NetBSD-Bugs archive
Re: bin/55979 (sh single quotes removes nul characters)
The following reply was made to PR bin/55979; it has been noted by GNATS.
From: Justine Tunney <jtunney%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: kre%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: bin/55979 (sh single quotes removes nul characters)
Date: Tue, 9 Feb 2021 20:08:50 -0800
This could be a memory corruption issue. /bin/sh behaves unpredictably when
it encounters nul characters inside single quotes. Sometimes scripts that
do this will work and sometimes they don't. When they don't work it'll
usually print garbled data:
-bash-5.0# sh
netbsd# ./hello.com
./hello.com: r���PQ������1۰��YXr�ƃ�: not found
./hello.com: xec: not found
./hello.com: 6: Syntax error: "else" unexpected
ktrace reveals that $PATH search uses clobbered memory after parsing a
single quoted string with NUL characters:
ktrace sh -c ./hello.com
kdump -f ktrace.out
11172 1 sh CALL read(0xc,0x11f62e180,0x3f8)
11172 1 sh GIO fd 12 read 1016 bytes
"MZqFpD='\n\0\0\^P\0\M-x\0\0\0... etc.
\M-L\M-{\^N\^_\M-h\0\0^\M^A\M... etc.
\0U\M-*'\n#'\"\no=\"$(command -v \"... etc.
11172 1 sh RET read 1016/0x3f8
11172 1 sh CALL mmap(0,0x1000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
11172 1 sh RET mmap 126131311058944/0x72b73bfda000
11172 1 sh CALL __stat50(0x11f62e7f0,0x7f7fffbbe840)
11172 1 sh NAMI "/root/bin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
11172 1 sh RET __stat50 -1 errno 2 No such file or directory
11172 1 sh CALL __stat50(0x11f62e7f0,0x7f7fffbbe840)
11172 1 sh NAMI "/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
11172 1 sh RET __stat50 -1 errno 2 No such file or directory
11172 1 sh CALL __stat50(0x11f62e7f0,0x7f7fffbbe840)
11172 1 sh NAMI "/usr/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
11172 1 sh RET __stat50 -1 errno 2 No such file or directory
Can we fix this?
I misdiagnosed the issue earlier. Please disregard what I said about
needing NULs in strings. I don't care if NUL is filtered out. What I need
is for the shell to safely ignore binary data inside single quotes. For
more background on this executable format, see the following screenshot
https://justine.lol/apeheader.png and the design doc
https://justine.lol/ape.html
As for execve() + ENOEXEC safety restrictions, I have no opinion or need
for those.
If NetBSD wants to implement them, then I'd recommend doing what FreeBSD
did: check that a line exists before the first NUL character containing a
lowercase letter.
APE binaries always start with "MZqFpD=\n" so it won't impact this use
case. See:
https://github.com/freebsd/freebsd-src/commit/e0f5c1387df23c8c4811f5b24a7ef6ecac51a71a
https://github.com/jart/zsh/commit/94a4bc14bb2e415ec3d10cf716512bd3e0d99f48
On Sun, Feb 7, 2021 at 3:20 AM Robert Elz <kre%munnari.oz.au@localhost> wrote:
> The following reply was made to PR bin/55979; it has been noted by GNATS.
>
> From: Robert Elz <kre%munnari.OZ.AU@localhost>
> To: Christos Zoulas <christos%zoulas.com@localhost>
> Cc: gnats-bugs%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,
> jtunney%gmail.com@localhost
> Subject: Re: bin/55979 (sh single quotes removes nul characters)
> Date: Sun, 07 Feb 2021 18:15:03 +0700
>
> Date: Sat, 6 Feb 2021 21:13:47 -0500
> From: Christos Zoulas <christos%zoulas.com@localhost>
> Message-ID: <07BE2947-3B90-463F-B8D9-532A15FA0FED%zoulas.com@localhost>
>
> | Weird, it seems to be working for me.
> |
> | $ ./hello.com
> | hello world
>
> That works, Justine said it was working on NetBSD, what doesn't
> work is "sh hello.com" which I think is what is wanted.
>
> Justine, to change the shell we'd need a different heuristic that
> works as well, or at least close to it, to avoid executing files
> that should not be executed. And support from the users.
>
> kre
>
>
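The FreeBSD-style ENOEXEC heuristic the mail recommends, written here as an added example (not code from the PR, from NetBSD sh, or from the linked FreeBSD and zsh commits): before running a file as a script, require a complete line ahead of the first NUL byte that contains a lowercase letter. The function name and the sample headers are constructed, and treating the end of the examined prefix as a line end when it holds no NUL at all is my own assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example: the ENOEXEC-fallback check the mail attributes to FreeBSD,
 * implemented as described there, not copied from any shell.  A buffer
 * passes when a complete line (ended by '\n') occurs before the first NUL
 * byte and that line contains at least one lowercase ASCII letter.
 * Assumption (mine): if the examined prefix holds no NUL at all, its final
 * unterminated line is judged like a complete one.  Returns 1 or 0. */
int line_before_nul_has_lowercase(const unsigned char *buf, size_t len)
{
    int saw_lower = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\0')
            return 0;           /* NUL arrived before any qualifying line */
        if (c == '\n') {
            if (saw_lower)
                return 1;       /* complete line with a lowercase letter */
            saw_lower = 0;      /* line had none; inspect the next line */
        } else if (c >= 'a' && c <= 'z') {
            saw_lower = 1;
        }
    }
    return saw_lower;           /* no NUL in the prefix: text-only file */
}

/* Constructed samples: the start of an APE file as described in the mail
 * ("MZqFpD='\n" then binary), an ELF header, and a plain shell script. */
static const unsigned char ape_head[] = "MZqFpD='\n\0\0\x10\0\xf8\0\0\0";
static const unsigned char elf_head[] = "\x7f" "ELF\x02\x01\x01\0\0\0";
static const unsigned char sh_text[]  = "#!/bin/sh\necho hello world\n";

int ape_sample_passes(void) { return line_before_nul_has_lowercase(ape_head, sizeof ape_head - 1); }
int elf_sample_passes(void) { return line_before_nul_has_lowercase(elf_head, sizeof elf_head - 1); }
int sh_sample_passes(void)  { return line_before_nul_has_lowercase(sh_text, sizeof sh_text - 1); }

int main(void)
{
    printf("APE header: %s\n", ape_sample_passes() ? "script-like" : "reject");
    printf("ELF header: %s\n", elf_sample_passes() ? "script-like" : "reject");
    printf("sh script : %s\n", sh_sample_passes() ? "script-like" : "reject");
    return 0;
}
```

The APE header passes because its first line "MZqFpD='" ends before any NUL and contains lowercase letters, while the ELF header reaches a NUL without ever completing such a line.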