bug-bash

Re: double free or corruption read builtin


From: Eduardo Bustamante
Subject: Re: double free or corruption read builtin
Date: Fri, 5 May 2017 08:38:46 -0500

I'm not sure if this one is related or a separate bug:

dualbus@debian:~$ ~/src/gnu/bash/bash -c 'read -rN3 IFS; read' <<< $'\001\$\\'
=================================================================
==5485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a1cf at pc 0x555ed4236df2 bp 0x7ffc327d20a0 sp 0x7ffc327d2098
WRITE of size 1 at 0x60b00000a1cf thread T0
    #0 0x555ed4236df1 in read_builtin read.def:684
    #1 0x555ed414c9ca in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #2 0x555ed414e5e0 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #3 0x555ed414be60 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #4 0x555ed4139d5f in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #5 0x555ed414264b in execute_connection /home/dualbus/src/gnu/bash/execute_cmd.c:2639
    #6 0x555ed413ab34 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:980
    #7 0x555ed4223904 in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #8 0x555ed4105331 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #9 0x555ed410380a in main /home/dualbus/src/gnu/bash/shell.c:718
    #10 0x7f04ad0682b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x555ed4102679 in _start (/home/dualbus/src/gnu/bash/bash+0x7f679)

0x60b00000a1cf is located 1 bytes to the left of 112-byte region [0x60b00000a1d0,0x60b00000a240)
allocated by thread T0 here:
    #0 0x7f04ad8d5d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555ed42125eb in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x555ed4235575 in read_builtin read.def:361
    #3 0x555ed414c9ca in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #4 0x555ed414e5e0 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #5 0x555ed414be60 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #6 0x555ed4139d5f in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #7 0x555ed414264b in execute_connection /home/dualbus/src/gnu/bash/execute_cmd.c:2639
    #8 0x555ed413ab34 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:980
    #9 0x555ed4223904 in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #10 0x555ed4105331 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #11 0x555ed410380a in main /home/dualbus/src/gnu/bash/shell.c:718
    #12 0x7f04ad0682b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow read.def:684 in read_builtin
Shadow bytes around the buggy address:
  0x0c167fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9430: fa fa fa fa fa fa fa fa fa[fa]00 00 00 00 00 00
  0x0c167fff9440: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c167fff9450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c167fff9460: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c167fff9470: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c167fff9480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5485==ABORTING

dualbus@debian:~$ ~/src/gnu/bash/bash -c 'read -rN3 IFS; read' <<< $'\001\$\\\nx'
*** Error in `/home/dualbus/src/gnu/bash/bash': double free or corruption (out): 0x0000555e691b5040 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7efc21f00bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7efc21f06f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7efc21f0778e]
/home/dualbus/src/gnu/bash/bash(read_builtin+0x164f)[0x555e685d1779]
/home/dualbus/src/gnu/bash/bash(+0x4e034)[0x555e6856d034]
/home/dualbus/src/gnu/bash/bash(+0x4ef10)[0x555e6856df10]
/home/dualbus/src/gnu/bash/bash(+0x4d93a)[0x555e6856c93a]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0x80a)[0x555e685662f0]
/home/dualbus/src/gnu/bash/bash(+0x4a49d)[0x555e6856949d]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0xbc0)[0x555e685666a6]
/home/dualbus/src/gnu/bash/bash(parse_and_execute+0x548)[0x555e685c92d9]
/home/dualbus/src/gnu/bash/bash(+0x2f32f)[0x555e6854e32f]
/home/dualbus/src/gnu/bash/bash(main+0x83a)[0x555e6854d4aa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7efc21eb02b1]
/home/dualbus/src/gnu/bash/bash(_start+0x2a)[0x555e6854cb6a]
Aborted
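A small regression harness, added here and not part of the report above, that feeds both reproducer inputs from the post to a given bash binary and classifies the result by exit status (134 or 139 means the process died on SIGABRT/SIGSEGV, 0 means both reads completed). It pipes the bytes in instead of using the post's here-string so the harness itself stays POSIX sh; the function names and the "fixed"/"crash" labels are this harness's own.

```shell
#!/bin/sh
# Constructed inputs, byte-for-byte the two reproducers from the report:
# CTLESC byte (\001), '$', a backslash, then newline (B adds a second line "x").
INPUT_A='\001$\\\n'
INPUT_B='\001$\\\nx\n'

# classify_read_outcome BASH_BINARY PRINTF_INPUT
# Runs `read -rN3 IFS; read` on the given input and prints one of:
#   fixed        - bash exited 0 (both reads completed normally)
#   crash        - exit 134 (128+SIGABRT) or 139 (128+SIGSEGV)
#   unknown:<rc> - anything else, e.g. 127 when the binary is not found
classify_read_outcome() {
  bin=$1
  input=$2
  rc=0
  # `|| rc=$?` captures a failing status even when the caller has `set -e` on.
  printf '%b' "$input" | "$bin" -c 'read -rN3 IFS; read' >/dev/null 2>&1 || rc=$?
  case $rc in
    0)       echo fixed ;;
    134|139) echo crash ;;
    *)       echo "unknown:$rc" ;;
  esac
}

# check_both BASH_BINARY
# Prints the two verdicts and succeeds only when neither reproducer crashes,
# so it can gate a build in CI.
check_both() {
  a=$(classify_read_outcome "$1" "$INPUT_A")
  b=$(classify_read_outcome "$1" "$INPUT_B")
  printf 'reproducer A: %s, reproducer B: %s\n' "$a" "$b"
  [ "$a" = fixed ] && [ "$b" = fixed ]
}

# Usage: ./check_read_builtin.sh /path/to/bash (defaults to bash on PATH).
if [ "${0##*/}" = "check_read_builtin.sh" ]; then
  check_both "${1:-bash}"
fi
```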
