Fuzzing Bash-4.4 patch 12 with AFL mainly fork bombed the fuzzing machine, but it also found this crash (they all have the same root cause):
<&-<${} <&"-"<"$[~]" <&"-"<"${}" <&"-"<"${$0}" <&"-"<$(())
It also works on Bash 3.2.57, but some friends told me that they needed the following to reproduce it:
echo -ne '<&-<${}'|bash
An Ubuntu user told me it was not reproducible at all, but I rather suspect his whoopsie didn't want him to see it. Edit: As pointed out by Matthew in the comments, it also works on Ubuntu.
It looks like a null pointer dereference to me:
Program received signal SIGSEGV, Segmentation fault.
0x000912a8 in buffered_getchar () at input.c:565
565         return (bufstream_getc (buffers[bash_input.location.buffered_fd]));
(gdb) bt
#0  0x000912a8 in buffered_getchar () at input.c:565
#1  0x0002f87c in yy_getc () at /usr/homes/chet/src/bash/src/parse.y:1390
#2  0x000302cc in shell_getc (remove_quoted_newline=1) at /usr/homes/chet/src/bash/src/parse.y:2299
#3  0x0002e928 in read_token (command=0) at /usr/homes/chet/src/bash/src/parse.y:3115
#4  0x00029d2c in yylex () at /usr/homes/chet/src/bash/src/parse.y:2675
#5  0x000262cc in yyparse () at y.tab.c:1834
#6  0x00025efc in parse_command () at eval.c:261
#7  0x00025de8 in read_command () at eval.c:305
#8  0x00025a70 in reader_loop () at eval.c:149
#9  0x0002298c in main (argc=1, argv=0xbefff824, env=0xbefff82c) at shell.c:792
(gdb) p bash_input.location.buffered_fd
$1 = 0
(gdb) p buffers
$2 = (BUFFERED_STREAM **) 0x174808
(gdb) x/10x 0x174808
0x174808:       0x00000000      0x00000000      0x00000000      0x00000000
0x174818:       0x00000000      0x00000000      0x00000000      0x00000000
0x174828:       0x00000000      0x00000000
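The gdb session shows the shape of the bug: the parser asks for a byte from buffered_fd 0, the buffers[] table slot for fd 0 is NULL, and the slot is handed to bufstream_getc without a check. The following is a constructed model of that pattern, added here as an illustration; it is not bash's input.c and makes no claim about how bash's real table is maintained. It places an unchecked reader next to a checked one that reports EOF for an empty or out-of-range slot, and walks through the open, read, close, read-again sequence on fd 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an fd-indexed input-buffer table, written for this
 * post. It is NOT bash's input.c; it only mirrors the shape the gdb output
 * shows: a buffers[] array indexed by a file descriptor, whose slot may be
 * NULL when the parser comes to read from it. */
typedef struct {
    char *data;
    size_t len;
    size_t pos;
} BUFFERED_STREAM;

#define NBUFFERS 16
static BUFFERED_STREAM *buffers[NBUFFERS];

/* Return the next byte, or EOF when the buffer is exhausted. The pointer is
 * dereferenced without a check, like the crashing frame in the backtrace. */
static int bufstream_getc(BUFFERED_STREAM *bp)
{
    if (bp->pos >= bp->len)
        return EOF;
    return (unsigned char)bp->data[bp->pos++];
}

/* Unchecked lookup: a NULL slot goes straight into bufstream_getc, which
 * then faults on bp->pos. This is the pattern of the reported SIGSEGV. */
static int buffered_getchar_unchecked(int fd)
{
    return bufstream_getc(buffers[fd]);
}

/* Checked lookup: an out-of-range fd or an empty slot is reported as EOF,
 * so the caller sees end of input instead of a crash. */
static int buffered_getchar_checked(int fd)
{
    if (fd < 0 || fd >= NBUFFERS || buffers[fd] == NULL)
        return EOF;
    return bufstream_getc(buffers[fd]);
}

/* Attach a constructed input string to fd. Returns 0 on success. */
static int open_buffer(int fd, const char *text)
{
    if (fd < 0 || fd >= NBUFFERS)
        return -1;
    BUFFERED_STREAM *bp = malloc(sizeof *bp);
    if (bp == NULL)
        return -1;
    bp->len = strlen(text);
    bp->data = malloc(bp->len + 1);
    if (bp->data == NULL) {
        free(bp);
        return -1;
    }
    memcpy(bp->data, text, bp->len + 1);
    bp->pos = 0;
    buffers[fd] = bp;
    return 0;
}

/* Release the slot. Afterwards buffers[fd] == NULL, the state the gdb
 * memory dump shows for fd 0. */
static void close_buffer(int fd)
{
    if (fd < 0 || fd >= NBUFFERS || buffers[fd] == NULL)
        return;
    free(buffers[fd]->data);
    free(buffers[fd]);
    buffers[fd] = NULL;
}

/* Drain fd through the checked reader; returns the number of bytes read. */
static int count_checked(int fd)
{
    int n = 0;
    while (buffered_getchar_checked(fd) != EOF)
        n++;
    return n;
}

/* Scenario from the crash: fd 0 has input, is read once, is closed, and is
 * read again. Returns 1 when the second read is a clean EOF. */
static int demo_closed_stdin(void)
{
    if (open_buffer(0, "echo hi\n") != 0)
        return 0;
    int first = buffered_getchar_checked(0);   /* 'e' */
    close_buffer(0);                            /* buffers[0] is now NULL */
    int second = buffered_getchar_checked(0);  /* EOF, not SIGSEGV */
    return (first == 'e' && second == EOF) ? 1 : 0;
}

int main(void)
{
    printf("read after closing fd 0 is safe: %d\n", demo_closed_stdin());
    open_buffer(3, "abc");
    /* The unchecked reader is fine while the slot is populated ... */
    printf("first byte on fd 3: %c\n", buffered_getchar_unchecked(3));
    printf("bytes left on fd 3: %d\n", count_checked(3));
    close_buffer(3);
    /* ... but buffered_getchar_unchecked(3) here would dereference NULL,
     * so it is deliberately not called. */
    return 0;
}
```

The checked variant returns EOF, which is what the parser's caller already has to handle at end of input, so no new error path is introduced; the alternative of refusing to close the slot while the parser still reads from it would have to live wherever the table is maintained.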