zsh killed by stack smashing protection

Bug #333722 reported by Cosmin L
16
Affects         Status          Importance   Assigned to   Milestone
zsh (Debian)    Fix Released    Unknown
zsh (Ubuntu)    Fix Released    Low          Unassigned

Bug Description

Binary package hint: zsh

I'm experiencing some weird problem with zsh, which is getting killed due to an apparent stack overflow.

It seems that commands like the following cause problems (notice the "!" inside
the command line; also, this "command" doesn't have newlines, I wrapped it for
better readability):

% AAAAAAAAAAAAAAAAAAAAAAAA!AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

(see attachment for crash info).

Additional info:

$ lsb_release -rd
Description: Ubuntu 8.10
Release: 8.10

(this also happens on a Debian Sid with zsh 4.3.9)

$ apt-cache policy zsh
zsh:
  Installed: 4.3.6-4ubuntu1
  Candidate: 4.3.6-4ubuntu1
  Version table:
 *** 4.3.6-4ubuntu1 0
        500 http://archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Ted (tedks) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as detailed as possible.
This will help us to find and resolve the problem.

Changed in zsh:
status: New → Incomplete
Cosmin L (lcosmin) wrote :

Well, I took a look at the zsh code and it seems to have a buffer overflow when expanding the "!" on the command line.

To trigger, just type "!AAAAA....A" (without the quotes) at the zsh prompt.

If zsh is compiled with stack protection code, the overflow is detected faster. If not, you need to type lots of A's.

% gdb ./zsh ./core
[...]
Core was generated by `AAAAAA'.
Program terminated with signal 11, Segmentation fault.
[New process 23255]
#0 0x41414141 in ?? ()
(gdb) bt
#0 0x41414141 in ?? ()
Cannot access memory at address 0x41414145
(gdb) i r
eax 0xffffffff -1
ecx 0x0 0
edx 0xb7e7d0dc -1209544484
ebx 0x3e9 1001
esp 0xbfc17660 0xbfc17660
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
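
The bug class the comment above describes, a fixed-size buffer filled from an unbounded "!word" history reference, as an added example. This is not zsh's own code: the function names, the 64-byte buffer and the input construction are assumptions for illustration, and the real zsh history-expansion routines are not reproduced here. The unsafe variant mirrors the reported defect (no length check before the copy); the hardened variant checks the designator length and rejects overlong words.

```c
/* Added example, not zsh's code. Demonstrates an unbounded copy of a
 * '!' history designator into a fixed stack buffer (the reported bug
 * class) next to a bounds-checked version. HIST_WORD_MAX and all
 * function names are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define HIST_WORD_MAX 64   /* assumed fixed buffer size */

/* Length of the event designator following '!': everything up to
 * whitespace, ':' (start of a modifier) or end of string. */
static size_t hist_word_len(const char *p)
{
    size_t n = 0;
    while (p[n] != '\0' && p[n] != ' ' && p[n] != '\t' && p[n] != ':')
        n++;
    return n;
}

/* UNSAFE: mirrors the reported defect. The designator is copied into a
 * fixed stack buffer with no length check. With a long enough word the
 * saved frame pointer and return address are overwritten (the
 * 0x41414141 values in the gdb session above), or, when built with
 * -fstack-protector, the canary is corrupted and the process is aborted
 * with "stack smashing detected". Never feed this untrusted input; the
 * stand-alone main() below deliberately does not call it with the
 * long reproducer. */
static int expand_bang_unsafe(const char *line, char *out, size_t outsz)
{
    char word[HIST_WORD_MAX];
    const char *p = strchr(line, '!');
    if (p == NULL)
        return -1;                   /* no history reference present */
    p++;
    size_t n = hist_word_len(p);
    memcpy(word, p, n);              /* n may exceed sizeof word */
    word[n] = '\0';
    snprintf(out, outsz, "<history lookup of '%s'>", word);
    return (int)n;
}

/* Hardened form: the length is checked before the copy and overlong
 * designators are rejected instead of being truncated silently. */
static int expand_bang_safe(const char *line, char *out, size_t outsz)
{
    char word[HIST_WORD_MAX];
    const char *p = strchr(line, '!');
    if (p == NULL)
        return -1;                   /* no history reference present */
    p++;
    size_t n = hist_word_len(p);
    if (n >= sizeof word)            /* leave room for the terminator */
        return -2;                   /* caller reports "event not found" */
    memcpy(word, p, n);
    word[n] = '\0';
    snprintf(out, outsz, "<history lookup of '%s'>", word);
    return (int)n;
}

/* Constructs the reproducer from the report: '!' followed by count 'A's.
 * Returns a heap string the caller frees, or NULL on allocation failure. */
static char *make_reproducer(size_t count)
{
    char *s = malloc(count + 2);
    if (s == NULL)
        return NULL;
    s[0] = '!';
    memset(s + 1, 'A', count);
    s[count + 1] = '\0';
    return s;
}

int main(void)
{
    char out[128];
    char *line = make_reproducer(300);   /* constructed input */
    if (line == NULL)
        return 1;
    int rc = expand_bang_safe(line, out, sizeof out);
    printf("safe: rc=%d (%s)\n", rc,
           rc == -2 ? "rejected overlong history word" : out);
    /* expand_bang_unsafe(line, out, sizeof out) would smash the stack here. */
    free(line);
    return 0;
}
```

The check that matters is the comparison against `sizeof word` before the `memcpy`; truncating with `strncpy` instead would hide the problem but still leave a parser that silently looks up the wrong history event. Building the file with `-fstack-protector` and calling the unsafe variant on the 300-byte reproducer gives the same "stack smashing detected" abort the bug title refers to; without the protector you need enough bytes to reach the saved return address, which is why the reporter notes that the unprotected build needs "lots of A's".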

Kees Cook (kees)
Changed in zsh (Ubuntu):
importance: Undecided → Low
status: Incomplete → Confirmed
Kees Cook (kees) wrote :

I've confirmed this (see the duplicates for an apport crash). Reproducer, just typing:

!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Marc Deslauriers (mdeslaur) wrote :

This is fixed in jaunty. Closing bug.

Changed in zsh (Ubuntu):
status: Confirmed → Fix Released
Changed in zsh (Debian):
status: Unknown → Fix Released