
double free or corruption read builtin


From: Eduardo Bustamante
Subject: double free or corruption read builtin
Date: Fri, 5 May 2017 00:45:42 -0500

dualbus@debian:~/bash-fuzzing/read$ cat -A 6b
M-^_0^A\$
^N

dualbus@debian:~/bash-fuzzing/read$ od -c 6b
0000000 237   0 001   \  \n 016
0000006

(gdb) file ~/src/gnu/bash/bash
Reading symbols from ~/src/gnu/bash/bash...done.
(gdb) r -c 'exec < 6b; read -N3 -d "" IFS; read a b'
Starting program: /home/dualbus/src/gnu/bash/bash -c 'exec < 6b; read -N3 -d "" IFS; read a b'
*** Error in `/home/dualbus/src/gnu/bash/bash': double free or corruption (out): 0x00005555558b6ac0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ffff767dbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7ffff7683f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7ffff768478e]
/home/dualbus/src/gnu/bash/bash(read_builtin+0x1a58)[0x555555606b82]
/home/dualbus/src/gnu/bash/bash(+0x4e034)[0x5555555a2034]
/home/dualbus/src/gnu/bash/bash(+0x4ef10)[0x5555555a2f10]
/home/dualbus/src/gnu/bash/bash(+0x4d93a)[0x5555555a193a]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0x80a)[0x55555559b2f0]
/home/dualbus/src/gnu/bash/bash(+0x4a49d)[0x55555559e49d]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0xbc0)[0x55555559b6a6]
/home/dualbus/src/gnu/bash/bash(parse_and_execute+0x548)[0x5555555fe2d9]
/home/dualbus/src/gnu/bash/bash(+0x2f32f)[0x55555558332f]
/home/dualbus/src/gnu/bash/bash(main+0x83a)[0x5555555824aa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff762d2b1]
/home/dualbus/src/gnu/bash/bash(_start+0x2a)[0x555555581b6a]
======= Memory map: ========
555555554000-55555568e000 r-xp 00000000 fe:01 17570340
  /home/dualbus/src/gnu/bash/bash
55555588e000-555555891000 r--p 0013a000 fe:01 17570340
  /home/dualbus/src/gnu/bash/bash
555555891000-55555589b000 rw-p 0013d000 fe:01 17570340
  /home/dualbus/src/gnu/bash/bash
55555589b000-5555558c6000 rw-p 00000000 00:00 0                          [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff73f6000-7ffff740c000 r-xp 00000000 fe:01 1310769
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff740c000-7ffff760b000 ---p 00016000 fe:01 1310769
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff760b000-7ffff760c000 r--p 00015000 fe:01 1310769
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff760c000-7ffff760d000 rw-p 00016000 fe:01 1310769
  /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff760d000-7ffff77a2000 r-xp 00000000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7ffff77a2000-7ffff79a1000 ---p 00195000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7ffff79a1000-7ffff79a5000 r--p 00194000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7ffff79a5000-7ffff79a7000 rw-p 00198000 fe:01 1311151
  /lib/x86_64-linux-gnu/libc-2.24.so
7ffff79a7000-7ffff79ab000 rw-p 00000000 00:00 0
7ffff79ab000-7ffff79ae000 r-xp 00000000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7ffff79ae000-7ffff7bad000 ---p 00003000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7ffff7bad000-7ffff7bae000 r--p 00002000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7ffff7bae000-7ffff7baf000 rw-p 00003000 fe:01 1311170
  /lib/x86_64-linux-gnu/libdl-2.24.so
7ffff7baf000-7ffff7bd4000 r-xp 00000000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff7bd4000-7ffff7dd4000 ---p 00025000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff7dd4000-7ffff7dd8000 r--p 00025000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff7dd8000-7ffff7dd9000 rw-p 00029000 fe:01 1310814
