Re: double free or corruption read builtin
From: Eduardo Bustamante
Subject: Re: double free or corruption read builtin
Date: Fri, 5 May 2017 08:38:46 -0500
I'm not sure if this one is related or a separate bug:
dualbus@debian:~$ ~/src/gnu/bash/bash -c 'read -rN3 IFS; read' <<< $'\001\$\\'
=================================================================
==5485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a1cf at pc 0x555ed4236df2 bp 0x7ffc327d20a0 sp 0x7ffc327d2098
WRITE of size 1 at 0x60b00000a1cf thread T0
    #0 0x555ed4236df1 in read_builtin read.def:684
    #1 0x555ed414c9ca in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #2 0x555ed414e5e0 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #3 0x555ed414be60 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #4 0x555ed4139d5f in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #5 0x555ed414264b in execute_connection /home/dualbus/src/gnu/bash/execute_cmd.c:2639
    #6 0x555ed413ab34 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:980
    #7 0x555ed4223904 in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #8 0x555ed4105331 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #9 0x555ed410380a in main /home/dualbus/src/gnu/bash/shell.c:718
    #10 0x7f04ad0682b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x555ed4102679 in _start (/home/dualbus/src/gnu/bash/bash+0x7f679)

0x60b00000a1cf is located 1 bytes to the left of 112-byte region [0x60b00000a1d0,0x60b00000a240)
allocated by thread T0 here:
    #0 0x7f04ad8d5d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555ed42125eb in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x555ed4235575 in read_builtin read.def:361
    #3 0x555ed414c9ca in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #4 0x555ed414e5e0 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #5 0x555ed414be60 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #6 0x555ed4139d5f in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #7 0x555ed414264b in execute_connection /home/dualbus/src/gnu/bash/execute_cmd.c:2639
    #8 0x555ed413ab34 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:980
    #9 0x555ed4223904 in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #10 0x555ed4105331 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #11 0x555ed410380a in main /home/dualbus/src/gnu/bash/shell.c:718
    #12 0x7f04ad0682b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow read.def:684 in read_builtin
Shadow bytes around the buggy address:
0x0c167fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9430: fa fa fa fa fa fa fa fa fa[fa]00 00 00 00 00 00
0x0c167fff9440: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c167fff9450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c167fff9460: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c167fff9470: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
0x0c167fff9480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5485==ABORTING
dualbus@debian:~$ ~/src/gnu/bash/bash -c 'read -rN3 IFS; read' <<< $'\001\$\\\nx'
*** Error in `/home/dualbus/src/gnu/bash/bash': double free or corruption (out): 0x0000555e691b5040 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7efc21f00bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7efc21f06f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7efc21f0778e]
/home/dualbus/src/gnu/bash/bash(read_builtin+0x164f)[0x555e685d1779]
/home/dualbus/src/gnu/bash/bash(+0x4e034)[0x555e6856d034]
/home/dualbus/src/gnu/bash/bash(+0x4ef10)[0x555e6856df10]
/home/dualbus/src/gnu/bash/bash(+0x4d93a)[0x555e6856c93a]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0x80a)[0x555e685662f0]
/home/dualbus/src/gnu/bash/bash(+0x4a49d)[0x555e6856949d]
/home/dualbus/src/gnu/bash/bash(execute_command_internal+0xbc0)[0x555e685666a6]
/home/dualbus/src/gnu/bash/bash(parse_and_execute+0x548)[0x555e685c92d9]
/home/dualbus/src/gnu/bash/bash(+0x2f32f)[0x555e6854e32f]
/home/dualbus/src/gnu/bash/bash(main+0x83a)[0x555e6854d4aa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7efc21eb02b1]
/home/dualbus/src/gnu/bash/bash(_start+0x2a)[0x555e6854cb6a]
======= Memory map: ========
555e6851f000-555e68659000 r-xp 00000000 fe:01 17568537 /home/dualbus/src/gnu/bash/bash
555e68859000-555e6885c000 r--p 0013a000 fe:01 17568537 /home/dualbus/src/gnu/bash/bash
555e6885c000-555e68866000 rw-p 0013d000 fe:01 17568537 /home/dualbus/src/gnu/bash/bash
555e68866000-555e68870000 rw-p 00000000 00:00 0
555e691a4000-555e691c5000 rw-p 00000000 00:00 0 [heap]
7efc1c000000-7efc1c021000 rw-p 00000000 00:00 0
7efc1c021000-7efc20000000 ---p 00000000 00:00 0
7efc21c79000-7efc21c8f000 r-xp 00000000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc21c8f000-7efc21e8e000 ---p 00016000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc21e8e000-7efc21e8f000 r--p 00015000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc21e8f000-7efc21e90000 rw-p 00016000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc21e90000-7efc22025000 r-xp 00000000 fe:01 1311151 /lib/x86_64-linux-gnu/libc-2.24.so
7efc22025000-7efc22224000 ---p 00195000 fe:01 1311151 /lib/x86_64-linux-gnu/libc-2.24.so
7efc22224000-7efc22228000 r--p 00194000 fe:01 1311151 /lib/x86_64-linux-gnu/libc-2.24.so
7efc22228000-7efc2222a000 rw-p 00198000 fe:01 1311151 /lib/x86_64-linux-gnu/libc-2.24.so
7efc2222a000-7efc2222e000 rw-p 00000000 00:00 0
7efc2222e000-7efc22231000 r-xp 00000000 fe:01 1311170 /lib/x86_64-linux-gnu/libdl-2.24.so
7efc22231000-7efc22430000 ---p 00003000 fe:01 1311170 /lib/x86_64-linux-gnu/libdl-2.24.so
7efc22430000-7efc22431000 r--p 00002000 fe:01 1311170 /lib/x86_64-linux-gnu/libdl-2.24.so
7efc22431000-7efc22432000 rw-p 00003000 fe:01 1311170 /lib/x86_64-linux-gnu/libdl-2.24.so
7efc22432000-7efc22457000 r-xp 00000000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7efc22457000-7efc22657000 ---p 00025000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7efc22657000-7efc2265b000 r--p 00025000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7efc2265b000-7efc2265c000 rw-p 00029000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7efc2265c000-7efc2267f000 r-xp 00000000 fe:01 1310733 /lib/x86_64-linux-gnu/ld-2.24.so
7efc226e7000-7efc226e8000 rw-p 00000000 00:00 0
7efc226e8000-7efc22739000 r--p 00000000 fe:01 26351510 /usr/lib/locale/aa_DJ.utf8/LC_CTYPE
7efc22739000-7efc22869000 r--p 00000000 fe:01 26351509 /usr/lib/locale/aa_DJ.utf8/LC_COLLATE
7efc22869000-7efc2286b000 rw-p 00000000 00:00 0
7efc2286b000-7efc2286c000 r--p 00000000 fe:01 26351533 /usr/lib/locale/aa_ET/LC_NUMERIC
7efc2286c000-7efc2286d000 r--p 00000000 fe:01 26480725 /usr/lib/locale/en_US.utf8/LC_TIME
7efc2286d000-7efc2286e000 r--p 00000000 fe:01 26355066 /usr/lib/locale/chr_US/LC_MONETARY
7efc2286e000-7efc2286f000 r--p 00000000 fe:01 26355282 /usr/lib/locale/en_AG/LC_MESSAGES/SYS_LC_MESSAGES
7efc2286f000-7efc22870000 r--p 00000000 fe:01 26355068 /usr/lib/locale/chr_US/LC_PAPER
7efc22870000-7efc22871000 r--p 00000000 fe:01 26355067 /usr/lib/locale/chr_US/LC_NAME
7efc22871000-7efc22872000 r--p 00000000 fe:01 26480723 /usr/lib/locale/en_US.utf8/LC_ADDRESS
7efc22872000-7efc22873000 r--p 00000000 fe:01 26355069 /usr/lib/locale/chr_US/LC_TELEPHONE
7efc22873000-7efc22874000 r--p 00000000 fe:01 26355064 /usr/lib/locale/chr_US/LC_MEASUREMENT
7efc22874000-7efc2287b000 r--s 00000000 fe:01 25449459 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7efc2287b000-7efc2287c000 r--p 00000000 fe:01 26480724 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7efc2287c000-7efc2287f000 rw-p 00000000 00:00 0
7efc2287f000-7efc22880000 r--p 00023000 fe:01 1310733 /lib/x86_64-linux-gnu/ld-2.24.so
7efc22880000-7efc22881000 rw-p 00024000 fe:01 1310733 /lib/x86_64-linux-gnu/ld-2.24.so
7efc22881000-7efc22882000 rw-p 00000000 00:00 0
7ffe88352000-7ffe88373000 rw-p 00000000 00:00 0 [stack]
7ffe883b3000-7ffe883b5000 r--p 00000000 00:00 0 [vvar]
7ffe883b5000-7ffe883b7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
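The two inputs in the report make a convenient regression check for a local bash build: if the read builtin still has this bug, the shell dies from SIGABRT (the allocator's "double free or corruption" abort, or ASan's) and the exit status comes back as 128 plus the signal number. The script below is an added example, not part of Eduardo's report or of bash itself; it reuses the report's command and the two inputs (constructed here as raw byte strings, exactly as the here-strings supply them), and assumes the bash binary under test is passed as the first argument.

```shell
#!/bin/sh
# Added regression check for the read builtin crash reported above; not part
# of the original report. The bash binary under test is given as the first
# argument to each function. The two inputs are the ones from the report,
# constructed here as raw byte strings (^A is byte 0x01).

# Input 1 from the report: ^A $ \   (the here-string adds the newline later)
report_input_1() { printf '\001$\\'; }

# Input 2 from the report: ^A $ \ newline x
report_input_2() { printf '\001$\\\nx'; }

# Run the reported command under the given bash, feeding one input on stdin.
# The trailing newline mirrors what the here-string in the report supplies.
# Stderr is discarded so the glibc abort message and memory map do not flood
# the terminal; the exit status carries the result.
run_read_case() {
    bash_bin=$1
    input=$2
    printf '%s\n' "$input" | "$bash_bin" -c 'read -rN3 IFS; read' 2>/dev/null
}

# Classify one run: "crash" if bash was terminated by a signal (exit status
# 128+N, which is how SIGABRT from the allocator or from ASan shows up),
# otherwise "ok" (a normal exit, whatever its status).
classify_read_case() {
    status=0
    run_read_case "$1" "$2" || status=$?
    if [ "$status" -ge 128 ]; then
        echo crash
    else
        echo ok
    fi
}

# Run both reported inputs against one bash binary (default: bash on PATH).
# Prints a verdict per input and returns nonzero if either one crashes.
check_read_builtin() {
    bash_bin=${1:-bash}
    result=0
    for n in 1 2; do
        input=$("report_input_$n")
        verdict=$(classify_read_case "$bash_bin" "$input")
        echo "input $n: $verdict"
        [ "$verdict" = ok ] || result=1
    done
    return $result
}

# Usage: sh check_read.sh /path/to/bash
if [ $# -gt 0 ]; then
    check_read_builtin "$1"
fi
```

A crash verdict on a build from the same era means the fix has not been applied; a build that prints "ok" for both inputs has at least stopped aborting on them, which is the behaviour worth pinning in a test suite once the read builtin is patched.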