Re: eval '<$(;)' causes Segmentation Fault
From: Chet Ramey
Subject: Re: eval '<$(;)' causes Segmentation Fault
Date: Tue, 27 Aug 2024 10:02:51 -0400
User-agent: Mozilla Thunderbird

On 8/26/24 6:44 PM, youheng.lue@gmail.com wrote:
> Bash Version: 5.3
> Patch Level: 0
> Release Status: alpha
>
> POC:
> $ cat poc.sh
> eval '<${;}'

The specific case is an empty command containing only a redirection that
results in an expansion error read from a script or string.

> I can confirm that the error is triggered in the "execute_null_command"
> function and later containing a redirection.
> Specifically the variable `INPUT_STREAM bashinput.location` is both a char
> pointer and an int.

Thanks for the analysis.

> At first it is used as a char pointer in the function "parse_and_execute"
> BEFORE
> ```
> gdb> p bash_input.location.string
> $3 = 0x7fb3dc0db3b0 "<${;}"
> ```
> However at shell.c:1758 in the function unset_bash_input it gets overwritten to
> a fd:
> ```
> bash_input.location.buffered_fd = -1;
> ```

This is an effect of the problem, not the problem itself. The subshell
forked to execute the empty command should not go back and try to read
from the script again after it encounters an expansion error. The fix is
to provide a target for longjmp in the forked subshell.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
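
The control flow discussed in this message, as an added C example (not bash source and not code from either poster). It shows a forked child whose error jump either lands on an inherited target in the reader loop or on a target set inside the child. All names (`demo_input`, `demo_read`, `run_null_command`, `err_target`), the type tag, and the exit-status convention are assumptions made for illustration.

```c
#include <setjmp.h>
#include <stddef.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for bash's input stream: only the two union
   members named in the thread are modelled, plus an assumed type tag. */
enum st_type { ST_NONE, ST_STRING };
static struct demo_input {
    enum st_type type;
    union { const char *string; int buffered_fd; } location;
} demo;
static jmp_buf top_level, subshell_top;
static jmp_buf *err_target;            /* where an expansion error jumps */
static void demo_unset_input(void) {   /* same store as quoted from shell.c */
    demo.type = ST_NONE;
    demo.location.buffered_fd = -1;    /* .string is no longer valid */
}
/* Tag-guarded reader: never dereferences the overwritten pointer. */
static int demo_read(void) {
    if (demo.type != ST_STRING || demo.location.string == NULL)
        return -1;
    return (unsigned char)*demo.location.string++;
}
/* Exit status of the forked child: 1 = error handled inside the child,
   2 = child jumped back into the inherited reader loop. */
int run_null_command(const char *src, int local_target) {
    int status = 0;
    pid_t pid;
    demo.type = ST_STRING;
    demo.location.string = src;
    err_target = &top_level;
    if (setjmp(top_level))             /* reached only in the child */
        _exit(demo_read() < 0 ? 2 : 3);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        demo_unset_input();
        if (local_target) {
            if (setjmp(subshell_top))
                _exit(1);              /* error stops in the subshell */
            err_target = &subshell_top;
        }
        longjmp(*err_target, 1);       /* simulated expansion error */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_null_command("<${;}", 1) == 1 ? 0 : 1; }
```

With `local_target` set to 0 the child returns status 2, meaning it re-entered the reader after its input had been unset. The tag check in `demo_read` keeps that path safe in this example.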