Package: dash
Version: 0.5.11+git20200708+dd9ef66-5
Severity: normal

Dear Maintainer,

The following incorrect use of test -o causes a Segmentation fault for me:

$ dash -c 'echo baz 987654321abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | while read field data; do test "$field" = foo -o; done'
Segmentation fault (core dumped)

The backtrace in gdb is below. The crashing instruction in
__strcmp_sse2_unaligned is trying to load from %rdi, but that contains
bytes from the long string in the argument to echo.

gdb> bt
#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1  0x000056293a93170d in getop (s=<optimized out>) at bltin/test.c:175
#2  t_lex (tp=tp@entry=0x56293bd90380) at bltin/test.c:448
#3  0x000056293a931820 in aexpr (n=<optimized out>) at bltin/test.c:273
#4  oexpr (n=<optimized out>) at bltin/test.c:256
#5  0x000056293a931e7f in testcmd (argc=<optimized out>, argv=0x56293bd90358) at bltin/test.c:232
#6  0x000056293a923d77 in evalbltin (cmd=0x56293a93ba18 <builtincmd+696>, argc=argc@entry=0x5, argv=argv@entry=0x56293bd90350, flags=flags@entry=0x0) at eval.c:969
#7  0x000056293a92442a in evalcommand (cmd=0x56293bd90148, flags=0x0) at eval.c:912
#8  0x000056293a92327e in evaltree (n=0x56293bd90148, flags=flags@entry=0x0) at eval.c:303
#9  0x000056293a9238e0 in evalloop (n=0x56293a93e988 <stackbase+424>, flags=0x0) at eval.c:400
#10 0x000056293a923231 in evaltree (n=0x56293a93e988 <stackbase+424>, flags=flags@entry=0x1) at eval.c:303
#11 0x000056293a923630 in evaltreenr (flags=0x1, n=<optimized out>) at eval.c:349
#12 evalpipe (n=0x56293a93e950 <stackbase+368>, flags=0x1) at eval.c:601
#13 0x000056293a92327e in evaltree (n=n@entry=0x56293a93e950 <stackbase+368>, flags=0x0) at eval.c:303
#14 0x000056293a923c6a in evalstring (s=0x56293a93e7e8 <stackbase+8> "echo baz 987654321abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | while read field data; do test \"$field\" = foo -o; done", flags=flags@entry=0x0) at eval.c:185
#15 0x000056293a92167f in main (argc=0x3, argv=0x7ffc474c2c88) at main.c:177
gdb> x/i $pc
=> 0x7fb4664191fa <__strcmp_sse2_unaligned+26>: movdqu (%rdi),%xmm1
gdb> p/x $rdi
$1 = 0x5958575655545352
gdb>

I suspect the problem is that there is no check for the end of the
arguments in oexpr (and related functions).

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dash depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  debianutils            4.11.2
ii  dpkg                   1.20.12
ii  libc6                  2.31-13+deb11u6

dash recommends no packages.

dash suggests no packages.

-- debconf information:
* dash/sh: true
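
The kind of end-of-arguments check the report suspects is missing, shown as an added example (not code from this report or from dash): a small test-style evaluator in C whose every lookahead is bounded by an explicit end pointer, so a trailing -o is a syntax error instead of a read past the argument vector. The names args, peek, primary, expr and mini_test, and the reduced grammar (string, "=", -a, -o), are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Argument cursor with an explicit end (hypothetical names, not dash's). */
struct args { char **cur, **end; };

/* k-th argument ahead of the cursor, or NULL once the arguments run out. */
static const char *peek(const struct args *a, long k) {
    return (a->end - a->cur) > k ? a->cur[k] : NULL;
}

/* primary := s1 "=" s2 | s     Returns 1 true, 0 false, -1 syntax error. */
static int primary(struct args *a) {
    const char *lhs = peek(a, 0), *op = peek(a, 1), *rhs = peek(a, 2);
    if (!lhs) return -1;                   /* operand expected, none left */
    if (op && strcmp(op, "=") == 0) {
        if (!rhs) return -1;               /* "s1 =" with nothing after it */
        a->cur += 3;
        return strcmp(lhs, rhs) == 0;
    }
    a->cur += 1;
    return lhs[0] != '\0';                 /* bare string: true if non-empty */
}

/* level 0: and ("-o" and)*     level 1: primary ("-a" primary)* */
static int expr(struct args *a, int level) {
    const char *want = level ? "-a" : "-o", *op;
    int res = level ? primary(a) : expr(a, 1);
    while (res >= 0 && (op = peek(a, 0)) != NULL && strcmp(op, want) == 0) {
        a->cur++;                          /* consume the operator */
        int r = level ? primary(a) : expr(a, 1);
        if (r < 0) return -1;              /* e.g. trailing "-o": no operand */
        res = level ? (res && r) : (res || r);
    }
    return res;
}

/* Exit status like test(1): 0 true, 1 false, 2 syntax error. */
int mini_test(int argc, char **argv) {
    struct args a = { argv, argv + argc };
    int res = expr(&a, 0);
    if (res < 0 || a.cur != a.end) return 2;   /* error or trailing junk */
    return res ? 0 : 1;
}

int main(void) {
    char *bad[] = { "baz", "=", "foo", "-o" };  /* constructed: shape of the report's call */
    printf("%d\n", mini_test(4, bad));
    return 0;
}
```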