zsh 5.0.2 Out of bounds read
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
zsh (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
I have found an OOB read in z shell version 5.0.2 running on Ubuntu 14.04 (x86_64).
Please find the POC file attached.
```
zsh 5.0.2 (x86_64-
*******
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007ffff5d9a03d in nextline (rpms=rpms@
wrapped=
812 ../../.
gdb-peda$
gdb-peda$ x/16i $pc
=> 0x7ffff5d9a03d <nextline+45>: mov DWORD PTR [rdi],0xa
   0x7ffff5d9a043 <nextline+51>: mov DWORD PTR [rdi+0x4],0x0
   0x7ffff5d9a04a <nextline+58>: mov rsi,QWORD PTR [rbx+0x18]
   0x7ffff5d9a04e <nextline+62>: mov DWORD PTR [rsi],0x0
   0x7ffff5d9a054 <nextline+68>: mov DWORD PTR [rsi+0x4],0x0
   0x7ffff5d9a05b <nextline+75>: mov esi,DWORD PTR [rip+0x222627] # 0x7ffff5fbc688 <winh>
   0x7ffff5d9a061 <nextline+81>: lea edi,[rsi-0x1]
   0x7ffff5d9a064 <nextline+84>: cmp eax,edi
   0x7ffff5d9a066 <nextline+86>: je 0x7ffff5d9a0b0 <nextline+160>
   0x7ffff5d9a068 <nextline+88>: add eax,0x1
   0x7ffff5d9a06b <nextline+91>: mov DWORD PTR [rbx+0x4],eax
   0x7ffff5d9a06e <nextline+94>: cdqe
   0x7ffff5d9a070 <nextline+96>: lea rbp,[rcx+rax*8]
   0x7ffff5d9a074 <nextline+100>: mov rax,QWORD PTR [rbp+0x0]
   0x7ffff5d9a078 <nextline+104>: test rax,rax
   0x7ffff5d9a07b <nextline+107>: je 0x7ffff5d9a140 <nextline+304>
gdb-peda$ p/d 0xa
$1 = 10
gdb-peda$ ptype $rdi
type = int64_t
gdb-peda$ ptype 0xa
type = int
gdb-peda$
gdb-peda$ i r
rax    0x11             0x11
rbx    0x7fffffffdcb0   0x7fffffffdcb0
rcx    0x8ffca0         0x8ffca0
rdx    0xcf             0xcf
rsi    0x1              0x1
rdi    0x680            0x680
rbp    0x0              0x0
rsp    0x7fffffffdbf0   0x7fffffffdbf0
r8     0xcf             0xcf
r9     0x0              0x0
r10    0x0              0x0
r11    0x6b6800         0x6b6800
r12    0x7fffffffdcac   0x7fffffffdcac
r13    0x1              0x1
r14    0x7ffff7e94a18   0x7ffff7e94a18
r15    0x7ffff5fbc7f8   0x7ffff5fbc7f8
rip    0x7ffff5d9a03d   0x7ffff5d9a03d <nextline+45>
eflags 0x10202          [ IF RF ]
cs     0x33             0x33
ss     0x2b             0x2b
ds     0x0              0x0
es     0x0              0x0
fs     0x0              0x0
gs     0x0              0x0
gdb-peda$ where
#0  0x00007ffff5d9a03d in nextline (rpms=rpms@
wrapped=
#1  0x00007ffff5d9d918 in zrefresh () at ../../.
#2  0x00007ffff5d929f0 in zlecore () at ../../.
#3  0x00007ffff5d9350d in zleread (lp=<optimized out>, rp=<optimized out>,
flags=
at ../../.
#4  0x000000000043f75f in zleentry (cmd=0x1) at ../../Src/
#5  0x0000000000440336 in inputline () at ../../Src/
#6  ingetc () at ../../Src/
#7  0x0000000000439bb6 in ihgetc () at ../../Src/
#8  0x000000000044a08c in gettok () at ../../Src/lex.c:714
#9  zshlex () at ../../Src/lex.c:395
#10 0x0000000000466a67 in parse_event () at ../../Src/
#11 0x000000000043cb69 in loop (toplevel=
justonce=
#12 0x000000000043fd66 in zsh_main (argc=<optimized out>, argv=<optimized out>)
at ../../Src/
#13 0x00007ffff70fef45 in __libc_start_main (main=0x40ebf0 <main>, argc=0x1,
argv=
rtld_
#14 0x000000000040ec1e in _start ()
```
Replication steps:
1. Copy the base64 encoded data in the file attached (copied text).
2. In a terminal, type `echo (paste copied text) | base64 -d | ./zsh`.
Note: I downloaded and compiled another zsh on my machine. And I would recommend you first type the command `echo <paste copied data to be pasted here last> | base64 -d | ./zsh` and then only end with pasting the payload.
information type: Private Security → Public Security
Changed in zsh (Ubuntu):
status: Expired → New
Hi dmitri - thank you for the bug report. I'm having a little trouble reproducing the issue because it seems like your base64.txt attachment may have been corrupted. Here's what I see when trying to decode the file:
```
$ base64 -d /tmp/base64.txt
�CoreDumpbase64: invalid input
```
Can you try uploading the input file once more?
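An added triage helper (not from the report or from the zsh project) for the two steps above: it strictly decodes a base64 attachment before anything is piped into the shell under test, so a corrupted upload fails loudly instead of feeding a truncated prefix to the target, and it classifies the outcome of a run by exit status or signal. It assumes GNU or BusyBox `base64`, and `timeout` if available; the sample base64 string is constructed.

```bash
#!/bin/sh
# Constructed sample: base64 of the harmless input "echo hi\n".
SAMPLE_B64='ZWNobyBoaQo='

# decode_poc FILE OUT: strictly decode FILE into OUT.
# Returns 0 on success, 1 if the attachment is not valid base64
# (GNU base64 prints "base64: invalid input"), 2 if it decodes to nothing.
decode_poc() {
    in="$1"; out="$2"
    # No -i here on purpose: stray bytes must be rejected, not ignored.
    if ! base64 -d "$in" > "$out" 2>/dev/null; then
        rm -f "$out"
        return 1
    fi
    [ -s "$out" ] || return 2
    return 0
}

# run_poc INPUT CMD...: run CMD with INPUT on stdin under a time limit and
# report one word: "ok", "timeout", "exit:N" or "signal:N" (11 = SIGSEGV).
run_poc() {
    input="$1"; shift
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$@" < "$input" > /dev/null 2>&1 || rc=$?
    else
        "$@" < "$input" > /dev/null 2>&1 || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo timeout            # GNU timeout's status when the limit is hit
    elif [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"   # shell convention: 128 + signal number
    else
        echo "exit:$rc"
    fi
}

# Example usage: decode the attachment, then run the target only if it decoded.
#   decode_poc base64.txt poc.bin && run_poc poc.bin ./zsh -f
```

A result of `signal:11` from `run_poc` corresponds to the SIGSEGV in the gdb session above.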