On Oct 04 2021, Chet Ramey wrote:
> I suspect this is a buffer overflow introduced between systemd-247 and
> systemd-249. It's not caught when building bash without the bash malloc
> because the default libc malloc probably doesn't do the bounds checking
> the bash malloc does, even without malloc debugging turned on.

Chet, thanks for your detailed analysis, I've opened an issue to get some
inputs from systemd's devs: https://github.com/systemd/systemd/issues/20931

On Mon, 04 Oct 2021 22:44 +0200, Andreas Schwab wrote:
> If it's a buffer overflow, then valgrind should be able to catch it
> (when bash is configured --without-bash-malloc). valgrind's bounds
> checking is much more advanced than what a checking malloc can do.

Andreas, just to confirm that so far I'm unable to get a crash or error
when using --without-bash-malloc, even in valgrind (but I'm a newbie at
valgrind).

# systemd-run --pipe -p DynamicUser=1 -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash -- $(readlink $(which valgrind)) --trace-children=yes -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3128.service
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command: /nix/store/2kw8gj9lm1kn6zbpw5nf68h7msm1y716-bash-5.1-p8/bin/bash --norc -c /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426==
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command: /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426==
> ==669426==
> ==669426== HEAP SUMMARY:
> ==669426== in use at exit: 3,550 bytes in 10 blocks
> ==669426== total heap usage: 903 allocs, 893 frees, 5,165,001 bytes allocated
> ==669426==
> ==669426== LEAK SUMMARY:
> ==669426== definitely lost: 0 bytes in 0 blocks
> ==669426== indirectly lost: 0 bytes in 0 blocks
> ==669426== possibly lost: 0 bytes in 0 blocks
> ==669426== still reachable: 3,446 bytes in 9 blocks
> ==669426== suppressed: 104 bytes in 1 blocks
> ==669426== Rerun with --leak-check=full to see details of leaked memory
> ==669426==
> ==669426== For lists of detected and suppressed errors, rerun with: -s
> ==669426== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

# systemd-run --pipe -p DynamicUser=1 -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3109.service
> uid=62878(run-u3109) gid=62878(run-u3109) groups=62878(run-u3109)
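The thread turns on the difference between a "checking malloc" (bash's own allocator) and a plain libc malloc. The following is an added example, not code from this thread, from bash or from systemd: a minimal checking allocator that places a canary after every allocation and reports at free time whether the caller wrote past its logical length. The names `guarded_malloc`, `guarded_check`, `guarded_free` and `demo_write`, the canary value and the sample sizes are this example's own assumptions. It shows why such an allocator only notices an overrun when its check runs (here, in free), whereas a glibc malloc without canaries may let a small overrun into its slack bytes pass silently, and valgrind would flag the offending store itself.

```c
/* Added example: a toy "checking malloc" with a trailing canary.
 * Not the bash allocator; names and constants are this example's assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES 8
static const unsigned char GUARD_FILL = 0xA5;   /* arbitrary canary byte (assumption) */

/* Header stored in front of the caller's region. The union keeps the
 * returned pointer aligned for any object type. */
union guarded_hdr {
    size_t user_len;        /* bytes requested by the caller */
    max_align_t align;
};

/* Allocate user_len bytes with a header in front and a canary behind. */
void *guarded_malloc(size_t user_len)
{
    union guarded_hdr *hdr = malloc(sizeof *hdr + user_len + GUARD_BYTES);
    if (hdr == NULL)
        return NULL;
    hdr->user_len = user_len;
    unsigned char *user = (unsigned char *)(hdr + 1);
    memset(user + user_len, GUARD_FILL, GUARD_BYTES);   /* canary follows the user region */
    return user;
}

/* Return 0 if the canary behind p is intact, 1 if any canary byte was overwritten. */
int guarded_check(const void *p)
{
    const union guarded_hdr *hdr = (const union guarded_hdr *)p - 1;
    const unsigned char *guard = (const unsigned char *)p + hdr->user_len;
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (guard[i] != GUARD_FILL)
            return 1;
    return 0;
}

/* Free the block and report corruption, the way a checking malloc
 * would abort in free() rather than at the offending write. */
int guarded_free(void *p)
{
    int corrupted = guarded_check(p);
    free((union guarded_hdr *)p - 1);
    return corrupted;
}

/* Demonstration helper: write n bytes into a len-byte buffer and return
 * what guarded_free reports (0 intact, 1 canary clobbered, -1 refused).
 * Writes stay inside memory this allocator actually owns (user region plus
 * canary), so the demo has no undefined behaviour; it only crosses the
 * *logical* length, which is exactly what the canary is there to catch. */
int demo_write(size_t len, size_t n)
{
    if (n > len + GUARD_BYTES)
        return -1;                      /* would leave our own allocation */
    unsigned char *buf = guarded_malloc(len);
    if (buf == NULL)
        return -1;
    memset(buf, 'x', n);                /* 'x' (0x78) differs from the canary byte */
    return guarded_free(buf);
}

int main(void)
{
    printf("16 bytes into a 16-byte buffer: %d\n", demo_write(16, 16));   /* 0 */
    printf("17 bytes into a 16-byte buffer: %d\n", demo_write(16, 17));   /* 1 */
    return 0;
}
```

The off-by-one case is the instructive one: libc's malloc has nothing at `buf[16]` that would make the program misbehave, so a run without the checking allocator can look clean, while the canary (or valgrind, which tracks addressable bytes rather than waiting for free) reports it.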