{"id":961,"date":"2017-03-14T15:27:40","date_gmt":"2017-03-14T14:27:40","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=961"},"modified":"2023-05-31T08:01:09","modified_gmt":"2023-05-31T07:01:09","slug":"crash-bash","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=961","title":{"rendered":"Crash bash"},"content":{"rendered":"<p>Fuzzing <a href=\"https:\/\/www.gnu.org\/software\/bash\/\" target=\"_blank\" rel=\"noopener\">Bash-4.4 patch 12<\/a> with <a href=\"https:\/\/lcamtuf.coredump.cx\/afl\/\">AFL<\/a> mainly fork bombed the fuzzing machine, but it also found these crashes (they all have the same root cause):<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n&lt;&amp;-&lt;${}\r\n&lt;&amp;&quot;-&quot;&lt;&quot;$&#x5B;~]&quot;\r\n&lt;&amp;&quot;-&quot;&lt;&quot;${}&quot;\r\n&lt;&amp;&quot;-&quot;&lt;&quot;${$0}&quot;\r\n&lt;&amp;&quot;-&quot;&lt;$(())\r\n<\/pre>\n<p>It also works on Bash 3.2.57, but some friends told me that they needed the following to reproduce:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\necho -ne '&lt;&amp;-&lt;${}'|bash\r\n<\/pre>\n<p>An Ubuntu user told me it was not reproducible at all, but I rather suspect his <a href=\"https:\/\/askubuntu.com\/questions\/135540\/what-is-the-whoopsie-process-and-how-can-i-remove-it#135552\" target=\"_blank\" rel=\"noopener\">whoopsie<\/a> didn&#8217;t want him to see it. Edit: as pointed out by Matthew in the comments, it also works on Ubuntu.<\/p>\n<p>It looks like a null-pointer dereference to me:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x000912a8 in buffered_getchar () at input.c:565\r\n565\t  return (bufstream_getc (buffers&#x5B;bash_input.location.buffered_fd]));\r\n(gdb) bt\r\n#0  0x000912a8 in buffered_getchar () at input.c:565\r\n#1  0x0002f87c in yy_getc () at \/usr\/homes\/chet\/src\/bash\/src\/parse.y:1390\r\n#2  0x000302cc in shell_getc (remove_quoted_newline=1) at\r\n\/usr\/homes\/chet\/src\/bash\/src\/parse.y:2299\r\n#3  0x0002e928 in read_token (command=0) at\r\n\/usr\/homes\/chet\/src\/bash\/src\/parse.y:3115\r\n#4  0x00029d2c in yylex () at \/usr\/homes\/chet\/src\/bash\/src\/parse.y:2675\r\n#5  0x000262cc in yyparse () at y.tab.c:1834\r\n#6  0x00025efc in parse_command () at eval.c:261\r\n#7  0x00025de8 in read_command () at eval.c:305\r\n#8  0x00025a70 in reader_loop () at eval.c:149\r\n#9  0x0002298c in main (argc=1, argv=0xbefff824, env=0xbefff82c) at\r\nshell.c:792\r\n(gdb) p bash_input.location.buffered_fd\r\n$1 = 0\r\n(gdb) p buffers\r\n$2 = (BUFFERED_STREAM **) 0x174808\r\n(gdb) x\/10x 0x174808\r\n0x174808:\t0x00000000\t0x00000000\t0x00000000\t0x00000000\r\n0x174818:\t0x00000000\t0x00000000\t0x00000000\t0x00000000\r\n0x174828:\t0x00000000\t0x00000000\r\n<\/pre>\n<p><a href=\"https:\/\/www.mail-archive.com\/bug-bash@gnu.org\/msg19414.html\" target=\"_blank\" rel=\"noopener\">The maintainers of bash were notified<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fuzzing Bash-4.4 patch 12 with AFL mainly fork bombed the fuzzing machine, but it also found these crashes (they all have the same root cause): &lt;&amp;-&lt;${} &lt;&amp;&quot;-&quot;&lt;&quot;$&#x5B;~]&quot; &lt;&amp;&quot;-&quot;&lt;&quot;${}&quot; &lt;&amp;&quot;-&quot;&lt;&quot;${$0}&quot; &lt;&amp;&quot;-&quot;&lt;$(()) It also works on Bash 3.2.57, but some friends &hellip; <a href=\"https:\/\/www.floyd.ch\/?p=961\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[152],"tags":[148,45,15,184],"class_list":["post-961","post","type-post","status-publish","format-standard","hentry","category-fuzzing","tag-afl","tag-bash","tag-fuzzing","tag-segmentation-fault"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=961"}],"version-history":[{"count":15,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions"}],"predecessor-version":[{"id":1355,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions\/1355"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}