
Please pardon the incorrectly handled anti-spam
Please pardon the incorrectly handled anti-spam message re-send seen today. One of the listhelper volunteers had a problem vivifying an incorrectly classified false-positive-as-spam message. Accidents happen. Your patience and tolerance are appreciated.

Bob
Re: ShellShock where my browser window randomly re-encodes with what looks like Chinese
S. Irelan wrote:
> I have vested so very many hours and attempts and well, can't get
> out from under what I understand is the Shellshock /bash hacking
> browser attacking NIGHTMARE !!!

Your report does not indicate any similarities to the well known "Shellshock" bug.
https://en.wikipedia.org/wiki/Shellshock_(software_bug)

> Subject: Re: ShellShock where my browser window randomly re-encodes
> with what looks like Chinese

Nor does it seem related to anything that would have any result in a web browser.

> My name is shaun, I have a knoppix that might very well be knoppix64
> and I have tried the suggested knoppix/adriane fuse thingy (pardon
> my lack of prowess) and I need so help to understand how I can fix
> without having the ability to enter alot of code.
> I have tried within terminal:
> [ 7397.465665] usb 2-1: Manufacturer: Kingston
> [ 7397.465670] usb 2-1: SerialNumber: 5B6C10933DEF
> [ 7397.466183] usb-storage 2-1:1.0: USB Mass Storage device detected
> [ 7397.466740] scsi9 : usb-storage 2-1:1.0
> [ 7398.470159] scsi 9:0:0:0: Direct-Access Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 0 CCS
> [ 7398.470441] sd 9:0:0:0: Attached scsi generic sg2 type 0
> [ 7398.471394] sd 9:0:0:0: [sdb] 4030464 512-byte logical blocks: (2.06 GB/1.92 GiB)
> [ 7398.474041] sd 9:0:0:0: [sdb] Write Protect is off
> [ 7398.474046] sd 9:0:0:0: [sdb] Mode Sense: 23 00 00 00
> [ 7398.474632] sd 9:0:0:0: [sdb] No Caching mode page found
> [ 7398.474637] sd 9:0:0:0: [sdb] Assuming drive cache: write through
> [ 7398.478157] sdb: sdb1
> [ 7398.481770] sd 9:0:0:0: [sdb] Attached SCSI removable disk
> [ 7399.305618] FAT-fs (sdb1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
> [ 7399.312661] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

I see you have mounted a USB storage device containing a FAT filesystem. That is all that the above shows.
> knoppix@Microknoppix:~$ sudo dd if=gnome-3.16.x86_64.iso.crdownload of=/dev/home/knoppix bs=8M conv=fsync
> dd: opening `gnome-3.16.x86_64.iso.crdownload': No such file or directory

You are trying to dd copy a file but that file does not exist and dd reports that problem to you. You apparently did not notice that the file name ended with the temporary suffix .crdownload, which appears to me to be a temporary file name for the file. It was likely renamed to be the actual name after the download was completed.

None of that appears to be related to bash in any way. Neither does it seem to be related to any web browser problem.

I don't know where I would direct you for further assistance. I think if you could locate a local user group community they would provide useful assistance to you face-to-face.

Bob
ShellShock where my browser window randomly re-encodes with what looks like Chinese
Spam detection software, running on the system "desolation.proulx.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content analysis details: (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (shaunirelan[at]yahoo.com)
 0.8 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 0.0 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 2.8 FSL_MY_NAME_IS         BODY: My name is ...
 0.5 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4397]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.6 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

--- Begin Message ---
I have vested so very many hours and attempts and well, can't get out from under what I understand is the Shellshock /bash hacking browser attacking NIGHTMARE !!!

My name is shaun, I have a knoppix that might very well be knoppix64 and I have tried the suggested knoppix/adriane fuse thingy (pardon my lack of prowess) and I need so help to understand how I can fix without having the ability to enter alot of code.

I have tried within terminal:
[ 7397.465665] usb 2-1: Manufacturer: Kingston
[ 7397.465670] usb 2-1: SerialNumber: 5B6C10933DEF
[ 7397.466183] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 7397.466740] scsi9 : usb-storage 2-1:1.0
[ 7398.470159] scsi 9:0:0:0: Direct-Access Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 0 CCS
[ 7398.470441] sd 9:0:0:0: Attached scsi generic sg2 type 0
[ 7398.471394] sd 9:0:0:0: [sdb] 4030464 512-byte logical blocks: (2.06 GB/1.92 GiB)
[ 7398.474041] sd 9:0:0:0: [sdb] Write Protect is off
[ 7398.474046] sd 9:0:0:0: [sdb] Mode Sense: 23 00 00 00
[ 7398.474632] sd 9:0:0:0: [sdb] No Caching mode page found
[ 7398.474637] sd 9:0:0:0: [sdb] Assuming drive cache: write through
[ 7398.478157] sdb: sdb1
[ 7398.481770] sd 9:0:0:0: [sdb] Attached SCSI removable disk
[ 7399.305618] FAT-fs (sdb1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[ 7399.312661] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
knoppix@Microknoppix:~$ sudo dd if=gnome-3.16.x86_64.iso.crdownload of=/dev/home/knoppix bs=8M conv=fsync
dd: opening `gnome-3.16.x86_
Re: Source Code Bug in Bash-4.3.31 Module variables.c
On 7/4/15 1:51 PM, John E. Malmberg wrote:
> Any resolution for this issue?
>
> In arrayfunc.h:
>
> extern arrayind_t array_expand_index __P((SHELL_VAR *, char *, int));
>
> SHELL_VAR is a struct declared in variables.h.
>
> So passing it const char * should be causing problems.

I will fix it in the next release of bash. array_expand_index doesn't use its first argument, so it doesn't affect actual operation.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates

Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/