Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Sep 2014 23:19:24 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: Non-upstream patches for bash

Hi All,

Based on the current situation and the fact that there is confusion 
about what patch to use for the bash issue. I wanted to post this here.

We have found a few more issues (OOB memory access). Also I am posting 
Florain's patch here which should fix the issue in a more deeper way 
rather than just apply duct-tape.

Any feed back etc is welcome!


-------- Forwarded Message --------
Subject: Non-upstream patches for bash
Date: Thu, 25 Sep 2014 19:37:36 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Huzaifa Sidhpurwala <huzaifas@...hat.com>, Joshua Bressers 
<bressers@...hat.com>

Note that if you ship 4.3, you might want to reevaluate a decision to
enable array variable import from the environment.

Internal analysis revealed two out-of-bounds array accesses in the bash
parser.  This was also independently and privately reported by Todd
Sabin <tsabin@...online.net>.

The redir_stack issue is this:

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault (core dumped)

The word_lineno issue is this (only visible with address sanitizer, but
it's probably to come up with something better):

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
{1..200} ; do echo done ; done) > test-script.sh $ bash test-script.sh

Both issues are fixed by the parser-oob patches.

I'm also including the function definition affix patch which has already
been posted to oss-security.  (variables-affix-3.0.patch has only seen
very light review and testing yet, but it's a fairly straightforward
backport.)

You'll also want Chet's one-liner patch posted to oss-security.

-- 
Florian Weimer / Red Hat Product Security





--- ../bash-4.2-orig/parse.y	2014-09-25 13:07:59.218209276 +0200
+++ parse.y	2014-09-25 15:26:52.813159810 +0200
@@ -264,9 +264,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
    defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+    abort ();
+  redir_stack = xrealloc (redir_stack,
+			  (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
@@ -519,42 +531,42 @@
 			  source.dest = 0;
 			  redir.filename = $2;
 			  $$ = make_redirection (source, r_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS WORD
 			{
 			  source.dest = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	REDIR_WORD LESS_LESS WORD
 			{
 			  source.filename = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_MINUS WORD
 			{
 			  source.dest = 0;
 			  redir.filename = $2;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS_MINUS WORD
 			{
 			  source.dest = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	REDIR_WORD  LESS_LESS_MINUS WORD
 			{
 			  source.filename = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_LESS WORD
 			{
@@ -4757,7 +4769,7 @@
     case CASE:
     case SELECT:
     case FOR:
-      if (word_top < MAX_CASE_NEST)
+      if (word_top + 1 < MAX_CASE_NEST)
 	word_top++;
       word_lineno[word_top] = line_number;
       break;



--- bash-3.0-orig/variables.c	2014-09-25 18:50:08.987614049 +0200
+++ bash-3.0/variables.c	2014-09-25 18:50:45.588769468 +0200
@@ -227,7 +227,7 @@
 static void propagate_temp_var __P((PTR_T));
 static void dispose_temporary_env __P((sh_free_func_t *));     
 
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
 static char **make_env_array_from_var_list __P((SHELL_VAR **));
 static char **make_var_export_array __P((VAR_CONTEXT *));
 static char **make_func_export_array __P((void));
@@ -240,6 +240,13 @@
 static void push_exported_var __P((PTR_T));
 
 static inline int find_special_var __P((const char *));
+
+/* Prefix and suffix for environment variable names which contain
+   shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
 	       
 /* Initialize the shell variables from the current environment.
    If PRIVMODE is nonzero, don't import functions from ENV or
@@ -289,22 +296,31 @@
 
       /* If exported function, define it now.  Don't import functions from
 	 the environment in privileged mode. */
-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
-	{
-	  string_length = strlen (string);
-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
-
-	  strcpy (temp_string, name);
-	  temp_string[char_index] = ' ';
-	  strcpy (temp_string + char_index + 1, string);
+      if (privmode == 0 && read_but_dont_execute == 0
+ 	  && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+ 	  && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+ 	  && STREQN ("() {", string, 4))
+ 	{
+ 	  size_t name_length
+ 	    = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+ 	  char *temp_name = name + FUNCDEF_PREFIX_LEN;
+ 	  /* Temporarily remove the suffix. */
+ 	  temp_name[name_length] = '\0';
+ 
+ 	  string_length = strlen (string);
+ 	  temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+ 	  memcpy (temp_string, temp_name, name_length);
+ 	  temp_string[name_length] = ' ';
+ 	  memcpy (temp_string + name_length + 1, string, string_length + 1);
 
