Another out of bounds heap read in bash completion

2015-07-06 Thread Hanno Böck
Hi,

With Address Sanitizer I discovered another out of bounds read issue in
bash. This is different from the issue I recently reported here and
for which Chet already provided a patch:
https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

To reproduce:
a) compile bash with CFLAGS="-fsanitize=address -g"
b) type in a=/ a
c) go back with the cursor behind the backslash and press tab

This is the stack trace from address sanitizer:
==28776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001014af at pc 0x4c7c0f bp 0x7ffe122a3490 sp 0x7ffe122a3480
READ of size 1 at 0x6020001014af thread T0
    #0 0x4c7c0e in bind_compfunc_variables /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986
    #1 0x4ca913 in gen_shell_function_matches /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1133
    #2 0x4ca913 in gen_compspec_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1411
    #3 0x4cc221 in gen_progcomp_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1581
    #4 0x4cc5a1 in programmable_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1633
    #5 0x4bd184 in attempt_shell_completion /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/bashline.c:1517
    #6 0x7f79530ed482 (/lib64/libreadline.so.6+0x3a482)
    #7 0x7f79530ed8bc in rl_complete_internal (/lib64/libreadline.so.6+0x3a8bc)
    #8 0x7f79530d8c0d in _rl_dispatch_subseq (/lib64/libreadline.so.6+0x25c0d)
    #9 0x7f79530d948c in readline_internal_char (/lib64/libreadline.so.6+0x2648c)
    #10 0x7f79530da354 in readline (/lib64/libreadline.so.6+0x27354)
    #11 0x410457 in yy_readline_get parse.y:1448
    #12 0x414dad in yy_getc parse.y:1382
    #13 0x414dad in shell_getc parse.y:2283
    #14 0x419c19 in read_token parse.y:3050
    #15 0x41f721 in yylex parse.y:2637
    #16 0x41f721 in yyparse /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/y.tab.c:2037
    #17 0x40f2ab in parse_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:238
    #18 0x40f4b1 in read_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:282
    #19 0x40f99e in reader_loop /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:145
    #20 0x40ba04 in main /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/shell.c:756
    #21 0x7f7952820aa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #22 0x40db2d (/bin/bash+0x40db2d)

0x6020001014af is located 1 bytes to the left of 2-byte region [0x6020001014b0,0x6020001014b2)
allocated by thread T0 here:
    #0 0x7f79533a77c7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x577c7)
    #1 0x4cd72a in xmalloc /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986 bind_compfunc_variables
==28776==ABORTING
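As an added illustration (not code from bash or from this report), the class of defect the report above describes: a look-behind on a heap string that reads one byte to the left of a 2-byte allocation when the index is 0, shown beside a bounds-checked form. The helper names and the backslash check are assumptions; the actual code at pcomplete.c:986 is not reproduced here.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical look-behind, not bash's own code: is the character before
 * position `pos` in the heap string `word` a backslash?
 * Buggy form: for pos == 0 this reads word[-1], one byte to the left of the
 * allocation, which is exactly the access the ASan report above flags. */
int preceded_by_backslash_unchecked(const char *word, int pos)
{
    return word[pos - 1] == '\\';
}

/* Bounds-checked form: position 0 has no preceding character, so the answer
 * is "no" without touching memory outside the allocation. */
int preceded_by_backslash(const char *word, int pos)
{
    if (pos <= 0)
        return 0;
    return word[pos - 1] == '\\';
}

/* Allocates `text` exactly as large as needed (strlen + 1, so "a" becomes a
 * 2-byte region like the one in the report) and runs the chosen checker.
 * Returns -1 on an invalid position or allocation failure. */
int check_at(const char *text, int pos, int use_hardened)
{
    size_t len = strlen(text);
    if (pos < 0 || (size_t)pos > len)
        return -1;
    char *word = malloc(len + 1);
    if (word == NULL)
        return -1;
    memcpy(word, text, len + 1);
    int r = use_hardened ? preceded_by_backslash(word, pos)
                         : preceded_by_backslash_unchecked(word, pos);
    free(word);
    return r;
}

int main(void)
{
    /* Constructed inputs: "\a" with the cursor after the backslash, and "a"
     * with the cursor at the start of the word (the pos == 0 underflow case). */
    printf("after backslash: %d\n", check_at("\\a", 1, 1));
    printf("start of word:   %d\n", check_at("a", 0, 1));
    /* Building with -fsanitize=address and calling check_at("a", 0, 0)
     * instead yields a "1 bytes to the left of 2-byte region" report. */
    return 0;
}
```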


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42




Please pardon the incorrectly handled anti-spam

2015-07-06 Thread Bob Proulx
Please pardon the incorrectly handled anti-spam message re-send seen
today.  One of the listhelper volunteers had a problem vivifying an
incorrectly classified false-positive-as-spam message.  Accidents
happen.  Your patience and tolerance are appreciated.

Bob



Re: ShellShock where my browser window randomly re-encodes with what looks like Chinese

2015-07-06 Thread Bob Proulx
S. Irelan wrote:
> I have vested so very many hours and attempts and well, can't get
> out from under what I understand is the Shellshock /bash hacking
> browser attacking NIGHTMARE !!!

Your report does not indicate any similarities to the well known
"Shellshock" bug.

  https://en.wikipedia.org/wiki/Shellshock_(software_bug)

> Subject: Re: ShellShock where my browser window randomly re-encodes
> with what looks like Chinese

Nor does it seem related to anything that would have any result in a
web browser.

> My name is shaun, I have a knoppix that might very well be knoppix64
> and I have tried the suggested knoppix/adriane fuse thingy (pardon
> my lack of prowess) and I need some help to understand how I can fix
> without having the ability to enter a lot of code.
> I have tried within terminal:
> [ 7397.465665] usb 2-1: Manufacturer: Kingston[ 7397.465670] usb 2-1: 
> SerialNumber: 5B6C10933DEF
> [ 7397.466183] usb-storage 2-1:1.0: USB Mass Storage device detected
> [ 7397.466740] scsi9 : usb-storage 2-1:1.0
> [ 7398.470159] scsi 9:0:0:0: Direct-Access Kingston DataTraveler 2.0 PMAP 
> PQ: 0 ANSI: 0 CCS
> [ 7398.470441] sd 9:0:0:0: Attached scsi generic sg2 type 0
> [ 7398.471394] sd 9:0:0:0: [sdb] 4030464 512-byte logical blocks: (2.06 
> GB/1.92 GiB)
> [ 7398.474041] sd 9:0:0:0: [sdb] Write Protect is off
> [ 7398.474046] sd 9:0:0:0: [sdb] Mode Sense: 23 00 00 00
> [ 7398.474632] sd 9:0:0:0: [sdb] No Caching mode page found
> [ 7398.474637] sd 9:0:0:0: [sdb] Assuming drive cache: write through
> [ 7398.478157]  sdb: sdb1
> [ 7398.481770] sd 9:0:0:0: [sdb] Attached SCSI removable disk
> [ 7399.305618] FAT-fs (sdb1): utf8 is not a recommended IO charset for FAT 
> filesystems, filesystem will be case sensitive!
> [ 7399.312661] FAT-fs (sdb1): Volume was not properly unmounted. Some data 
> may be corrupt. Please run fsck.

I see you have mounted a USB storage device containing a FAT
filesystem.  That is all that the above shows.

> knoppix@Microknoppix:~$ sudo dd if=gnome-3.16.x86_64.iso.crdownload 
> of=/dev/home/knoppix bs=8M conv=fsyncdd: opening 
> `gnome-3.16.x86_64.iso.crdownload': No such file or directory

You are trying to dd copy a file but that file does not exist and dd
reports that problem to you.

You apparently did not notice that the file name ended with the
temporary suffix .crdownload and (it appears to me) is a temporary
file name for the file.  It was likely renamed to be the actual name
after the download was completed.

None of that appears to be related to bash in any way.  Neither does
it seem to be related to any web browser problem.

I don't know where I would direct you for further assistance.  I think
if you could locate a local user group community they would provide
useful assistance to you face-to-face.

Bob



ShellShock where my browser window randomly re-encodes with what looks like Chinese

2015-07-06 Thread S. Irelan
I have vested so very many hours and attempts and well, can't get out from 
under what I understand is the Shellshock /bash hacking browser attacking 
NIGHTMARE !!!
My name is shaun, I have a knoppix that might very well be knoppix64 and I have 
tried the suggested knoppix/adriane fuse thingy (pardon my lack of prowess) and 
I need some help to understand how I can fix without having the ability to enter 
a lot of code.
I have tried within terminal:
[ 7397.465665] usb 2-1: Manufacturer: Kingston
[ 7397.465670] usb 2-1: SerialNumber: 5B6C10933DEF
[ 7397.466183] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 7397.466740] scsi9 : usb-storage 2-1:1.0
[ 7398.470159] scsi 9:0:0:0: Direct-Access     Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 0 CCS
[ 7398.470441] sd 9:0:0:0: Attached scsi generic sg2 type 0
[ 7398.471394] sd 9:0:0:0: [sdb] 4030464 512-byte logical blocks: (2.06 GB/1.92 GiB)
[ 7398.474041] sd 9:0:0:0: [sdb] Write Protect is off
[ 7398.474046] sd 9:0:0:0: [sdb] Mode Sense: 23 00 00 00
[ 7398.474632] sd 9:0:0:0: [sdb] No Caching mode page found
[ 7398.474637] sd 9:0:0:0: [sdb] Assuming drive cache: write through
[ 7398.478157]  sdb: sdb1
[ 7398.481770] sd 9:0:0:0: [sdb] Attached SCSI removable disk
[ 7399.305618] FAT-fs (sdb1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[ 7399.312661] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
knoppix@Microknoppix:~$ sudo dd if=gnome-3.16.x86_64.iso.crdownload of=/dev/home/knoppix bs=8M conv=fsync
dd: opening `gnome-3.16.x86_

Re: Source Code Bug in Bash-4.3.31 Module variables.c

2015-07-06 Thread Chet Ramey
On 7/4/15 1:51 PM, John E. Malmberg wrote:

> Any resolution for this issue?
> 
> In arrayfunc.h:
> 
> extern arrayind_t array_expand_index __P((SHELL_VAR *, char *, int));
> 
> SHELL_VAR is a struct declared in variables.h.
> 
> So passing it const char * should be causing problems.

I will fix it in the next release of bash.  array_expand_index doesn't use
its first argument, so it doesn't affect actual operation.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/