[klibc] klibc sh segfault on invalid substitutions

Ben Hutchings ben at decadent.org.uk
Sun Nov 27 08:51:23 PST 2022


On Thu, 2022-11-24 at 06:15 +0100, Christoph Anton Mitterer wrote:
> Hey there.
> 
> There’s a bug in ash-based shells, including the one shipped with
> klibc.
> 
> The original variant is described here (for dash):
> https://lore.kernel.org/dash/b2e298215b3d51d8284296484caa138faddaa0e4.camel@scientia.org/
> respectively
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024635
> 
> 
> Apparently BusyBox’ sh (also ash based) doesn't segfault with the
> example I've found above.
> 
> But Harald van Dijk was able to create an example[0] where BusyBox’ sh
> segfaults, too, reported by him at:
> http://lists.busybox.net/pipermail/busybox/2022-November/090036.html
> 
> 
> klibc’s sh segfaults in BOTH cases, and he asked me whether I could
> forward this here also on his behalf.
> 
> 
> Could you please have a look at both?

I had a look at a core dump in gdb.  The loop at the bottom of
evalvar() seems to read off the end of the input string, and crashes
once p reaches an unmapped page.  This seems to match Harald's
analysis:
https://lore.kernel.org/dash/8710d1c3-d7c9-7332-4bc7-ce243a1cbd37@gigawatt.nl/

> It seems there's no bugtracker for klibc, or is there?

There's a component for it on bugzilla.kernel.org (under "Other").

> Just that this doesn't get forgotten by accident, I've also reported it
> downstream in the Debian BTS at:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024735
> 

That's also fine.

I don't think I will work on this in klibc until there's a fix in
upstream dash.  If you're still watching upstream dash, please let me
know when there's a fix I can pick.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
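The failure mode Ben describes above (a scanning loop in evalvar() that walks past the end of the input string until it reaches an unmapped page) is a common bug class in hand-written parsers. The following is an added illustration, not code from dash, klibc or this thread: a hypothetical scanner for the closing brace of a "${...}" substitution, shown once in the unchecked shape that keeps advancing past the NUL terminator on unterminated input, and once in a hardened shape that treats the terminator as a hard stop and reports an error instead. The function names and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scanner for the closing '}' of a "${...}" substitution.
 * This illustrates the bug class from the thread and is not the real
 * evalvar() code of dash or klibc. */

/* Unchecked shape: the only stop condition is '}'. On a terminated
 * expression it works; on an unterminated one such as "${x:-" it runs
 * past the NUL byte and keeps reading until it hits an unmapped page,
 * which is the crash seen in the core dump. Only ever call it here on
 * input that is known to be terminated. */
static const char *find_close_unchecked(const char *p)
{
    while (*p != '}')
        p++;
    return p;
}

/* Hardened shape: the NUL terminator is a hard stop, and nested "${"
 * is tracked so that "${a:-${b}}" resolves to the outer brace.
 * Returns NULL on unterminated input so the caller can raise a syntax
 * error instead of reading out of bounds. */
static const char *find_close_checked(const char *p)
{
    int depth = 1;
    for (; *p != '\0'; p++) {
        if (p[0] == '$' && p[1] == '{') {   /* p[1] is safe: p[0] != '\0' */
            depth++;
            p++;
        } else if (*p == '}' && --depth == 0) {
            return p;
        }
    }
    return NULL;
}

/* Offset of the matching '}' in a "${...}" expression, or -1 when the
 * expression does not start with "${" or is unterminated. */
int subst_close_offset(const char *expr)
{
    if (strncmp(expr, "${", 2) != 0)
        return -1;
    const char *end = find_close_checked(expr + 2);
    return end ? (int)(end - expr) : -1;
}

int main(void)
{
    /* Constructed samples: two well-formed, two unterminated, one plain. */
    const char *samples[] = { "${x:-word}", "${a:-${b}}", "${x:-", "${", "plain" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], subst_close_offset(samples[i]));

    /* The unchecked scanner is only exercised on terminated input. */
    printf("unchecked on \"${x:-word}\" -> %ld\n",
           (long)(find_close_unchecked(samples[0] + 2) - samples[0]));
    return 0;
}
```

Building the hardened variant with AddressSanitizer (-fsanitize=address) and feeding it the unterminated samples is a cheap regression check for this bug class: the checked scanner returns -1, while an unchecked loop of the first shape would be reported as a heap- or stack-buffer-overflow read long before it reaches an unmapped page.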