[Pkg-zsh-devel] Bug#879548: zsh -n: use-after-free in patcompile()

Jakub Wilk jwilk at jwilk.net
Sun Oct 22 19:13:07 UTC 2017


Package: zsh
Version: 5.4.2-1

zsh uses memory that has already been freed when checking the syntax of some 
scripts:

   $ valgrind --quiet -- zsh -n uaf.sh
   ==6749== Invalid read of size 4
   ==6749==    at 0x4832F70: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   ==6749==    by 0x18B0C6: memcpy (string3.h:53)
   ==6749==    by 0x18B0C6: dupstring_wlen (string.c:55)
   ==6749==    by 0x1802F8: patcompile (pattern.c:673)
   ==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
   ==6749==    by 0x142923: getmatch (glob.c:2665)
   ==6749==    by 0x1915F2: paramsubst (subst.c:3045)
   ==6749==    by 0x1915F2: stringsubst (subst.c:247)
   ==6749==    by 0x194648: prefork (subst.c:85)
   ==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
   ==6749==    by 0x132009: execcmd_exec (exec.c:2782)
   ==6749==    by 0x1356C9: execpline2 (exec.c:1887)
   ==6749==    by 0x135ABF: execpline (exec.c:1616)
   ==6749==    by 0x1370C0: execlist (exec.c:1371)
   ==6749==  Address 0x4ab3ae8 is 48 bytes inside a block of size 256 free'd
   ==6749==    at 0x483047C: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   ==6749==    by 0x1638A9: zrealloc (mem.c:1000)
   ==6749==    by 0x17D900: patadd (pattern.c:414)
   ==6749==    by 0x1802E2: patcompile (pattern.c:671)
   ==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
   ==6749==    by 0x142923: getmatch (glob.c:2665)
   ==6749==    by 0x1915F2: paramsubst (subst.c:3045)
   ==6749==    by 0x1915F2: stringsubst (subst.c:247)
   ==6749==    by 0x194648: prefork (subst.c:85)
   ==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
   ==6749==    by 0x132009: execcmd_exec (exec.c:2782)
   ==6749==    by 0x1356C9: execpline2 (exec.c:1887)
   ==6749==    by 0x135ABF: execpline (exec.c:1616)
   ==6749==  Block was alloc'd at
   ==6749==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   ==6749==    by 0x163988: zrealloc (mem.c:1015)
   ==6749==    by 0x17FC7E: patcompile (pattern.c:549)
   ==6749==    by 0x13BA6F: compgetmatch (glob.c:2625)
   ==6749==    by 0x142923: getmatch (glob.c:2665)
   ==6749==    by 0x1915F2: paramsubst (subst.c:3045)
   ==6749==    by 0x1915F2: stringsubst (subst.c:247)
   ==6749==    by 0x194648: prefork (subst.c:85)
   ==6749==    by 0x12DAE9: execcmd_getargs (exec.c:2676)
   ==6749==    by 0x132009: execcmd_exec (exec.c:2782)
   ==6749==    by 0x1356C9: execpline2 (exec.c:1887)
   ==6749==    by 0x135ABF: execpline (exec.c:1616)
   ==6749==    by 0x1370C0: execlist (exec.c:1371)
   ...


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages zsh depends on:
ii  zsh-common  5.4.2-1
ii  libc6       2.24-17
ii  libcap2     1:2.25-1.1
ii  libtinfo5   6.0+20170902-1

Versions of packages zsh recommends:
ii  libncursesw5  6.0+20170902-1
ii  libpcre3      2:8.39-5

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uaf.sh
Type: application/x-sh
Size: 194 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-zsh-devel/attachments/20171022/a8c4b5d8/attachment.sh>
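The trace above has a recognisable shape: the block is freed inside patadd() (pattern.c:671, via zrealloc) and read two lines later by dupstring_wlen() from patcompile() (pattern.c:673), which is what happens when a routine keeps a raw pointer into a growable buffer across a call that may reallocate it. The following C program is an added illustration of that bug class and of the usual fix, not zsh's code: the names patbuf, patbuf_add, emit_node_unsafe and emit_node_safe and the inputs are constructed here, and the assumption that zsh's patcompile() holds such a pointer across patadd() is inferred from the trace, not stated in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "pattern program" buffer with the shape the valgrind trace shows: an
 * add routine that may move the backing store, and an emit routine that
 * holds a pointer into that store across the add. Constructed example;
 * not zsh's patadd()/patcompile(). */
struct patbuf {
    char *data;
    size_t len;
    size_t cap;
};

static void patbuf_init(struct patbuf *b, size_t cap)
{
    b->data = malloc(cap);
    b->len = 0;
    b->cap = cap;
}

static void patbuf_free(struct patbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Append n bytes. Growth is done as malloc+memcpy+free so the old block is
 * always released, which is the case the report shows (the block was
 * "free'd" inside realloc). */
static void patbuf_add(struct patbuf *b, const void *p, size_t n)
{
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 1;
        while (b->len + n > ncap)
            ncap *= 2;
        char *nd = malloc(ncap);
        memcpy(nd, b->data, b->len);
        free(b->data);          /* every pointer still held into b->data now dangles */
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, p, n);
    b->len += n;
}

/* Vulnerable shape: save a pointer to where the node will start, append the
 * node, then copy it back out through the saved pointer. If the append had to
 * grow the buffer, the copy reads freed memory (valgrind: "Invalid read"). */
static void emit_node_unsafe(struct patbuf *b, const char *body, char *out, size_t outsz)
{
    size_t n = strlen(body);
    char *start = b->data + b->len;      /* pointer taken BEFORE the add */
    patbuf_add(b, body, n);              /* may free b->data */
    size_t m = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, start, m);               /* use-after-free when the buffer moved */
    out[m] = '\0';
}

/* Fixed shape: remember an offset, not a pointer, and re-derive the pointer
 * from b->data after every call that may reallocate. */
static void emit_node_safe(struct patbuf *b, const char *body, char *out, size_t outsz)
{
    size_t n = strlen(body);
    size_t start = b->len;               /* an offset survives reallocation */
    patbuf_add(b, body, n);
    size_t m = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, b->data + start, m);     /* pointer derived AFTER the add */
    out[m] = '\0';
}

/* Returns 1 if appending body to a buffer of capacity initcap relocates it,
 * i.e. a pointer saved before the add would be dangling. Compares addresses
 * only and never dereferences the old pointer. */
static int add_relocates(size_t initcap, const char *body)
{
    struct patbuf b;
    patbuf_init(&b, initcap);
    uintptr_t before = (uintptr_t)b.data;
    patbuf_add(&b, body, strlen(body));
    int moved = (uintptr_t)b.data != before;
    patbuf_free(&b);
    return moved;
}

/* Returns 1 if the offset-based emit reproduces body exactly after a growth. */
static int safe_roundtrip(size_t initcap, const char *body)
{
    struct patbuf b;
    char out[64];
    patbuf_init(&b, initcap);
    emit_node_safe(&b, body, out, sizeof out);
    int ok = strcmp(out, body) == 0;
    patbuf_free(&b);
    return ok;
}

int main(void)
{
    struct patbuf b;
    char out[64];
    const char *body = "0123456789abcdef";   /* 16 bytes: forces growth from cap 8 */

    printf("relocates: %d  safe roundtrip: %d\n",
           add_relocates(8, body), safe_roundtrip(8, body));

    /* The buggy path; run this binary under valgrind or build with
     * -fsanitize=address to see the same class of report as the bug above. */
    patbuf_init(&b, 8);
    emit_node_unsafe(&b, body, out, sizeof out);
    printf("unsafe copy: %s\n", out);
    patbuf_free(&b);
    return 0;
}
```

Build with `cc -g -fsanitize=address uaf_demo.c -o uaf_demo && ./uaf_demo` (or `valgrind --quiet ./uaf_demo` as in the report) and the emit_node_unsafe() call is flagged at the memcpy; emit_node_safe() is clean. The fix pattern, keeping an offset and re-deriving the pointer after any call that may reallocate, is what a reviewer would look for in patcompile() around pattern.c:671-673.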

