zsh 5.0.2 Out of bounds read

Bug #1620375 reported by dmitri
Affects: zsh (Ubuntu); Status: Expired; Importance: Undecided; Assigned to: Unassigned; Milestone: (empty)

Bug Description

I have found an OOB read in z shell version 5.0.2 running on Ubuntu 14.04 (x86_64).

Please find the POC file attached.

zsh 5.0.2 (x86_64-pc-linux-gnu)
******************************************

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007ffff5d9a03d in nextline (rpms=rpms@entry=0x7fffffffdcb0,
    wrapped=wrapped@entry=0x1) at ../../../Src/Zle/zle_refresh.c:812
812 ../../../Src/Zle/zle_refresh.c: No such file or directory.
gdb-peda$
gdb-peda$ x/16i $pc
=> 0x7ffff5d9a03d <nextline+45>: mov DWORD PTR [rdi],0xa
   0x7ffff5d9a043 <nextline+51>: mov DWORD PTR [rdi+0x4],0x0
   0x7ffff5d9a04a <nextline+58>: mov rsi,QWORD PTR [rbx+0x18]
   0x7ffff5d9a04e <nextline+62>: mov DWORD PTR [rsi],0x0
   0x7ffff5d9a054 <nextline+68>: mov DWORD PTR [rsi+0x4],0x0
   0x7ffff5d9a05b <nextline+75>: mov esi,DWORD PTR [rip+0x222627] # 0x7ffff5fbc688 <winh>
   0x7ffff5d9a061 <nextline+81>: lea edi,[rsi-0x1]
   0x7ffff5d9a064 <nextline+84>: cmp eax,edi
   0x7ffff5d9a066 <nextline+86>: je 0x7ffff5d9a0b0 <nextline+160>
   0x7ffff5d9a068 <nextline+88>: add eax,0x1
   0x7ffff5d9a06b <nextline+91>: mov DWORD PTR [rbx+0x4],eax
   0x7ffff5d9a06e <nextline+94>: cdqe
   0x7ffff5d9a070 <nextline+96>: lea rbp,[rcx+rax*8]
   0x7ffff5d9a074 <nextline+100>: mov rax,QWORD PTR [rbp+0x0]
   0x7ffff5d9a078 <nextline+104>: test rax,rax
   0x7ffff5d9a07b <nextline+107>: je 0x7ffff5d9a140 <nextline+304>
gdb-peda$ p/d 0xa
$1 = 10
gdb-peda$ ptype $rdi
type = int64_t
gdb-peda$ ptype 0xa
type = int
gdb-peda$

gdb-peda$ i r
rax 0x11 0x11
rbx 0x7fffffffdcb0 0x7fffffffdcb0
rcx 0x8ffca0 0x8ffca0
rdx 0xcf 0xcf
rsi 0x1 0x1
rdi 0x680 0x680
rbp 0x0 0x0
rsp 0x7fffffffdbf0 0x7fffffffdbf0
r8 0xcf 0xcf
r9 0x0 0x0
r10 0x0 0x0
r11 0x6b6800 0x6b6800
r12 0x7fffffffdcac 0x7fffffffdcac
r13 0x1 0x1
r14 0x7ffff7e94a18 0x7ffff7e94a18
r15 0x7ffff5fbc7f8 0x7ffff5fbc7f8
rip 0x7ffff5d9a03d 0x7ffff5d9a03d <nextline+45>
eflags 0x10202 [ IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
gdb-peda$ where
#0 0x00007ffff5d9a03d in nextline (rpms=rpms@entry=0x7fffffffdcb0,
    wrapped=wrapped@entry=0x1) at ../../../Src/Zle/zle_refresh.c:812
#1 0x00007ffff5d9d918 in zrefresh () at ../../../Src/Zle/zle_refresh.c:1396
#2 0x00007ffff5d929f0 in zlecore () at ../../../Src/Zle/zle_main.c:1095
#3 0x00007ffff5d9350d in zleread (lp=<optimized out>, rp=<optimized out>,
    flags=<optimized out>, context=<optimized out>)
    at ../../../Src/Zle/zle_main.c:1228
#4 0x000000000043f75f in zleentry (cmd=0x1) at ../../Src/init.c:1462
#5 0x0000000000440336 in inputline () at ../../Src/input.c:281
#6 ingetc () at ../../Src/input.c:217
#7 0x0000000000439bb6 in ihgetc () at ../../Src/hist.c:279
#8 0x000000000044a08c in gettok () at ../../Src/lex.c:714
#9 zshlex () at ../../Src/lex.c:395
#10 0x0000000000466a67 in parse_event () at ../../Src/parse.c:451
#11 0x000000000043cb69 in loop (toplevel=toplevel@entry=0x1,
    justonce=justonce@entry=0x0) at ../../Src/init.c:132
#12 0x000000000043fd66 in zsh_main (argc=<optimized out>, argv=<optimized out>)
    at ../../Src/init.c:1617
#13 0x00007ffff70fef45 in __libc_start_main (main=0x40ebf0 <main>, argc=0x1,
    argv=0x7fffffffe2b8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe2a8) at libc-start.c:287
#14 0x000000000040ec1e in _start ()

