Bug 1010845 - (CVE-2016-9401) VUL-1: CVE-2016-9401: bash: popd controlled free (Segmentation fault)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: unspecified
Assigned To: Security Team bot
https://smash.suse.de/issue/176500/
CVSSv2:SUSE:CVE-2016-9401:3.3:(AV:L/A...
Depends on:
Blocks:
Reported: 2016-11-18 01:00 UTC by Mikhail Kasimov
Modified: 2020-11-17 10:12 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2016-11-18 01:00:51 UTC
Reference: http://seclists.org/oss-sec/2016/q4/445
===================================================

bash - popd controlled free
====================

popd can be tricked to free a user supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some
environments to cause use-after-free.

This was already reported to bash devs and only considered a bug, if
Mitre consider it could have a security impact, please assign a CVE.

Details
======
$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384          free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----
$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:    "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384,
flags=<optimized out>) at malloc.c:863
863      if (p->mh_alloc == ISMEMALIGN)


- Fernando
===================================================

And yes, it can be reproduced on 42.1:
===================================================
k_mikhail@linux-mk500:~> gdb bash
GNU gdb (GDB; openSUSE Leap 42.1) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bash...(no debugging symbols found)...done.
Missing separate debuginfos, use: zypper install bash-debuginfo-4.2-78.1.x86_64
(gdb) r -c 'popd +-67372036'
Starting program: /bin/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0000000000448916 in popd_builtin ()
(gdb) r -c 'popd +-111111'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /bin/bash -c 'popd +-111111'

Program received signal SIGSEGV, Segmentation fault.
0x0000000000448916 in popd_builtin ()
(gdb)
===================================================

k_mikhail@linux-mk500:~> bash --version 
GNU bash, version 4.2.47(1)-release (x86_64-suse-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Comment 1 Swamp Workflow Management 2016-11-18 23:00:23 UTC
bugbot adjusting priority
Comment 2 Dr. Werner Fink 2016-11-21 10:16:40 UTC
The same is true for bash 4.3
Comment 3 Dr. Werner Fink 2016-11-21 11:00:24 UTC
Bash 4.4.5 crashes as well.
Comment 4 Dr. Werner Fink 2016-11-21 11:10:50 UTC
Hmmm ... this seems to be a problem of how the arguments for popd are parsed ... according to the manual page this is

       popd [-n] [+n] [-n]
              Removes  entries  from  the directory stack.  With no arguments,
              removes the top directory from the stack, and performs a  cd  to
              the new top directory.  Arguments, if supplied, have the follow-
              ing meanings:
              -n     Suppresses the normal change of directory  when  removing
                     directories  from  the  stack,  so that only the stack is
                     manipulated.
              +n     Removes the nth entry counting from the left of the  list
                     shown  by  dirs, starting with zero.  For example: ``popd
                     +0'' removes the first directory, ``popd +1'' the second.
              -n     Removes the nth entry counting from the right of the list
                     shown  by  dirs, starting with zero.  For example: ``popd
                     -0'' removes the last directory, ``popd -1'' the next  to
                     last.

              If  the popd command is successful, a dirs is performed as well,
              and the return status is 0.  popd returns false  if  an  invalid
              option is encountered, the directory stack is empty, a non-exis-
              tent directory stack entry is specified, or the directory change
              fails.

now if I do

  bash -c 'popd +-1'
  Segmentation fault

it crashes ... if used correctly

  bash -c 'popd +67372036'
  bash: line 0: popd: directory stack empty
  bash -c 'popd -67372036'
  bash: line 0: popd: directory stack empty

all went OK.
Comment 5 Dr. Werner Fink 2016-11-21 11:13:12 UTC
Just to note

  bash -c 'popd --1'
  Segmentation fault (core dumped)
Comment 6 Dr. Werner Fink 2016-11-21 15:28:43 UTC
From upstream:

On 11/21/16 6:47 AM, werner@suse.de wrote:

> Bash Version: 4.2.47, 4.3.48, 4.4.5
> Release Status: release
> OpenSUSE bug: 1010845
> CVE: 2016-9401
>
> Description:
>       popd controlled free (Segmentation fault) in all bash versions here around

This has been fixed for a couple of weeks in the devel branch.
Comment 7 Dr. Werner Fink 2016-11-21 15:36:58 UTC
Thu, 3 Nov 2016 22:28:23 +0100 (17:28 -0400)

+builtins/pushd.def
+       - popd_builtin: make sure to check the normalized stack offset
+         (i.e., negatives counting back from the end of the stack) is within
+         bounds before trying to free that stack entry.  Report from
+         Fernando Muñoz <fernando@null-life.com>
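Comment 4 above walks through the +n / -n semantics from the manual page, and the upstream note just quoted describes the fix: normalize the offset (negatives counting back from the end of the stack) and check it is within bounds before freeing that entry. The C program below is an added example, not bash's source and not part of this bug report: it models that offset computation on a constructed four-entry stack, with the unchecked index calculation beside the bounds-checked one, so the reader can see exactly where arguments such as `+-1` or `--1` leave the array. `dir_stack`, `STACK_TOP`, `popd_index_unchecked`, `popd_index_checked` and `would_free_out_of_bounds` are names chosen for this illustration; the real builtin's control flow is only approximated.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed directory stack for the illustration (assumption, not bash's
 * data). Index 0 is the oldest entry (rightmost in `dirs` output) and
 * STACK_TOP is the current directory (leftmost in `dirs` output). */
#define STACK_TOP 3
static const char *dir_stack[STACK_TOP + 1] = { "/", "/usr", "/usr/share", "/tmp" };

enum { POPD_OK = 0, POPD_USAGE = 1, POPD_NOENT = 2 };

/* Parse the text after the leading +/- sign. Like a generic integer parser,
 * this accepts a second sign, which is how "+-1" or "--1" yields a negative
 * count instead of a usage error. */
static int parse_count(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (s == end || *end != '\0' || errno == ERANGE)
        return 0;
    *out = v;
    return 1;
}

/* Unchecked model of the offset handling: +n counts from the top (left),
 * -n from the bottom (right). The only range check is "count not larger
 * than the stack", which a negative count passes, so the normalized index
 * can lie outside dir_stack. Returns the index via *index. */
static int popd_index_unchecked(const char *arg, long *index)
{
    long which;
    char direction = arg[0];
    if ((direction != '+' && direction != '-') || !parse_count(arg + 1, &which))
        return POPD_USAGE;
    if (which > STACK_TOP)
        return POPD_NOENT;                 /* "nonexistent directory stack entry" */
    *index = (direction == '+') ? STACK_TOP - which : which;
    return POPD_OK;
}

/* Hardened model: compute the normalized index first, then require that it
 * actually addresses an entry of the stack before anything is freed. */
static int popd_index_checked(const char *arg, long *index)
{
    int rc = popd_index_unchecked(arg, index);
    if (rc != POPD_OK)
        return rc;
    if (*index < 0 || *index > STACK_TOP)  /* the bounds check the fix adds */
        return POPD_NOENT;
    return POPD_OK;
}

/* 1 if the unchecked path would hand an out-of-range index to free(). */
static int would_free_out_of_bounds(const char *arg)
{
    long i;
    return popd_index_unchecked(arg, &i) == POPD_OK && (i < 0 || i > STACK_TOP);
}

int main(void)
{
    /* Constructed arguments: the two well-formed ones, then the shapes seen
     * in this report, then an in-range-looking but nonexistent offset. */
    const char *args[] = { "+1", "-1", "+-1", "--1", "+-67372036", "+67372036" };
    for (size_t k = 0; k < sizeof args / sizeof args[0]; k++) {
        long i = 0;
        int unchecked = popd_index_unchecked(args[k], &i);
        int checked = popd_index_checked(args[k], &i);
        printf("popd %-12s unchecked index=%ld%s  hardened=%s\n", args[k],
               unchecked == POPD_OK ? i : -1L,
               would_free_out_of_bounds(args[k]) ? " (out of bounds!)" : "",
               checked == POPD_OK ? dir_stack[i] : "rejected");
    }
    return 0;
}
```

The point of the two-step shape is that the direction sign and the count are normalized into one array index before any check is meaningful; a check on the raw count alone (as in the unchecked variant) cannot catch a negative count, because the sign has already been consumed as the direction marker.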
Comment 8 Dr. Werner Fink 2016-11-23 10:57:39 UTC
Question: is this a real VUL-0?  IMHO only the user himself/herself can fool himself/herself on purpose by plain *wrong* usage of popd.

I currently see only a script which uses a variable for the number passed to popd, and then this number has to be determined in the script by foreign data ... very unlikely IMHO
Comment 9 Johannes Segitz 2016-11-25 12:34:46 UTC
(In reply to Dr. Werner Fink from comment #8)
I think this is something that should be fixed, but we don't need to trigger an update just for that. Setting it to VUL-1
Comment 10 Dr. Werner Fink 2016-11-28 11:40:09 UTC
According to upstream this is not a security bug at all ... it is only a segmentation fault, compare with

  https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
Comment 13 Dr. Werner Fink 2017-04-28 08:40:03 UTC
SR#131914 SUSE:SLE-11-SP3:Update
SR#131915 SUSE:SLE-11-SP4:Update
Comment 15 Marcus Meissner 2017-04-28 11:04:40 UTC
Reopening for tracking.


the bar of requesting CVEs is low, but also the bar of "disputing" or "rejecting" CVE entries is quite low these days.

I will get a dispute in motion.
Comment 16 Leonardo Chiquitto 2017-05-09 01:02:28 UTC
Werner, please, could you submit the fix to SUSE:SLE-12-SP2:Update as well? Thanks.
Comment 17 Dr. Werner Fink 2017-05-09 09:05:01 UTC
(In reply to Leonardo Chiquitto from comment #16)
> Werner, please, could you submit the fix to SUSE:SLE-12-SP2:Update as well?
> Thanks.

SR#132395 ... cannot supersede SR#132284 as the latter is already accepted
Comment 19 Swamp Workflow Management 2017-05-16 19:15:57 UTC
SUSE-SU-2017:1317-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1010845,1035371
CVE References: CVE-2016-9401
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    bash-4.3-82.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    bash-4.3-82.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    bash-4.3-82.1
SUSE Linux Enterprise Server 12-SP2 (src):    bash-4.3-82.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    bash-4.3-82.1
OpenStack Cloud Magnum Orchestration 7 (src):    bash-4.3-82.1
Comment 20 Swamp Workflow Management 2017-05-18 16:24:58 UTC
SUSE-SU-2017:1337-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (low)
Bug References: 1010845,1031729,976776
CVE References: CVE-2016-9401
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bash-3.2-147.35.1
SUSE Linux Enterprise Server 11-SP4 (src):    bash-3.2-147.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bash-3.2-147.35.1
Comment 21 Swamp Workflow Management 2017-05-24 19:12:34 UTC
openSUSE-SU-2017:1402-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1010845,1035371
CVE References: CVE-2016-9401
Sources used:
openSUSE Leap 42.2 (src):    bash-4.3-80.3.1
Comment 22 Johannes Segitz 2017-06-22 06:06:55 UTC
Doesn't seem like the dispute request by Marcus went through
Comment 23 Dr. Werner Fink 2017-06-22 07:02:46 UTC
(In reply to Johannes Segitz from comment #22)
> Doesn't seem like the dispute request by Marcus went through

I'm a bit puzzled; AFAICS the update is out there ... so what's going on here?
Comment 24 Marcus Meissner 2017-06-22 07:08:10 UTC
I think we can safely close this bug, as updates have been released.

An escape from a restricted shell is likely a bit of a security issue, so we can let the CVE stay as is.
Comment 30 Swamp Workflow Management 2019-04-16 14:17:37 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-04-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64260
Comment 33 Wolfgang Frisch 2020-09-24 13:25:52 UTC
Resolved.