NetBSD-Bugs archive


Re: bin/55979 (sh single quotes removes nul characters)



The following reply was made to PR bin/55979; it has been noted by GNATS.

From: Kamil Rytarowski <kamil%netbsd.org@localhost>
To: Robert Elz <kre%munnari.OZ.AU@localhost>, gnats-bugs%netbsd.org@localhost, kamil%netbsd.org@localhost
Cc: 
Subject: Re: bin/55979 (sh single quotes removes nul characters)
Date: Wed, 10 Feb 2021 18:37:43 +0100

 On 10.02.2021 17:48, Robert Elz wrote:
 >     Date:        Wed, 10 Feb 2021 08:45:02 +0000 (UTC)
 >     From:        Kamil Rytarowski <kamil%netbsd.org@localhost>
 >     Message-ID:  <20210210084502.5509F1A9241%mollari.NetBSD.org@localhost>
 > 
 >   |  SUMMARY: MemorySanitizer: use-of-uninitialized-value
 >   |  /usr/src/bin/sh/exec.c:138:18 in shellexec
 >   |  Exiting
 >   |  ./hello.com: 6: Syntax error: ")" unexpected
 >   |  
 >   |  There is something wrong with or around padvance(). ':' gets stripped
 >   |  from PATH and there is an uninitialized memory read.
 > 
 > I will take a look at that, but first, Kamil can you tell me which sh
 > source version you used for that, HEAD, or netbsd-9, or ?   (Perhaps the
 > cvs version numbers of exec.c and eval.c).
 > 
 > Also, which hello.com are you using?  When I try it (with the original
 > from the original PR, fetched soon after it was filed) I see:
 > 
 > 	jinx$ ./sh /tmp/hello.com
 > 	./sh: Cannot execute ELF binary /tmp/hello.com
 > 
 > which is exactly what I'd expect to see (but version I have does not
 > start with that "MZqFpD=\n" string).
 > 
 > The analysis from msan is a little odd, as cmdentry local var (struct)
 > used in evalcommand(), and while fields from it are passed to other functions,
 > the struct itself is not (nor is its address ever evaluated), so it is a
 > bit hard to imagine how shellexec() is reading uninit'd values from it.
 > 
 > On the other hand, when evalcommand() calls shellexec() it does pass
 > cmdentry.u.index (a field in a union in the struct) as one of the parameters,
 > but if that is the uninit'd value, I'd have expected it to be detected
 > where it is fetched (in evalcommand()) rather than where the value is used.
 > 
 > Apart from that, about all I can imagine is that something has a wild
 > pointer which is accessing random stack memory -- that or perhaps the
 > random(ish) binary data which is being used here is somehow fooling msan
 > into believing something different than what is actually happening.
 > 
 > kre
 > 
 > ps: everyone ignore the question/comment about mmap() ... martin@
 > reminded me that that's just malloc() doing its thing.   I date from
 > the days when malloc() used sbrk()...
 > 
 > 
 
 I've uploaded a tarball with src/bin/sh/ with hello.com and the prebuilt
 sh executable to:
 
 http://netbsd.org/~kamil/sh-pr55979.tar.bz2 (2.5 MB)
 
 $ uname -a
 NetBSD chieftec 9.99.79 NetBSD 9.99.79 (GENERIC) #3: Tue Jan 26 13:24:54
 CET 2021
 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
 
 The sh version is from HEAD of CVS and I have removed local patches
 printf-ing some debug code as seen in the original report.
 
 It shows me:
 
 $ ./sh hello.com
 
 ==14798==WARNING: MemorySanitizer: use-of-uninitialized-value
     #0 0x46fa69 in shellexec /usr/src/bin/sh/exec.c:136:18
     #1 0x464ddc in evalcommand /usr/src/bin/sh/eval.c:1392:3
     #2 0x44e198 in evaltree /usr/src/bin/sh/eval.c:375:4
     #3 0x518f3f in cmdloop /usr/src/bin/sh/main.c:320:4
     #4 0x51736e in main /usr/src/bin/sh/main.c:262:3
     #5 0x41fa8b in ___start (/usr/src/bin/sh/./sh+0x41fa8b)
 
   Uninitialized value was stored to memory at
     #0 0x46f31d in shellexec /usr/src/bin/sh/exec.c:126
     #1 0x464ddc in evalcommand /usr/src/bin/sh/eval.c:1392:3
     #2 0x44e198 in evaltree /usr/src/bin/sh/eval.c:375:4
     #3 0x518f3f in cmdloop /usr/src/bin/sh/main.c:320:4
     #4 0x51736e in main /usr/src/bin/sh/main.c:262:3
     #5 0x41fa8b in ___start (/usr/src/bin/sh/./sh+0x41fa8b)
 
   Uninitialized value was created by an allocation of 'cmdentry' in the
 stack frame of function 'evalcommand'
     #0 0x458420 in evalcommand /usr/src/bin/sh/eval.c:870
 
 SUMMARY: MemorySanitizer: use-of-uninitialized-value
 /usr/src/bin/sh/exec.c:136:18 in shellexec
 Exiting
 hello.com: 6: Syntax error: ")" unexpected
 
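The report placement discussed above is how MemorySanitizer works by design: copying a poisoned value, including passing it as a function argument, is never reported; only its use in a branch, a syscall argument or a pointer dereference is, and origin tracking then names the stack allocation the poison came from. The C program below is an added example, not sh's code, with hypothetical stand-ins for cmdentry, find_command(), evalcommand() and shellexec(); built with clang -g -fsanitize=memory -fsanitize-memory-track-origins, the report lands on the branch in run_cmd() with the origin attributed to 'entry' in eval_uninit()'s frame, while the fully initialised variant stays clean.

```c
#include <stdio.h>
/* Hypothetical stand-ins for sh's cmdentry / find_command() / shellexec(). */
enum cmdtype { CMDUNKNOWN = -1, CMDNORMAL = 0 };
struct cmdentry {
    enum cmdtype cmdtype;
    union {
        int index;              /* which PATH element the command was found in */
        void (*bltin)(void);    /* unused here; keeps the union shape of the real struct */
    } u;
};

/* find_command() stand-in: fills u.index only when the lookup succeeds,
 * so a failed lookup leaves u.index as whatever was on the stack. */
static void find_command(struct cmdentry *e, int found_at)
{
    if (found_at < 0) {
        e->cmdtype = CMDUNKNOWN;
        return;                 /* u.index deliberately left uninitialised */
    }
    e->cmdtype = CMDNORMAL;
    e->u.index = found_at;
}

/* shellexec() stand-in: the branch on idx is the first real "use", so
 * MSan reports here, with this frame on top, not in the caller. */
static int run_cmd(int idx)
{
    if (idx < 0)
        return -1;
    return idx;
}

/* evalcommand() stand-in with the struct declared but not initialised. */
static int eval_uninit(int found_at)
{
    struct cmdentry entry;      /* MSan origin: 'entry' in eval_uninit's frame */
    find_command(&entry, found_at);
    return run_cmd(entry.u.index);   /* the copy into the argument is not reported */
}

/* Same flow with the struct fully initialised: a failed lookup yields -1. */
static int eval_init(int found_at)
{
    struct cmdentry entry = { CMDUNKNOWN, { .index = -1 } };
    find_command(&entry, found_at);
    return run_cmd(entry.u.index);
}

int main(void)
{
    printf("found in PATH[2]: %d\n", eval_init(2));       /* 2 */
    printf("not found (init): %d\n", eval_init(-1));      /* -1 */
    printf("not found (uninit): %d\n", eval_uninit(-1));  /* MSan aborts here with the report */
    return 0;
}
```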

