[Bug 195918] /bin/sh crash caused by a particular script

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Dec 13 01:23:10 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195918

--- Comment #4 from jason.unovitch at gmail.com ---
An interesting observation to add, I can trigger this on my amd64 box but not
on my i386 router.  After further investigation, I found through using GDB on
an old 9.1 VM with bin/sh compiled with debugging that expand.c runs atoi and
uses the negative number it receives to read from an array index.  I've
attached the diff but it's crude and I don't think this is the "right" solution
but does prevent any seg faults and errors out cleanly with the bad
substitution.

64 bit:

FreeBSD xts-bsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
21:02:49 UTC 2014     root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64
jason at xts-bsd:/usr/src/bin/sh % sh
$ echo b=${1985234857347568347:12:5}
Segmentation fault

32 bit:

FreeBSD xts-rtr 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274562M: Sun Nov 16
07:37:32 UTC 2014    
root at xts-bsd:/usr/obj/nanobsd.soekris/i386.i386/usr/src/sys/GENERIC  i386
jason at xts-rtr:~ % sh
$ echo b=${1985234857347568347:12:5}
${1985234857347568347:1...}: Bad substitution

-- 
You are receiving this mail because:
You are the assignee for the bug.
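
Added example, not part of the original comment, the attached diff, or the FreeBSD sh source: a C sketch of the failure described in comment #4 (a numeric conversion yielding a negative value that is then used as an array index) beside a checked parse that rejects the input first. The function names, the parameter count of 3, and the model of atoi as a 64-bit parse narrowed to int are assumptions made for illustration.

```c
/* Added illustration; narrow_to_int() and param_index() are hypothetical names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed model of atoi on a 64-bit system: the digits fit in 64 bits and
 * the result is then narrowed to a 32-bit int, which can flip the sign. */
static int32_t narrow_to_int(const char *s)
{
    return (int32_t)(uint32_t)strtoull(s, NULL, 10);
}

/* Checked parse of a positional-parameter number. Stores a 1-based index
 * and returns 0, or returns -1 if the text is not a usable index. */
static int param_index(const char *digits, size_t nparam, size_t *out)
{
    char *end;
    unsigned long long v;

    if (digits[0] < '0' || digits[0] > '9')
        return -1;                      /* empty string, sign, whitespace */
    errno = 0;
    v = strtoull(digits, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow or trailing garbage */
    if (v == 0 || v > nparam)
        return -1;                      /* outside the positional array */
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    const char *name = "1985234857347568347";   /* number from the report */
    size_t idx;

    printf("narrowed to int: %d\n", narrow_to_int(name));
    printf("checked parse:   %s\n",
           param_index(name, 3, &idx) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The caller decides what a -1 means, for example reporting "Bad substitution" as the i386 build in the report does.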

