Date:      Sat, 13 Dec 2014 01:23:10 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 195918] /bin/sh crash caused by a particular script
Message-ID:  <bug-195918-8-Wgo6GIaOt8@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-195918-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-195918-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195918

--- Comment #4 from jason.unovitch@gmail.com ---
An interesting observation to add: I can trigger this on my amd64 box but not
on my i386 router.  After further investigation, I found through using GDB on
an old 9.1 VM with bin/sh compiled with debugging that expand.c runs atoi and
uses the negative number it receives to read from an array index.  I've
attached the diff but it's crude and I don't think this is the "right" solution
but does prevent any seg faults and errors out cleanly with the bad
substitution.

64 bit:

FreeBSD xts-bsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64
jason@xts-bsd:/usr/src/bin/sh % sh
$ echo b=${1985234857347568347:12:5}
Segmentation fault

32 bit:

FreeBSD xts-rtr 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274562M: Sun Nov 16
07:37:32 UTC 2014    
root@xts-bsd:/usr/obj/nanobsd.soekris/i386.i386/usr/src/sys/GENERIC  i386
jason@xts-rtr:~ % sh
$ echo b=${1985234857347568347:12:5}
${1985234857347568347:1...}: Bad substitution

-- 
You are receiving this mail because:
You are the assignee for the bug.
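
An added example (not part of the original message, and neither the attached diff nor FreeBSD's expand.c) of the failure mode the comment describes: a decimal string converted atoi-style and used as an array index, beside a range-checked `strtol` version. The function names, the 1-based parameter array and the assumption that `atoi` behaves as `(int)strtol(s, NULL, 10)` are illustrative; under that assumption a 64-bit `long` holds the value and truncation to `int` can yield a negative number, while a 32-bit `long` saturates at `LONG_MAX`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Pattern from the comment: atoi-style conversion whose result is then used
 * as an index. Assumption: atoi behaves as (int)strtol(s, NULL, 10). */
int naive_param_number(const char *digits)
{
    return (int)strtol(digits, NULL, 10);   /* 64-bit long: value is truncated */
}

/* Hypothetical hardened helper: 1..nparams, or -1 for "Bad substitution". */
int checked_param_number(const char *digits, int nparams)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(digits, &end, 10);
    if (end == digits || *end != '\0')   /* empty or trailing junk */
        return -1;
    if (errno == ERANGE)                 /* did not fit in long */
        return -1;
    if (v < 1 || v > nparams)            /* outside the parameter array */
        return -1;
    return (int)v;                       /* safe: 1 <= v <= nparams */
}

/* Bounds-checked lookup; NULL means the caller should report an error. */
const char *lookup_param(const char *const *params, int nparams,
                         const char *digits)
{
    int n = checked_param_number(digits, nparams);
    return n < 0 ? NULL : params[n - 1];
}

int main(void)
{
    const char *const params[] = { "alpha", "beta" };  /* constructed sample */
    const char *big = "1985234857347568347";           /* value from the report */
    const char *p = lookup_param(params, 2, big);

    printf("naive index: %d\n", naive_param_number(big));
    printf("checked:     %s\n", p ? p : "Bad substitution");
    return 0;
}
```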


