bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1


From: Chet Ramey
Subject: Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1's malloc.c
Date: Mon, 4 Oct 2021 17:57:14 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0

On 10/4/21 5:28 PM, Julien Moutinho wrote:
On Okt 04 2021, Chet Ramey wrote:
I suspect this is a buffer overflow introduced between systemd-247 and
systemd-249. It's not caught when building bash without the bash malloc
because the default libc malloc probably doesn't do the bounds checking
the bash malloc does, even without malloc debugging turned on.

Chet, thanks for you detailed analysis,
I've opened an issue to get some inputs from systemd's devs:
https://github.com/systemd/systemd/issues/20931

Le lun. 04 oct. 2021 22h44 +0200, Andreas Schwab a écrit :
If it's a buffer overflow, then valgrind should be able to catch it
(when bash is configured --without-bash-malloc).  valgrind's bounds
checking is much more advanced than what a checking malloc can do.

Andreas, just to confirm that so far I'm unable to get a crash or error
when using --without-bash-malloc, even in valgrind (but I'm a newbie at 
valgrind).

If you want to make sure that you're checking bash with valgrind, even in
the presence of bash optimizing execution and performing an `exec' of `id'
without forking, use a bash builtin like `true' instead of `id'.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]