Debian Bug report logs - #966156
dash -n: stack overflow on long sequence of backticks

Package: dash; Maintainer for dash is Andrej Shadura <[email protected]>; Source for dash is src:dash.

Reported by: Jakub Wilk <[email protected]>

Date: Thu, 23 Jul 2020 21:54:01 UTC

Severity: normal

Tags: fixed-upstream, patch, upstream

Found in version dash/0.5.10.2-7

Forwarded to https://lore.kernel.org/dash/[email protected]/t/

Report forwarded to [email protected], [email protected], Andrej Shadura <[email protected]>:
Bug#966156; Package dash. (Thu, 23 Jul 2020 21:54:03 GMT).


Message #3 received at [email protected]:

From: Jakub Wilk <[email protected]>
To: [email protected]
Subject: dash -n: stack overflow on long sequence of backticks
Date: Thu, 23 Jul 2020 23:50:25 +0200
Package: dash
Version: 0.5.10.2-7

dash crashes when checking syntax of a script consisting of a very long 
sequence of backticks:

  $ printf %09999d | tr 0 '`' | dash -n
  Segmentation fault

Valgrind says it's a stack overflow:

  Process terminating with default action of signal 11 (SIGSEGV)
   Access not within mapped region at address 0xFE33B4C8
  Stack overflow in thread #1: can't grow stack to 0xfe33b000
     at 0x1180EA: UnknownInlinedFun (string_fortified.h:34)
     by 0x1180EA: readtoken1 (parser.c:1377)


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages dash depends on:
ii  libc6        2.31-2
ii  debianutils  4.11
ii  dpkg         1.20.5
ii  debconf      1.5.74

-- 
Jakub Wilk
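
The reproduction in the report above, wrapped as a repeatable check that tells a clean parser exit apart from death by signal. This is an added example, not part of the original report or of dash; the function name `check_backtick_parse` and its output strings are chosen here.

```shell
#!/bin/sh
# Added example: classify how a shell's syntax check (-n) ends when it is
# fed a long run of backticks, the input used in the report above.
# check_backtick_parse and its output strings are names chosen here.

# usage: check_backtick_parse SHELL [COUNT]
# Prints one of: "missing", "clean exit N", "signal N".
check_backtick_parse() {
    shell=$1
    count=${2:-9999}    # 9999 is the length used in the report

    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return 0; }

    status=0
    # Generated input: COUNT zeros turned into COUNT backticks.
    printf "%0${count}d" 0 | tr 0 '`' | "$shell" -n >/dev/null 2>&1 ||
        status=$?

    # POSIX shells report death by signal N as exit status 128+N,
    # so SIGSEGV (11) shows up as 139.
    if [ "$status" -gt 128 ]; then
        echo "signal $((status - 128))"
    else
        echo "clean exit $status"
    fi
}

# Any "clean exit" result means the parser survived the input;
# "signal 11" is the crash described in the report.
check_backtick_parse "${1:-dash}"
```

Run it with the shell to test as the first argument, for example once against the packaged dash and once against a build that includes the upstream fix.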



Information forwarded to [email protected], Andrej Shadura <[email protected]>:
Bug#966156; Package dash. (Wed, 14 Dec 2022 23:45:03 GMT).


Acknowledgement sent to наб <[email protected]>:
Extra info received and forwarded to list. Copy sent to Andrej Shadura <[email protected]>. (Wed, 14 Dec 2022 23:45:03 GMT).


Message #8 received at [email protected]:

From: наб <[email protected]>
To: [email protected]
Cc: Jakub Wilk <[email protected]>
Subject: Re: Bug#966156: dash -n: stack overflow on long sequence of backticks
Date: Thu, 15 Dec 2022 00:42:48 +0100
Control: tags -1 + upstream patch
Control: forwarded -1 https://lore.kernel.org/dash/[email protected]/t/

Valgrind is right. I don't think you're likely to run into this on
non-pathological input, but it's a relatively simple fix.

Patch posted to dash@, archived at forwarded-to.

наб

Added tag(s) patch and upstream. Request was from наб <[email protected]> to [email protected]. (Wed, 14 Dec 2022 23:45:03 GMT).


Set Bug forwarded-to-address to 'https://lore.kernel.org/dash/[email protected]/t/'. Request was from наб <[email protected]> to [email protected]. (Wed, 14 Dec 2022 23:45:03 GMT).


Information forwarded to [email protected], Andrej Shadura <[email protected]>:
Bug#966156; Package dash. (Sun, 08 Jan 2023 13:45:03 GMT).


Acknowledgement sent to наб <[email protected]>:
Extra info received and forwarded to list. Copy sent to Andrej Shadura <[email protected]>. (Sun, 08 Jan 2023 13:45:03 GMT).


Message #17 received at [email protected]:

From: наб <[email protected]>
To: [email protected]
Cc: Jakub Wilk <[email protected]>
Subject: Re: Bug#966156: dash -n: stack overflow on long sequence of backticks
Date: Sun, 8 Jan 2023 14:42:45 +0100
Control: tags -1 + fixed-upstream

Fixed this series (v3 in forwarded-to thread):
  https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=d89761b0e1652e212e9354fd3c96f977de873a06
  https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=f96ec8765cf37eb0c222a563de2f767ebfbf56db

наб

Added tag(s) fixed-upstream. Request was from наб <[email protected]> to [email protected]. (Sun, 08 Jan 2023 13:45:03 GMT).

Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 12:25:22 2025; Machine Name: buxtehude