Replication steps:

1. Copy the base64-encoded data in the attached file (copied text)
2. In a terminal, type "echo (paste copied text) | base64 -d | ./zsh"

Note: I downloaded and compiled another zsh on my machine. I would recommend you first type the command "echo <paste copied data here last> | base64 -d | ./zsh" and only then finish by pasting the payload.

dmitri (kaslovdmitri) wrote :
affects: pinentry-qt4 (Ubuntu) → zsh (Ubuntu)
Tyler Hicks (tyhicks) wrote :

Hi dmitri - thank you for the bug report. I'm having a little trouble reproducing the issue because it seems like your base64.txt attachment may have been corrupted. Here's what I see when trying to decode the file:

$ base64 -d /tmp/base64.txt
�CoreDumpbase64: invalid input

Can you try uploading the input file once more?

Changed in zsh (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for zsh (Ubuntu) because there has been no activity for 60 days.]

Changed in zsh (Ubuntu):
status: Incomplete → Expired
information type: Private Security → Public Security
Axel Beckert (xtaran) wrote :

Seth: Strip any leading space in the file and it works, e.g. like this:

→ sed -e 's/^ *//' base64.txt | base64 -d | zcat | file -
/dev/stdin: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'pinentry --display :0', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/pinentry', platform: 'x86_64'

Axel Beckert (xtaran)
Changed in zsh (Ubuntu):
status: Expired → New
Axel Beckert (xtaran) wrote :

Tyler/Seth: Sorry, the previous message was meant for Tyler.

dmitri: I can't reproduce the crash with zsh 5.0.2 inside an Ubuntu 14.04 chroot, nor with zsh 5.0.7 on Debian 8, zsh 4.3.17 on Debian 7 or zsh 5.2 on Debian Unstable.

$ GET https://bugs.launchpad.net/ubuntu/+source/zsh/+bug/1620375/+attachment/4735015/+files/base64.txt | sed -e 's/^ *//' | base64 -d | zsh
zsh: command not found: ^_\M-^K^H^H
zsh: parse error near `)'
zsh: parse error near `)'
zsh: parse error near `)'
zsh: parse error near `)'
zsh: parse error near `)'
zsh: parse error near `)'
zsh: parse error near `)'
zsh: no matches found: \M-^^CL\M-^YN8^B\M-t\M-8C\M-^W+\M-X^C\M-x\M-Y\M-^Q\M-^D?^^E\M-xF^O\M-^R\M-[\M-4\M-^N\M-h^G\M-V^Rn^@\M-^?\M-x\M-^BG^T

Changed in zsh (Ubuntu):
status: New → Incomplete
Axel Beckert (xtaran) wrote :

JFTR: The accused line (should be "nbuf[rpms->ln][winw+1] = wrapped ? zr_nl : zr_zr;") hasn't been touched upstream since 2008-04-03, so the chances that the issue shows up in all of the above-mentioned and tested versions of zsh are rather high (since 4.3.17 was released after that line was last changed).

Launchpad Janitor (janitor) wrote :

[Expired for zsh (Ubuntu) because there has been no activity for 60 days.]

Changed in zsh (Ubuntu):
status: Incomplete → Expired