From: Youheng Lü
To: bug-bash@gnu.org
Subject: eval '<$(;)' causes Segmentation Fault

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall
uname output: Linux sw-c-098 6.8.0-40-generic #40~22.04.3-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 30 17:30:19 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Description:
    Certain strings when given to `eval` cause a Segmentation Fault in bash.

Repeat-By:
    1. Create a script, i.e. `poc.sh` with the problematic string
    2. Execute `bash poc.sh`

Example:
    $ cat poc.sh
    eval '<$(;)'
    $ bash poc.sh
    poc.sh: command substitution: line 2: syntax error near unexpected token `;'
    poc.sh: command substitution: line 2: `;)'
    poc.sh: line 1: 42674 Segmentation fault (core dumped)

Related Issues:
    All the following scripts can create a Segmentation Fault
    eval '<$[;]'
    eval '<$(;)'
    eval '<${;}'
    eval '<$[|]'
    eval '<$(|)'
    eval '<${|}'

GDB:
    The Segmentation Fault appears in `parse_and_execute`. At some point $rax gets corrupted and the program tries to read from $rax=0x5555ffffffff, which is an invalid address.

    $ gdb -nx bash
    Reading symbols from bash...
    (No debugging symbols found in bash)
    (gdb) set follow-fork-mode child
    (gdb) run poc.sh
    Starting program: /usr/bin/bash poc.sh
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [Attaching after Thread 0x7ffff7f6f740 (LWP 46590) fork to child process 46593]
    [New inferior 2 (process 46593)]
    [Detaching after fork from parent process 46590]
    [Inferior 1 (process 46590) detached]
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    poc.sh: command substitution: line 3: syntax error near unexpected token `;'
    poc.sh: command substitution: line 3: `;)'

    Thread 2.1 "bash" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff7f6f740 (LWP 46593)]
    0x0000555555601f27 in parse_and_execute ()
    (gdb) x/i $rip
    => 0x555555601f27 <parse_and_execute+263>:  cmpb   $0x0,(%rax)
    (gdb) x/gx $rax
    0x5555ffffffff: Cannot access memory at address 0x5555ffffffff
    (gdb) bt
    #0  0x0000555555601f27 in parse_and_execute ()
    #1  0x00005555556037a1 in evalstring ()
    #2  0x00005555555a798c in ?? ()
    #3  0x00005555555a06b4 in ?? ()
    #4  0x00005555555a1b5d in execute_command_internal ()
    #5  0x00005555555a41b8 in execute_command ()
    #6  0x00005555555953cb in reader_loop ()
    #7  0x0000555555586c46 in main ()
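A regression check for packagers and administrators who want to know whether an installed bash still crashes on these inputs, added here as an example; it is not part of Youheng Lü's report and not bash project code. The script feeds each string from the Related Issues list to a child bash with core dumps disabled and labels how the child ended. The report's gdb session shows the fault in the forked command-substitution child (inferior 2), not the parent, so the parent's exit status alone may not be 139; the script therefore also looks for the "Segmentation fault" notice the parent prints on stderr, as seen in the report's example run. The function names, the label strings and a `bash` binary on PATH are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original bug report: probe an installed
# bash with the inputs from the report and label how each run ended.
# Assumes a `bash` binary on PATH; labels and function names are our own.

# The six inputs listed under "Related Issues" in the report.
reported_inputs() {
    cat <<'EOF'
eval '<$[;]'
eval '<$(;)'
eval '<${;}'
eval '<$[|]'
eval '<$(|)'
eval '<${|}'
EOF
}

# Map a child exit status to a label: 128+11 means death by SIGSEGV.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "error-$1"
             fi ;;
    esac
}

# Run one snippet in a child bash (core dumps off, C locale so the
# "Segmentation fault" notice is not translated) and print a label.
# Always returns 0 so a caller running under `set -e` keeps going.
probe_one() {
    input=$1
    errfile=$(mktemp) || { echo error-mktemp; return 0; }
    status=0
    ( ulimit -c 0 2>/dev/null
      export LC_ALL=C
      exec bash -c "$input" ) </dev/null >/dev/null 2>"$errfile" || status=$?
    # The report shows the crash in the forked command-substitution child,
    # which the parent announces on stderr; trust that notice over $status.
    if grep -q 'Segmentation fault' "$errfile"; then
        label=segfault
    else
        label=$(classify_status "$status")
    fi
    rm -f "$errfile"
    echo "$label"
    return 0
}

# Probe every reported input and print "<label><TAB><input>" per line.
probe_all() {
    reported_inputs | while IFS= read -r line; do
        printf '%s\t%s\n' "$(probe_one "$line")" "$line"
    done
}

probe_all
```

On a fixed bash every line should read `error-...` (the syntax error inside the command substitution is still reported, but the parent survives); a `segfault` label means the installed build still has the defect described in the report.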