Bug#995013: csh: Certain input locks shell up and consumes all memory

Jan Verbeek

Sep 24, 2021, 3:30:03 PM
Package: csh
Version: 20110502-6
Severity: normal


Certain arguments cause csh to lock up and endlessly consume memory
until killed. I'm guessing this happens during parsing because the
code doesn't have to actually be executed.

The most I've been able to narrow it down is that it happens when a
command line contains both a backslash and an unquoted ܠ (U+0720

Examples that trigger it:

true \ܠ

if (0) true \ܠ

true \ foo bar baz ܠ

true '\' ܠ

Examples that don't trigger it:

true ܠ

true \ 'ܠ'

I didn't manage to reproduce this on OpenBSD but I didn't try very

(This problem was found while fuzzing another piece of software.)

-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages csh depends on:
ii libbsd0 0.11.3-1
ii libc6 2.31-13

csh recommends no packages.

csh suggests no packages.

-- no debconf information
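
A way to re-run the report's command lines without risking the host, as an added example that is not part of the original report: each line is passed to `csh -c` under an address-space limit and a timeout, and the outcome is classified. The names `probe` and `probe_all` and the 512 MiB and 5 second limits are assumptions; the script relies on coreutils `timeout` and a shell whose `ulimit` accepts `-v`.

```shell
#!/bin/sh
# Added example, not from the report: classify each command line under a
# memory cap and a wall-clock timeout so a runaway parse cannot exhaust the host.
CSH=${CSH:-csh}            # shell under test (assumed to be on PATH)
MEM_KB=${MEM_KB:-524288}   # address-space cap in KiB (assumed value)
SECS=${SECS:-5}            # timeout in seconds (assumed value)

# probe CMDLINE: prints ok, timeout, or abnormal(STATUS).
probe() {
    rc=0
    # "|| rc=$?" keeps this safe when the caller runs under set -e.
    (
        ulimit -v "$MEM_KB" || exit 125   # refuse to run without the cap
        exec timeout -k 1 "$SECS" "$CSH" -c "$1"
    ) </dev/null >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo ok ;;
        124|137) echo timeout ;;          # stopped by timeout (TERM, then KILL)
        *)       echo "abnormal($rc)" ;;  # non-zero exit or death by signal
    esac
}

# probe_all: run the six command lines quoted in the report, one per line.
# read -r and the quoted here-document keep backslashes and quotes intact.
probe_all() {
    while IFS= read -r line; do
        printf '%-14s %s\n' "$(probe "$line")" "$line"
    done <<'EOF'
true \ܠ
if (0) true \ܠ
true \ foo bar baz ܠ
true '\' ܠ
true ܠ
true \ 'ܠ'
EOF
}

if [ "${1:-}" = "--run" ]; then probe_all; fi
```

Run it with `--run` in a UTF-8 locale like the one listed under System Information; setting `CSH` to another shell binary allows a side-by-side comparison.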