 	  /* Don't import function names that are invalid identifiers from the
 	     environment, though we still allow them to be defined as shell
 	     variables. */
-	  if (legal_identifier (name))
-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+	  if (legal_identifier (temp_name))
+	    parse_and_execute (temp_string, temp_name,
+			       SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
-	  if (temp_var = find_function (name))
+	  if (temp_var = find_function (temp_name))
 	    {
 	      VSETATTR (temp_var, (att_exported|att_imported));
 	      array_needs_making = 1;
@@ -312,9 +328,8 @@
 	  else
 	    report_error (_("error importing function definition for `%s'"), name);
 
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
+ 	  /* Restore the original suffix. */
+ 	  temp_name[name_length] = FUNCDEF_SUFFIX[0];
 	}
 #if defined (ARRAY_VARS)
 #  if 0
@@ -2117,7 +2132,7 @@
   var->context = variable_context;	/* XXX */
 
   INVALIDATE_EXPORTSTR (var);
-  var->exportstr = mk_env_string (name, value);
+  var->exportstr = mk_env_string (name, value, 0);
 
   array_needs_making = 1;
 
@@ -2899,22 +2914,43 @@
 /*								    */
 /* **************************************************************** */
 
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+   which case it is treated as empty).  Otherwise, decorate NAME with
+   FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+   FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces).  */
 static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
      const char *name, *value;
+     int functionp;
 {
-  int name_len, value_len;
-  char	*p;
+  size_t name_len, value_len;
+  char *p, *q;
 
   name_len = strlen (name);
   value_len = STRLEN (value);
-  p = (char *)xmalloc (2 + name_len + value_len);
-  strcpy (p, name);
-  p[name_len] = '=';
+  if (functionp && value != NULL)
+    {
+      p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+			   + 1 + value_len + 1);
+      q = p;
+      memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+      q += FUNCDEF_PREFIX_LEN;
+      memcpy (q, name, name_len);
+      q += name_len;
+      memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+      q += FUNCDEF_SUFFIX_LEN;
+    }
+  else
+    {
+      p = (char *)xmalloc (name_len + 1 + value_len + 1);
+      memcpy (p, name, name_len);
+      q = p + name_len;
+    }
+  q[0] = '=';
   if (value && *value)
-    strcpy (p + name_len + 1, value);
+    memcpy (q + 1, value, value_len + 1);
   else
-    p[name_len + 1] = '\0';
+    q[1] = '\0';
   return (p);
 }
 
@@ -2989,7 +3025,7 @@
 	  /* Gee, I'd like to get away with not using savestring() if we're
 	     using the cached exportstr... */
 	  list[list_index] = USE_EXPORTSTR ? savestring (value)
-					   : mk_env_string (var->name, value);
+	    : mk_env_string (var->name, value, function_p (var));
 
 	  if (USE_EXPORTSTR == 0)
 	    SAVE_EXPORTSTR (var, list[list_index]);


--- bash-3.2-orig/parse.y	2014-09-25 18:00:08.742924560 +0200
+++ bash-3.2/parse.y	2014-09-25 17:59:33.488769406 +0200
@@ -253,9 +253,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
    defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+    abort ();
+  redir_stack = xrealloc (redir_stack,
+			  (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
@@ -424,13 +436,13 @@
 			{
 			  redir.filename = $2;
 			  $$ = make_redirection (0, r_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS WORD
 			{
 			  redir.filename = $3;
 			  $$ = make_redirection ($1, r_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_LESS WORD
 			{
@@ -487,14 +499,14 @@
 			  redir.filename = $2;
 			  $$ = make_redirection
 			    (0, r_deblank_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS_MINUS WORD
 			{
 			  redir.filename = $3;
 			  $$ = make_redirection
 			    ($1, r_deblank_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	GREATER_AND '-'
 			{
@@ -3767,7 +3779,7 @@
     case CASE:
     case SELECT:
     case FOR:
-      if (word_top < MAX_CASE_NEST)
+      if (word_top + 1 < MAX_CASE_NEST)
 	word_top++;
       word_lineno[word_top] = line_number;
       break;


--- ../bash-4.2-orig/variables.c	2014-09-25 13:07:59.313209541 +0200
+++ variables.c	2014-09-25 13:15:29.869420719 +0200
@@ -268,7 +268,7 @@
 static void propagate_temp_var __P((PTR_T));
 static void dispose_temporary_env __P((sh_free_func_t *));     
 
