Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600174 (CVE-2016-9401) - <app-shells/bash-4.3_p48-r1: popd controlled use-after-free
Summary: <app-shells/bash-4.3_p48-r1: popd controlled use-after-free
Status: RESOLVED FIXED
Alias: CVE-2016-9401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q4/445
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-18 14:43 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-03-18 15:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 14:43:10 UTC
popd can be tricked to free a user supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some
environments to cause use-after-free.

This was already reported to bash devs and only considered a bug, if
Mitre consider it could have a security impact, please assign a CVE.

Details
======
$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384          free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----
$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:    "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384,
flags=<optimized out>) at malloc.c:863
863      if (p->mh_alloc == ISMEMALIGN)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 14:55:51 UTC
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 SpanKY gentoo-dev 2016-11-27 01:46:27 UTC
added upstream's fix to 4.4:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bf1ceeb04a2f57e1e5e1636a8c288c4d0db6682

Chet seemed confident it isn't exploitable (beyond making the active shell crash/exit immediately)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 00:08:52 UTC
@ Arches,

please test and mark stable: =app-shells/bash-4.4_p5-r1
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 15:44:55 UTC
Stabilization postponed on request of base-system (looks like they want to stabilize 4.4.x together with readline-7.x and aren't ready yet).
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-12-04 16:12:07 UTC
I've added the fix to bash-4.3 so we (base-system) have a bit more time figuring out if readline-7.0 is ready for stabilization:

commit c3d3bdc215881e2712843708c42978b7bac96ba9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Dec 4 17:06:54 2016

    app-shells/bash: Revbump to add popd offset overflow fix to bash-4.3 (#600174).

    Package-Manager: portage-2.3.2


Arches please test and mark stable =app-shells/bash-4.3_p48-r1 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-05 15:49:05 UTC
Stable on alpha.
Comment 7 SpanKY gentoo-dev 2016-12-05 18:49:23 UTC
yes, we do not want to stabilize bash-4.4 this year.  it needs more time to sit.
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-06 11:51:16 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-06 11:54:05 UTC
x86 stable
Comment 10 SpanKY gentoo-dev 2016-12-15 21:49:52 UTC
done the rest now
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-12-15 22:24:02 UTC
(In reply to SpanKY from comment #10)
> done the rest now

Thanks, Mike!

GLSA pending review.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:47:37 UTC
This issue was resolved and addressed in
 GLSA 201701-02 at https://security.gentoo.org/glsa/201701-02
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 13:57:03 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop <app-shells/bash-4.3_p48-r1 or apply masks indicating a security problem.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 23:08:37 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/3392
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 14:06:24 UTC
Ping:

PR was closed because earlier bash versions are kept for testing reasons.

Security Team Padawan 
ChrisADR
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 21:03:04 UTC
@base-system, can we mask here?
Comment 17 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 15:51:35 UTC
Cleanup done, closing as RESOLVED.

Thank you all.