bug-bash
Re: Another out of bounds heap read in bash completion


From: Hanno Böck
Subject: Re: Another out of bounds heap read in bash completion
Date: Fri, 10 Jul 2015 20:38:48 +0200

Hi Chet,

On Fri, 10 Jul 2015 14:23:25 -0400
Chet Ramey <chet.ramey@case.edu> wrote:

> > To reproduce:
> > a) compile bash with CFLAGS="-fsanitize=address -g"
> > b) type in a=/ a
> > c) go back with the cursor behind the backslash and press tab
> 
> Thanks for the report.  I've attached a patch that should address the
> problem.  It's not in bash-4.4-alpha.

Can confirm the patch fixes the issue.

However, in 4.4 alpha I still get an ASan error. However, the stack trace
is different.

Here's the asan message on 4.4 alpha:
==5999==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d6f at pc 0x5ca2b8 bp 0x7fffc9d75240 sp 0x7fffc9d75230
READ of size 1 at 0x602000002d6f thread T0
    #0 0x5ca2b7 in printable_part /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738
    #1 0x5ce776 in rl_display_match_list /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1571
    #2 0x5cf358 in display_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1753
    #3 0x5d1448 in rl_complete_internal /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:2124
    #4 0x5c986a in rl_complete /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:431
    #5 0x5b7457 in _rl_dispatch_subseq /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:860
    #6 0x5b7032 in _rl_dispatch /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:803
    #7 0x5b683d in readline_internal_char /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:630
    #8 0x5b68cd in readline_internal_charloop /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:657
    #9 0x5b68f6 in readline_internal /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:671
    #10 0x5b5f1e in readline /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:376
    #11 0x42ea53 in yy_readline_get /usr/homes/chet/src/bash/src/parse.y:1452
    #12 0x42e8ff in yy_getc /usr/homes/chet/src/bash/src/parse.y:1386
    #13 0x430c31 in shell_getc /usr/homes/chet/src/bash/src/parse.y:2288
    #14 0x433468 in read_token /usr/homes/chet/src/bash/src/parse.y:3080
    #15 0x432144 in yylex /usr/homes/chet/src/bash/src/parse.y:2662
    #16 0x4270b1 in yyparse /mnt/ram/bash-4.4-alpha/y.tab.c:1830
    #17 0x426117 in parse_command /mnt/ram/bash-4.4-alpha/eval.c:241
    #18 0x426358 in read_command /mnt/ram/bash-4.4-alpha/eval.c:285
    #19 0x425921 in reader_loop /mnt/ram/bash-4.4-alpha/eval.c:148
    #20 0x420bdf in main /mnt/ram/bash-4.4-alpha/shell.c:760
    #21 0x7feffcaebf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #22 0x41f948 (/mnt/ram/bash-4.4-alpha/bash+0x41f948)

0x602000002d6f is located 1 bytes to the left of 2-byte region [0x602000002d70,0x602000002d72)
allocated by thread T0 here:
    #0 0x7feffd31b787 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57787)
    #1 0x52f7c1 in xmalloc /mnt/ram/bash-4.4-alpha/xmalloc.c:112
    #2 0x5cc9bf in remove_duplicate_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1266
    #3 0x5ce21b in postprocess_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1485
    #4 0x5d0dcb in rl_complete_internal /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:2053
    #5 0x5c986a in rl_complete /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:431
    #6 0x5b7457 in _rl_dispatch_subseq /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:860
    #7 0x5b7032 in _rl_dispatch /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:803
    #8 0x5b683d in readline_internal_char /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:630
    #9 0x5b68cd in readline_internal_charloop /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:657
    #10 0x5b68f6 in readline_internal /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:671
    #11 0x5b5f1e in readline /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:376
    #12 0x42ea53 in yy_readline_get /usr/homes/chet/src/bash/src/parse.y:1452
    #13 0x42e8ff in yy_getc /usr/homes/chet/src/bash/src/parse.y:1386
    #14 0x430c31 in shell_getc /usr/homes/chet/src/bash/src/parse.y:2288
    #15 0x433468 in read_token /usr/homes/chet/src/bash/src/parse.y:3080
    #16 0x432144 in yylex /usr/homes/chet/src/bash/src/parse.y:2662
    #17 0x4270b1 in yyparse /mnt/ram/bash-4.4-alpha/y.tab.c:1830
    #18 0x426117 in parse_command /mnt/ram/bash-4.4-alpha/eval.c:241
    #19 0x426358 in read_command /mnt/ram/bash-4.4-alpha/eval.c:285
    #20 0x425921 in reader_loop /mnt/ram/bash-4.4-alpha/eval.c:148
    #21 0x420bdf in main /mnt/ram/bash-4.4-alpha/shell.c:760
    #22 0x7feffcaebf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738 printable_part
Shadow bytes around the buggy address:
  0x0c047fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]02 fa
  0x0c047fff85b0: fa fa fd fa fa fa 07 fa fa fa 06 fa fa fa 00 05
  0x0c047fff85c0: fa fa 06 fa fa fa 06 fa fa fa 06 fa fa fa 06 fa
  0x0c047fff85d0: fa fa 06 fa fa fa 00 fa fa fa 06 fa fa fa 07 fa
  0x0c047fff85e0: fa fa 07 fa fa fa 07 fa fa fa 06 fa fa fa 07 fa
  0x0c047fff85f0: fa fa 00 fa fa fa 06 fa fa fa 06 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5999==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

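Added illustration, not code from readline, from bash, or from anyone in this thread: a small C program showing the bug class the ASan report above describes. The report says a 1-byte READ landed 1 byte to the left of a 2-byte heap region, which is the footprint of a backward scan for a previous '/' that forms and dereferences a pointer just before the start of the allocation when the string is a lone "/" (one character plus the NUL). The function names, the unsafe variant and the sample inputs are made up for this example; the hardened variant only looks at x[-1] while x is strictly past the start of the buffer, so it can never touch memory before the allocation.

```c
/* Added example (not readline's printable_part): an off-by-one backward
 * scan that reads 1 byte before a heap allocation, and a bounds-safe rewrite.
 * Build with: cc -g -fsanitize=address oob_left.c -o oob_left */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical unsafe version. For path == "/" (a 2-byte allocation: '/'
 * and NUL), temp == path, so x = temp - 1 points 1 byte before the buffer.
 * The loop guard x > path is false, but *x is still dereferenced in the
 * return expression: under ASan that is a heap-buffer-overflow READ of
 * size 1, 1 byte to the left of a 2-byte region, the shape seen above. */
static const char *printable_part_unsafe(const char *path)
{
    const char *temp = strrchr(path, '/');
    const char *x;

    if (temp == NULL || *temp == '\0')
        return path;                        /* no slash: show the whole name */
    if (temp[1] == '\0') {                  /* trailing slash, e.g. "/usr/src/" */
        for (x = temp - 1; x > path; x--)   /* x == path - 1 when temp == path */
            if (*x == '/')
                break;
        return (*x == '/') ? x + 1 : path;  /* out-of-bounds read when temp == path */
    }
    return temp + 1;
}

/* Hardened version: never forms or reads through a pointer before path.
 * x[-1] is only examined while x > path, and the lone "/" case is handled
 * before any backward scan starts. */
static const char *printable_part_safe(const char *path)
{
    const char *temp = strrchr(path, '/');

    if (temp == NULL || *temp == '\0')
        return path;
    if (temp == path)                       /* "/" alone: nothing precedes the slash */
        return path;
    if (temp[1] == '\0') {
        const char *x = temp;
        while (x > path && x[-1] != '/')    /* stop at a previous '/' or at path */
            x--;
        return x;                           /* "src/" for "/usr/src/", path for "foo/" */
    }
    return temp + 1;
}

int main(void)
{
    /* Constructed input mirroring the report's 2-byte region: "/" plus NUL. */
    char *lone_slash = malloc(2);
    if (lone_slash == NULL)
        return 1;
    memcpy(lone_slash, "/", 2);

    printf("safe  (\"/\")         -> \"%s\"\n", printable_part_safe(lone_slash));
    printf("safe  (\"/usr/src/\") -> \"%s\"\n", printable_part_safe("/usr/src/"));
    printf("unsafe(\"/usr/src/\") -> \"%s\"\n", printable_part_unsafe("/usr/src/"));
    /* Uncomment under -fsanitize=address to see the 1-byte-left READ report:
     * printf("%s\n", printable_part_unsafe(lone_slash)); */

    free(lone_slash);
    return 0;
}
```

The interesting check is the order of operations in the unsafe loop: the guard protects the loop body, but the pointer was already formed one byte before the allocation, and the final use of *x after the loop is what ASan catches. Reading from a string literal in the unsafe call above is fine because "/usr/src/" never hits the temp == path branch; the malloc'd lone slash is what reproduces the report's shape.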
