NetBSD-Bugs archive


Re: bin/55979 (sh single quotes removes nul characters)

This could be a memory corruption issue. /bin/sh behaves unpredictably when it encounters nul characters inside single quotes. Sometimes scripts that do this will work and sometimes they don't. When they don't work it'll usually print garbled data:

    -bash-5.0# sh
    netbsd# ./
    ./ r���PQ������1۰��YXr�ƃ�: not found
    ./ xec: not found
    ./ 6: Syntax error: "else" unexpected

ktrace reveals that $PATH search uses clobbered memory after parsing a single quoted string with NUL characters:

    ktrace sh -c ./
    kdump -f ktrace.out
     11172      1 sh       CALL  read(0xc,0x11f62e180,0x3f8)
     11172      1 sh       GIO   fd 12 read 1016 bytes
           "MZqFpD='\n\0\0\^P\0\M-x\0\0\0... etc.
            \M-L\M-{\^N\^_\M-h\0\0^\M^A\M... etc.
            \0U\M-*'\n#'\"\no=\"$(command -v \"... etc.
     11172      1 sh       RET   read 1016/0x3f8
     11172      1 sh       CALL  mmap(0,0x1000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
     11172      1 sh       RET   mmap 126131311058944/0x72b73bfda000
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/root/bin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/usr/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory

Can we fix this?

I misdiagnosed the issue earlier. Please disregard what I said about needing NULs in strings. I don't care if NUL is filtered out. What I need is for the shell to safely ignore binary data inside single quotes. For more background on this executable format, see the following screenshot and the design doc.

As for execve() + ENOEXEC safety restrictions, I have no opinion or need for those.
If NetBSD wants to implement them, then I'd recommend doing what FreeBSD did:
check that a line exists before the first NUL character containing a lowercase letter.
APE binaries always start with "MZqFpD=\n" so it won't impact this use case. See:

On Sun, Feb 7, 2021 at 3:20 AM Robert Elz <> wrote:
The following reply was made to PR bin/55979; it has been noted by GNATS.

From: Robert Elz <kre%munnari.OZ.AU@localhost>
To: Christos Zoulas <>
Subject: Re: bin/55979 (sh single quotes removes nul characters)
Date: Sun, 07 Feb 2021 18:15:03 +0700

     Date:        Sat, 6 Feb 2021 21:13:47 -0500
     From:        Christos Zoulas <>
     Message-ID:  <>

   | Weird, it seems to be working for me.
   | $ ./
   | hello world

 That works, Justine said it was working on NetBSD, what doesn't
 work is "sh" which I think is what is wanted.

 Justine, to change the shell we'd need a different heuristic that
 works as well, or at least close to it, to avoid executing files
 that should not be executed.   And support from the users.
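Two of the points in this thread are easy to show in code: the heuristic Justine attributes to FreeBSD for the execve() + ENOEXEC fallback (a line containing a lowercase letter must exist before the first NUL before the file is treated as a script), and the request that a shell scan single-quoted text by length rather than as a NUL-terminated C string. The block below is an added illustration written for this archive page; it is not FreeBSD's or NetBSD's implementation, and `looks_like_script` is my reading of the one-sentence description above. The sample prefix `MZqFpD='\n\0\0\x10` is reconstructed from the ktrace output in the report, and the other inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic as described in the thread (assumed reading, not FreeBSD's code):
 * before falling back to "run it as a shell script" after ENOEXEC, require a
 * complete '\n'-terminated line containing at least one lowercase letter to
 * appear before the first NUL byte.  'len' is the number of bytes read. */
int looks_like_script(const unsigned char *buf, size_t len)
{
    int saw_lower = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\0')
            return 0;            /* hit NUL before a qualifying line ended */
        if (c == '\n') {
            if (saw_lower)
                return 1;        /* a text line with a lowercase letter */
            saw_lower = 0;       /* start scanning the next line */
        } else if (islower(c)) {
            saw_lower = 1;
        }
    }
    return 0;                    /* buffer ended without a newline */
}

/* Length-aware scan of one single-quoted word.  Copies the quoted contents
 * into 'out', dropping embedded NUL bytes instead of letting them end the
 * string early.  Returns bytes written, or -1 if the closing quote is missing
 * or 'out' is too small.  'in' is never treated as a C string. */
long copy_single_quoted(const unsigned char *in, size_t len,
                        unsigned char *out, size_t outlen)
{
    size_t n = 0;
    if (len == 0 || in[0] != '\'')
        return -1;
    for (size_t i = 1; i < len; i++) {
        if (in[i] == '\'')
            return (long)n;      /* closing quote: word complete */
        if (in[i] == '\0')
            continue;            /* filter NUL, keep scanning by length */
        if (n >= outlen)
            return -1;
        out[n++] = in[i];
    }
    return -1;                   /* ran out of input before closing quote */
}

/* Scratch output buffer shared by main() and any external caller. */
unsigned char scratch[64];

int main(void)
{
    /* Constructed samples: APE-style prefix from the report, an ELF-like
     * header, a plain shell script, and a line with no lowercase letters. */
    static const unsigned char ape[]    = "MZqFpD='\n\0\0\x10";
    static const unsigned char elf[]    = "\x7f" "ELF\x02\x01\x01\0\0";
    static const unsigned char script[] = "#!/bin/sh\necho hi\n";
    static const unsigned char upper[]  = "ABC\n\0";

    printf("ape    -> %d\n", looks_like_script(ape, sizeof ape - 1));
    printf("elf    -> %d\n", looks_like_script(elf, sizeof elf - 1));
    printf("script -> %d\n", looks_like_script(script, sizeof script - 1));
    printf("upper  -> %d\n", looks_like_script(upper, sizeof upper - 1));

    /* Single-quoted word with two embedded NULs and a control byte. */
    static const unsigned char word[] = "'\n\0\0\x10" "abc'";
    long n = copy_single_quoted(word, sizeof word - 1, scratch, sizeof scratch);
    printf("quoted -> %ld bytes kept\n", n);
    return 0;
}
```

The second function is the shape of the fix the reporter asks for: once the shell tracks the length of the token it is scanning, a NUL inside quotes is just another byte to drop, and no later code (such as the $PATH search seen in the ktrace) can run off the end of a prematurely terminated string.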

