Updated: 2003-01-19 05:50

Sign extension bugs

Computer Emergency Response Team (CERTsm) Advisory CA-96.22

1. Vulnerability in yy_string_get()

There is a variable declaration error in the "yy_string_get()" function in the "parse.y" module of the "bash" source code. This function is responsible for parsing the user-provided command line into separate tokens (commands, special characters, arguments, etc.). The error involves the variable "string", which has been declared to be of type "char *".

The "string" variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type "int". On systems/compilers where the "char" type defaults to "signed char" this value will be sign-extended when it is assigned to the "int" variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value (-1) being assigned to the integer.

However, (-1) is used in other parts of the parser to indicate the end of a command. Thus, the character code 255 decimal (377 octal) will serve as an unintended command separator for commands given to bash via the "-c" option. For example,

bash -c 'ls\377who'

(where "\377" represents the single character with value 255 decimal) will execute two commands, "ls" and "who".
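The separator effect described above, as an added example that is not code from the CERT advisory or from bash's parse.y: a constructed minimal tokenizer that reads bytes the flawed way (through a signed char) and the corrected way (through unsigned char), and counts how many commands each reading produces for the same "ls\377who" input.

```c
#include <stdio.h>

/* Constructed example, not bash's parse.y: the parser uses -1 as an
 * in-band "end of command" sentinel, exactly as the advisory describes. */
#define EOF_TOKEN (-1)

/* Flawed getter: mimics reading through 'char *string' on a platform
 * where char is signed. The signed char cast forces that behaviour
 * everywhere so the demonstration is portable. */
static int get_signed(const char *s) {
    signed char c = (signed char)*s;
    return c;                     /* byte 0xFF sign-extends to -1 == EOF_TOKEN */
}

/* Fixed getter: read the byte through unsigned char, so 0xFF yields 255
 * and can never collide with the -1 sentinel. */
static int get_unsigned(const char *s) {
    return (unsigned char)*s;
}

/* Count the commands the parser sees in `line` using the given getter.
 * A command ends at the true NUL or whenever the getter returns EOF_TOKEN. */
static int count_commands(const char *line, int (*get)(const char *)) {
    int commands = 0, in_command = 0;
    for (const char *p = line; *p != '\0'; p++) {
        int c = get(p);           /* the int assignment the advisory talks about */
        if (c == EOF_TOKEN) {     /* treated as a command separator */
            if (in_command) commands++;
            in_command = 0;
        } else {
            in_command = 1;
        }
    }
    return commands + in_command;
}

int main(void) {
    /* Constructed input: "ls", the single byte 0xFF (octal 377), "who". */
    const char *line = "ls\377who";
    printf("signed char getter:   %d command(s)\n", count_commands(line, get_signed));
    printf("unsigned char getter: %d command(s)\n", count_commands(line, get_unsigned));
    return 0;
}
```

With the signed reading the byte 0xFF splits the line into two commands; with the unsigned reading it is just one more ordinary character in a single token.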

Web Author: Ian! D. Allen idallen@idallen.ca      Updated: 2003-01-19 05:50

This work is licensed under a Creative Commons License.