  /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff7dd9000-7ffff7dfc000 r-xp 00000000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7e60000-7ffff7e61000 rw-p 00000000 00:00 0
7ffff7e61000-7ffff7eb2000 r--p 00000000 fe:01 26351510
  /usr/lib/locale/aa_DJ.utf8/LC_CTYPE
7ffff7eb2000-7ffff7fe2000 r--p 00000000 fe:01 26351509
  /usr/lib/locale/aa_DJ.utf8/LC_COLLATE
7ffff7fe2000-7ffff7fe4000 rw-p 00000000 00:00 0
7ffff7fe4000-7ffff7fe5000 r--p 00000000 fe:01 26351533
  /usr/lib/locale/aa_ET/LC_NUMERIC
7ffff7fe5000-7ffff7fe6000 r--p 00000000 fe:01 26480725
  /usr/lib/locale/en_US.utf8/LC_TIME
7ffff7fe6000-7ffff7fe7000 r--p 00000000 fe:01 26355066
  /usr/lib/locale/chr_US/LC_MONETARY
7ffff7fe7000-7ffff7fe8000 r--p 00000000 fe:01 26355282
  /usr/lib/locale/en_AG/LC_MESSAGES/SYS_LC_MESSAGES
7ffff7fe8000-7ffff7fe9000 r--p 00000000 fe:01 26355068
  /usr/lib/locale/chr_US/LC_PAPER
7ffff7fe9000-7ffff7fea000 r--p 00000000 fe:01 26355067
  /usr/lib/locale/chr_US/LC_NAME
7ffff7fea000-7ffff7feb000 r--p 00000000 fe:01 26480723
  /usr/lib/locale/en_US.utf8/LC_ADDRESS
7ffff7feb000-7ffff7fec000 r--p 00000000 fe:01 26355069
  /usr/lib/locale/chr_US/LC_TELEPHONE
7ffff7fec000-7ffff7fed000 r--p 00000000 fe:01 26355064
  /usr/lib/locale/chr_US/LC_MEASUREMENT
7ffff7fed000-7ffff7ff4000 r--s 00000000 fe:01 25449459
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7ffff7ff4000-7ffff7ff5000 r--p 00000000 fe:01 26480724
  /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00023000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00024000 fe:01 1310733
  /lib/x86_64-linux-gnu/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
  [vsyscall]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff76413fa in __GI_abort () at abort.c:89
#2  0x00007ffff767dbd0 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7ffff7772bd0 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7683f96 in malloc_printerr (action=3,
    str=0x7ffff7772c98 "double free or corruption (out)", ptr=<optimized out>,
    ar_ptr=<optimized out>) at malloc.c:5046
#4  0x00007ffff768478e in _int_free (av=0x7ffff79a5b00 <main_arena>,
p=0x5555558b6ab0, have_lock=0) at malloc.c:3902
#5  0x0000555555606b82 in read_builtin (list=0x5555558b69a0) at ./read.def:921
#6  0x00005555555a2034 in execute_builtin (builtin=0x55555560512a
<read_builtin>, words=0x5555558b6aa0, flags=0, subshell=0)
    at execute_cmd.c:4605
#7  0x00005555555a2f10 in execute_builtin_or_function
(words=0x5555558b6aa0, builtin=0x55555560512a <read_builtin>, var=0x0,
    redirects=0x0, fds_to_close=0x5555558b6180, flags=0) at execute_cmd.c:5103
#8  0x00005555555a193a in execute_simple_command
(simple_command=0x5555558b6060, pipe_in=-1, pipe_out=-1, async=0,
    fds_to_close=0x5555558b6180) at execute_cmd.c:4391
#9  0x000055555559b2f0 in execute_command_internal
(command=0x5555558b6030, asynchronous=0, pipe_in=-1, pipe_out=-1,
    fds_to_close=0x5555558b6180) at execute_cmd.c:811
#10 0x000055555559e49d in execute_connection (command=0x5555558b6150,
asynchronous=0, pipe_in=-1, pipe_out=-1,
    fds_to_close=0x5555558b6180) at execute_cmd.c:2639
#11 0x000055555559b6a6 in execute_command_internal
(command=0x5555558b6150, asynchronous=0, pipe_in=-1, pipe_out=-1,
    fds_to_close=0x5555558b6180) at execute_cmd.c:980
#12 0x00005555555fe2d9 in parse_and_execute (string=0x5555558b3db0
"exec < 6b; read -N3 -d \"\" IFS; read a b",
    from_file=0x555555656b70 "-c", flags=4) at evalstring.c:430
#13 0x000055555558332f in run_one_command (command=0x7fffffffe700
"exec < 6b; read -N3 -d \"\" IFS; read a b") at shell.c:1405
#14 0x00005555555824aa in main (argc=3, argv=0x7fffffffe448,
env=0x7fffffffe468) at shell.c:718


