Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fdebug-prefix-map=/build/bash-2bxm7h/bash-5.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -Wno-parentheses -Wno-format-security
uname output: Linux garegga 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.0
Patch Level: 3
Release Status: release

Description:
        Bash 2.04 through 5.0 crash when trying to write to a closed socket.
        It is expected for bash to give a user error, but it exits instead.

        Using the socket opening feature in the redirection code, opening a
        socket, assigning it to a file descriptor, then having that socket
        close and trying to write to it again will crash. This bug works on
        version 2.04 (when writing to sockets was first introduced) through 5.0.

        Backtrace:

        Program received signal SIGPIPE, Broken pipe.
        0x00007ffff7eab504 in __GI___libc_write (fd=1, buf=0x5555559f0c08, nbytes=1) at ../sysdeps/unix/sysv/linux/write.c:26
        26      ../sysdeps/unix/sysv/linux/write.c: Aucun fichier ou dossier de ce type.
        (gdb) where
        #0  0x00007ffff7eab504 in __GI___libc_write (fd=1, buf=0x5555559f0c08, nbytes=1) at ../sysdeps/unix/sysv/linux/write.c:26
        #1  0x00007ffff7e3c3bd in _IO_new_file_write (f=0x7ffff7f7d760 <_IO_2_1_stdout_>, data=0x5555559f0c08, n=1) at fileops.c:1183
        #2  0x00007ffff7e3b75f in new_do_write (fp=0x7ffff7f7d760 <_IO_2_1_stdout_>, fp@entry=0x1, data=0x5555559f0c08 "\n\n", '\337' <repeats 197 times>, <incomplete sequence \337>..., to_do=to_do@entry=1) at libioP.h:839
        #3  0x00007ffff7e3d509 in _IO_new_do_write (to_do=1, data=<optimized out>, fp=0x1) at fileops.c:430
        #4  _IO_new_do_write (fp=fp@entry=0x7ffff7f7d760 <_IO_2_1_stdout_>, data=<optimized out>, to_do=1) at fileops.c:430
        #5  0x00007ffff7e3d8f3 in _IO_new_file_overflow (f=0x7ffff7f7d760 <_IO_2_1_stdout_>, ch=10) at fileops.c:791
        #6  0x00005555557cf1e5 in putchar (__c=10) at /usr/include/x86_64-linux-gnu/bits/stdio.h:84
        #7  echo_builtin (list=<optimized out>) at ./echo.def:199
        #8  0x00005555555efc9b in execute_builtin (builtin=builtin@entry=0x5555557ce6d0 <echo_builtin>, flags=flags@entry=0, subshell=subshell@entry=0, words=<optimized out>) at execute_cmd.c:4708
        #9  0x00005555555fc819 in execute_builtin_or_function (flags=<optimized out>, fds_to_close=0x555555a5f2e8, redirects=<optimized out>, var=0x0, builtin=0x5555557ce6d0 <echo_builtin>, words=0x555555a069c8) at execute_cmd.c:5216
        #10 execute_simple_command (simple_command=<optimized out>, pipe_in=pipe_in@entry=-1, pipe_out=pipe_out@entry=-1, async=async@entry=0, fds_to_close=fds_to_close@entry=0x555555a5f2e8) at execute_cmd.c:4478
        #11 0x000055555560310e in execute_command_internal (command=0x555555a5f388, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555a5f2e8) at execute_cmd.c:841
        #12 0x0000555555609b31 in execute_command (command=0x555555a5f388) at execute_cmd.c:394
        #13 0x000055555558d8a9 in reader_loop () at eval.c:175
        #14 0x000055555558896d in main (argc=1, argv=0x7fffffffe3d8, env=0x7fffffffe3e8) at shell.c:805

Repeat-By:
        1. Open bash.
        2. Open any kind of socket and assign it to a file descriptor:
           exec 3<>/dev/tcp/www.google.com/80
        3. Have the socket close, for example sending garbage to close the socket:
           echo "a" >&3; echo "a" >&3
        4. Try to write to the socket again:
           echo "" >&3
        5. Bash crashes.

--
xy2_ (Hugo Elhaj-Lahsen)
www.xy2.dev
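Added example, not part of the original report: the backtrace ends in SIGPIPE raised inside `echo_builtin`, and the script below reproduces that offline and shows the same write returning an error once the shell ignores SIGPIPE. A FIFO whose reader has exited stands in for the closed socket (an assumption; both fail a write with EPIPE), and the names `child` and `write_after_peer_close` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: a FIFO whose reader has exited stands in for the socket
# closed by the peer (constructed, runs offline).

# Script for the child bash: $1 = FIFO path, $2 = "ignore" to ignore SIGPIPE.
child='
  [ "$2" = ignore ] && trap "" PIPE   # ignored: write(2) fails with EPIPE instead
  : <"$1" &                           # short-lived peer holding the read end
  exec 3>"$1"                         # our descriptor, like exec 3<>/dev/tcp/...
  wait "$!"                           # peer has exited: nobody is reading now
  if echo "" >&3 2>/dev/null; then
    exit 2                            # write unexpectedly succeeded
  fi
  exit 0                              # echo returned an error, shell still alive
'

# Run the child in the given mode ("default" or "ignore") and report how it ended.
# Note: a shell that was started with SIGPIPE already ignored cannot reset it,
# so "default" assumes the caller left SIGPIPE at its default disposition.
write_after_peer_close() {
  local dir rc
  dir=$(mktemp -d) || return 1
  mkfifo "$dir/peer"
  rc=0
  bash -c "$child" bash "$dir/peer" "$1" || rc=$?
  rm -rf "$dir"
  case $rc in
    141) echo "killed by SIGPIPE" ;;              # 128 + signal 13
    0)   echo "write failed, shell survived" ;;
    *)   echo "unexpected status $rc" ;;
  esac
}

for mode in default ignore; do
  printf '%-8s %s\n' "$mode" "$(write_after_peer_close "$mode")"
done
```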