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
 static char **make_env_array_from_var_list __P((SHELL_VAR **));
 static char **make_var_export_array __P((VAR_CONTEXT *));
 static char **make_func_export_array __P((void));
@@ -301,6 +301,14 @@
 #endif
 }
 
+/* Prefix and suffix for environment variable names which contain
+   shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
+
+
 /* Initialize the shell variables from the current environment.
    If PRIVMODE is nonzero, don't import functions from ENV or
    parse $SHELLOPTS. */
@@ -338,27 +346,39 @@
 
       /* If exported function, define it now.  Don't import functions from
 	 the environment in privileged mode. */
-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
-	{
-	  string_length = strlen (string);
-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
+      if (privmode == 0 && read_but_dont_execute == 0
+	  && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+	  && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+	  && STREQN ("() {", string, 4))
+	{
+	  size_t name_length
+	    = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+	  char *temp_name = name + FUNCDEF_PREFIX_LEN;
+	  /* Temporarily remove the suffix. */
+	  temp_name[name_length] = '\0';
 
-	  strcpy (temp_string, name);
-	  temp_string[char_index] = ' ';
-	  strcpy (temp_string + char_index + 1, string);
+	  string_length = strlen (string);
+	  temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+	  memcpy (temp_string, temp_name, name_length);
+	  temp_string[name_length] = ' ';
+	  memcpy (temp_string + name_length + 1, string, string_length + 1);
 
 	  /* Don't import function names that are invalid identifiers from the
 	     environment. */
-	  if (legal_identifier (name))
-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+	  if (legal_identifier (temp_name))
+	    parse_and_execute (temp_string, temp_name,
+			       SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
-	  if (temp_var = find_function (name))
+	  if (temp_var = find_function (temp_name))
 	    {
 	      VSETATTR (temp_var, (att_exported|att_imported));
 	      array_needs_making = 1;
 	    }
 	  else
 	    report_error (_("error importing function definition for `%s'"), name);
+
+	  /* Restore the original suffix. */
+	  temp_name[name_length] = FUNCDEF_SUFFIX[0];
 	}
 #if defined (ARRAY_VARS)
 #  if 0
@@ -2537,7 +2557,7 @@
   var->context = variable_context;	/* XXX */
 
   INVALIDATE_EXPORTSTR (var);
-  var->exportstr = mk_env_string (name, value);
+  var->exportstr = mk_env_string (name, value, 0);
 
   array_needs_making = 1;
 
@@ -3388,22 +3408,43 @@
 /*								    */
 /* **************************************************************** */
 
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+   which case it is treated as empty).  Otherwise, decorate NAME with
+   FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+   FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces).  */
 static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
      const char *name, *value;
+     int functionp;
 {
-  int name_len, value_len;
-  char	*p;
+  size_t name_len, value_len;
+  char *p, *q;
 
   name_len = strlen (name);
   value_len = STRLEN (value);
-  p = (char *)xmalloc (2 + name_len + value_len);
-  strcpy (p, name);
-  p[name_len] = '=';
+  if (functionp && value != NULL)
+    {
+      p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+			   + 1 + value_len + 1);
+      q = p;
+      memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+      q += FUNCDEF_PREFIX_LEN;
+      memcpy (q, name, name_len);
+      q += name_len;
+      memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+      q += FUNCDEF_SUFFIX_LEN;
+    }
+  else
+    {
+      p = (char *)xmalloc (name_len + 1 + value_len + 1);
+      memcpy (p, name, name_len);
+      q = p + name_len;
+    }
+  q[0] = '=';
   if (value && *value)
-    strcpy (p + name_len + 1, value);
+    memcpy (q + 1, value, value_len + 1);
   else
-    p[name_len + 1] = '\0';
+    q[1] = '\0';
   return (p);
 }
 
@@ -3489,7 +3530,7 @@
 	  /* Gee, I'd like to get away with not using savestring() if we're
 	     using the cached exportstr... */
 	  list[list_index] = USE_EXPORTSTR ? savestring (value)
-					   : mk_env_string (var->name, value);
+	    : mk_env_string (var->name, value, function_p (var));
 
 	  if (USE_EXPORTSTR == 0)
 	    SAVE_EXPORTSTR (var, list[list_index]);


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