URL: <https://savannah.gnu.org/bugs/?68534>
Summary: heap-buffer-overflow in ansicstr/bexpand: size_t to
int truncation allocates 12-byte buffer for ~2 GB write
Group: The GNU Bourne-Again SHell
Submitter: gerben_altlinux
Submitted: Пт 17 июл 2026 15:02:47
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Unlocked
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Пт 17 июл 2026 15:02:47 By: Denis Rastyogin <gerben_altlinux>
In ansicstr() (lib/sh/strtrans.c:68) and bexpand() (builtins /printf.def:1199)
the output buffer size is stored in int temp:
int c, temp;
...
temp = 4*len + 4; /* len is size_t */
if (temp < 12)
temp = 12;
ret = (char *)xmalloc(temp);
When len >= 536870912 (~512 MB), 4*len+4 overflows int32, the < 12 guard
fires, xmalloc(12) allocates 12 bytes. The copy loop then writes up to len
bytes into that buffer, corrupting the heap and leading to SIGSEGV.
python3 -c "import sys; sys.stdout.buffer.write(b'A'*536870912)" >
/tmp/poc.bin
bash -c 'v=$(cat /tmp/poc.bin); printf "%b" "$v"'
RCE: tested with ASLR=0, --with-bash-malloc, heap layout determined via GDB.
bash_malloc free-list pointers are unobfuscated; the linear overwrite
reaches SHELL_VAR.dynamic_value and replaces it with system().
Found by Denis Rastyogin <[email protected]> (ALT Linux).
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?68534>
_______________________________________________
Сообщение отправлено по Savannah
https://savannah.gnu.org/
signature.asc
Description: PGP signature
