[Bug 1620375] Re: zsh 5.0.2 Out of bounds read

Axel Beckert abe at debian.org
Mon Nov 21 18:57:50 UTC 2016


JFTR: The accused line (which should read "nbuf[rpms->ln][winw+1] = wrapped ?
zr_nl : zr_zr;") hasn't been touched upstream since 2008-04-03, so the
issue is very likely present in all of the versions of zsh mentioned and
tested above (4.3.17 was released after that line was last changed).
Note that this line is an assignment, and the faulting instruction in the
backtrace is a store ("mov DWORD PTR [rdi],0xa" with rdi = 0x680, i.e. a
small, near-NULL address), so despite the report's title this looks like
an out-of-bounds write rather than a read.

-- 
https://bugs.launchpad.net/bugs/1620375

Title:
  zsh 5.0.2 Out of bounds read

Status in zsh package in Ubuntu:
  Incomplete

Bug description:
  I have found an OOB read in z shell version 5.0.2 running on Ubuntu
  14.04 (x86_64).

  Please find the POC file attached.

  
  zsh 5.0.2 (x86_64-pc-linux-gnu)
  ******************************************

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x00007ffff5d9a03d in nextline (rpms=rpms at entry=0x7fffffffdcb0,
      wrapped=wrapped at entry=0x1) at ../../../Src/Zle/zle_refresh.c:812
  812    ../../../Src/Zle/zle_refresh.c: No such file or directory.
  gdb-peda$
  gdb-peda$ x/16i $pc
  => 0x7ffff5d9a03d <nextline+45>:    mov    DWORD PTR [rdi],0xa
     0x7ffff5d9a043 <nextline+51>:    mov    DWORD PTR [rdi+0x4],0x0
     0x7ffff5d9a04a <nextline+58>:    mov    rsi,QWORD PTR [rbx+0x18]
     0x7ffff5d9a04e <nextline+62>:    mov    DWORD PTR [rsi],0x0
     0x7ffff5d9a054 <nextline+68>:    mov    DWORD PTR [rsi+0x4],0x0
     0x7ffff5d9a05b <nextline+75>:    
      mov    esi,DWORD PTR [rip+0x222627]        # 0x7ffff5fbc688 <winh>
     0x7ffff5d9a061 <nextline+81>:    lea    edi,[rsi-0x1]
     0x7ffff5d9a064 <nextline+84>:    cmp    eax,edi
     0x7ffff5d9a066 <nextline+86>:    je     0x7ffff5d9a0b0 <nextline+160>
     0x7ffff5d9a068 <nextline+88>:    add    eax,0x1
     0x7ffff5d9a06b <nextline+91>:    mov    DWORD PTR [rbx+0x4],eax
     0x7ffff5d9a06e <nextline+94>:    cdqe   
     0x7ffff5d9a070 <nextline+96>:    lea    rbp,[rcx+rax*8]
     0x7ffff5d9a074 <nextline+100>:    mov    rax,QWORD PTR [rbp+0x0]
     0x7ffff5d9a078 <nextline+104>:    test   rax,rax
     0x7ffff5d9a07b <nextline+107>:    je     0x7ffff5d9a140 <nextline+304>
  gdb-peda$ p/d 0xa
  $1 = 10
  gdb-peda$ ptype $rdi
  type = int64_t
  gdb-peda$ ptype 0xa
  type = int
  gdb-peda$

  gdb-peda$ i r
  rax            0x11    0x11
  rbx            0x7fffffffdcb0    0x7fffffffdcb0
  rcx            0x8ffca0    0x8ffca0
  rdx            0xcf    0xcf
  rsi            0x1    0x1
  rdi            0x680    0x680
  rbp            0x0    0x0
  rsp            0x7fffffffdbf0    0x7fffffffdbf0
  r8             0xcf    0xcf
  r9             0x0    0x0
  r10            0x0    0x0
  r11            0x6b6800    0x6b6800
  r12            0x7fffffffdcac    0x7fffffffdcac
  r13            0x1    0x1
  r14            0x7ffff7e94a18    0x7ffff7e94a18
  r15            0x7ffff5fbc7f8    0x7ffff5fbc7f8
  rip            0x7ffff5d9a03d    0x7ffff5d9a03d <nextline+45>
  eflags         0x10202    [ IF RF ]
  cs             0x33    0x33
  ss             0x2b    0x2b
  ds             0x0    0x0
  es             0x0    0x0
  fs             0x0    0x0
  gs             0x0    0x0
  gdb-peda$ where
  #0  0x00007ffff5d9a03d in nextline (rpms=rpms at entry=0x7fffffffdcb0,
      wrapped=wrapped at entry=0x1) at ../../../Src/Zle/zle_refresh.c:812
  #1  0x00007ffff5d9d918 in zrefresh () at ../../../Src/Zle/zle_refresh.c:1396
  #2  0x00007ffff5d929f0 in zlecore () at ../../../Src/Zle/zle_main.c:1095
  #3  0x00007ffff5d9350d in zleread (lp=<optimized out>, rp=<optimized out>,
      flags=<optimized out>, context=<optimized out>)
      at ../../../Src/Zle/zle_main.c:1228
  #4  0x000000000043f75f in zleentry (cmd=0x1) at ../../Src/init.c:1462
  #5  0x0000000000440336 in inputline () at ../../Src/input.c:281
  #6  ingetc () at ../../Src/input.c:217
  #7  0x0000000000439bb6 in ihgetc () at ../../Src/hist.c:279
  #8  0x000000000044a08c in gettok () at ../../Src/lex.c:714
  #9  zshlex () at ../../Src/lex.c:395
  #10 0x0000000000466a67 in parse_event () at ../../Src/parse.c:451
  #11 0x000000000043cb69 in loop (toplevel=toplevel at entry=0x1,
      justonce=justonce at entry=0x0) at ../../Src/init.c:132
  #12 0x000000000043fd66 in zsh_main (argc=<optimized out>, argv=<optimized out>)
      at ../../Src/init.c:1617
  #13 0x00007ffff70fef45 in __libc_start_main (main=0x40ebf0 <main>, argc=0x1,
      argv=0x7fffffffe2b8, init=<optimized out>, fini=<optimized out>,
      rtld_fini=<optimized out>, stack_end=0x7fffffffe2a8) at libc-start.c:287
  #14 0x000000000040ec1e in _start ()

  
  Replication steps:

  1. Copy the base64-encoded data from the attached file.
  2. In a terminal, run `echo '<pasted data>' | base64 -d | ./zsh` (the
     decoder is `base64`, not `base 64`). Because the decoded payload is
     fed straight into the shell, do this only in a disposable VM or
     container.

  Note: I downloaded and compiled another zsh on my machine. I would
  recommend first typing the command "echo <pasted data goes here last> |
  base64 -d | ./zsh" and only then pasting the payload.



