Another out of bounds heap read in bash completion

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Another out of bounds heap read in bash completion

From:	Hanno Böck
Subject:	Another out of bounds heap read in bash completion
Date:	Tue, 7 Jul 2015 00:46:40 +0200

Hi,

With Address Sanitizer I discovered another out of bounds read issue in
bash. This is different from the issue I recently reported here and
for which Chet already provided a patch:
https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

To reproduce:
a) compile bash with CFLAGS="-fsanitize=address -g"
b) type in a=/ a
c) go back with the cursor behind the backslash and press tab

This is the stack trace from address sanitizer:
==28776==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6020001014af at pc 0x4c7c0f bp 0x7ffe122a3490 sp 0x7ffe122a3480
READ of size 1 at 0x6020001014af thread T0
    #0 0x4c7c0e in bind_compfunc_variables 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986
    #1 0x4ca913 in gen_shell_function_matches 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1133
    #2 0x4ca913 in gen_compspec_completions 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1411
    #3 0x4cc221 in gen_progcomp_completions 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1581
    #4 0x4cc5a1 in programmable_completions 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1633
    #5 0x4bd184 in attempt_shell_completion 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/bashline.c:1517
    #6 0x7f79530ed482 (/lib64/libreadline.so.6+0x3a482)
    #7 0x7f79530ed8bc in rl_complete_internal (/lib64/libreadline.so.6+0x3a8bc)
    #8 0x7f79530d8c0d in _rl_dispatch_subseq (/lib64/libreadline.so.6+0x25c0d)
    #9 0x7f79530d948c in readline_internal_char 
(/lib64/libreadline.so.6+0x2648c)
    #10 0x7f79530da354 in readline (/lib64/libreadline.so.6+0x27354)
    #11 0x410457 in yy_readline_get parse.y:1448
    #12 0x414dad in yy_getc parse.y:1382
    #13 0x414dad in shell_getc parse.y:2283
    #14 0x419c19 in read_token parse.y:3050
    #15 0x41f721 in yylex parse.y:2637
    #16 0x41f721 in yyparse 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/y.tab.c:2037
    #17 0x40f2ab in parse_command 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:238
    #18 0x40f4b1 in read_command 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:282
    #19 0x40f99e in reader_loop 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:145
    #20 0x40ba04 in main 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/shell.c:756
    #21 0x7f7952820aa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #22 0x40db2d (/bin/bash+0x40db2d)

0x6020001014af is located 1 bytes to the left of 2-byte region 
[0x6020001014b0,0x6020001014b2)
allocated by thread T0 here:
    #0 0x7f79533a77c7 in malloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x577c7)
    #1 0x4cd72a in xmalloc 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986 
bind_compfunc_variables
Shadow bytes around the buggy address:
  0x0c0480018240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa
  0x0c0480018280: fa fa 00 02 fa fa 00 02 fa fa 02 fa fa fa fd fa
=>0x0c0480018290: fa fa fd fd fa[fa]02 fa fa fa 02 fa fa fa fd fa
  0x0c04800182a0: fa fa 02 fa fa fa 06 fa fa fa fd fa fa fa fd fa
  0x0c04800182b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==28776==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

pgpBInBrAkuTf.pgp
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Another out of bounds heap read in bash completion, Hanno Böck <=
- Re: Another out of bounds heap read in bash completion, Chet Ramey, 2015/07/10
  - Re: Another out of bounds heap read in bash completion, Hanno Böck, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Chet Ramey, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Hanno Böck, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Chet Ramey, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Hanno Böck, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Chet Ramey, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Hanno Böck, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Chet Ramey, 2015/07/10
    - Re: Another out of bounds heap read in bash completion, Hanno Böck, 2015/07/10

Prev by Date: Re: ShellShock where my browser window randomly re-encodes with what looks like Chinese
Next by Date: segfault after disabling a loadable builtin
Previous by thread: Please pardon the incorrectly handled anti-spam
Next by thread: Re: Another out of bounds heap read in bash completion
Index(es):
- Date
- Thread