bug-bash

Remaining memory corruption bugs in readline


From: dualbus
Subject: Remaining memory corruption bugs in readline
Date: Fri, 2 Jun 2017 00:07:34 -0500
User-agent: NeoMutt/20170113 (1.7.2)

I'm using the latest `devel' commit as a reference:

dualbus@debian:~/src/gnu/bash$ git show -q HEAD
commit 1110e30870a8782425067a060d89cc411b014418
Author: Chet Ramey <chet.ramey@case.edu>
Date:   Wed May 31 15:53:02 2017 -0400

    commit bash-snap-20170531 snapshot

Since there are still many memory corruption issues, and I'm not smart
enough to even try and see what's going on here, I'm just enumerating the
different cases I've seen so far (unique stack traces).


All of these were obtained by running:

    ./bash -c 'read -e' < $input

with the isatty check disabled in the `read' builtin.


#1 _rl_get_char_len / update_line

  dualbus@debian:~/asan/3f3e$ tail -n +1 crash.5781 input.5781
  ==> crash.5781 <==
  =================================================================
  ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61900000cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
  READ of size 851 at 0x61900000cc80 thread T0
      #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
      #1 0x559b50a04821 in _rl_get_char_len 
../../../bash/lib/readline/mbutil.c:223
      #2 0x559b50a048e0 in _rl_compare_chars 
../../../bash/lib/readline/mbutil.c:252
      #3 0x559b509db526 in update_line ../../../bash/lib/readline/display.c:1664
      #4 0x559b509d935b in rl_redisplay 
../../../bash/lib/readline/display.c:1150
      #5 0x559b509a20be in _rl_internal_char_cleanup 
../../../bash/lib/readline/readline.c:514
      #6 0x559b509a2494 in readline_internal_char 
../../../bash/lib/readline/readline.c:638
      #7 0x559b509a24b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #8 0x559b509a24d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #9 0x559b509a1b8b in readline ../../../bash/lib/readline/readline.c:374
      #10 0x559b5095cf60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #11 0x559b5095a8d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #12 0x559b50870c19 in execute_builtin ../bash/execute_cmd.c:4609
      #13 0x559b5087282f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #14 0x559b508700af in execute_simple_command ../bash/execute_cmd.c:4395
      #15 0x559b5085ded2 in execute_command_internal ../bash/execute_cmd.c:811
      #16 0x559b508667be in execute_connection ../bash/execute_cmd.c:2639
      #17 0x559b5085eca7 in execute_command_internal ../bash/execute_cmd.c:980
      #18 0x559b50947f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #19 0x559b50829391 in run_one_command ../bash/shell.c:1405
      #20 0x559b5082786a in main ../bash/shell.c:718
      #21 0x7f400c8232b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      #22 0x559b508266d9 in _start 
(/home/dualbus/src/gnu/bash-build/bash+0x7f6d9)
  
  0x61900000cc80 is located 0 bytes to the right of 1024-byte region 
[0x61900000c880,0x61900000cc80)
  allocated by thread T0 here:
      #0 0x7f400d090d28 in malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
      #1 0x559b50936bf6 in xmalloc ../bash/xmalloc.c:112
      #2 0x559b509d40f9 in init_line_structures 
../../../bash/lib/readline/display.c:608
      #3 0x559b509d492c in rl_redisplay ../../../bash/lib/readline/display.c:677
      #4 0x559b509a1d88 in readline_internal_setup 
../../../bash/lib/readline/readline.c:444
      #5 0x559b509a24d0 in readline_internal 
../../../bash/lib/readline/readline.c:669
      #6 0x559b509a1b8b in readline ../../../bash/lib/readline/readline.c:374
      #7 0x559b5095cf60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #8 0x559b5095a8d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #9 0x559b50870c19 in execute_builtin ../bash/execute_cmd.c:4609
      #10 0x559b5087282f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #11 0x559b508700af in execute_simple_command ../bash/execute_cmd.c:4395
      #12 0x559b5085ded2 in execute_command_internal ../bash/execute_cmd.c:811
      #13 0x559b508667be in execute_connection ../bash/execute_cmd.c:2639
      #14 0x559b5085eca7 in execute_command_internal ../bash/execute_cmd.c:980
      #15 0x559b50947f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #16 0x559b50829391 in run_one_command ../bash/shell.c:1405
      #17 0x559b5082786a in main ../bash/shell.c:718
      #18 0x7f400c8232b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
  
  SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) 
  Shadow bytes around the buggy address:
    0x0c327fff9940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c327fff9990:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c327fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c327fff99b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff99c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff99d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c327fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Heap right redzone:      fb
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack partial redzone:   f4
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
  ==5781==ABORTING
  
  ==> input.5781 <==
  NzY37gEuGyq7FbsVGRkZGTc+Ju4BNz4m7gEuGyq7FbsVGRkZGREKGRkZGQCAATwRgAFgGRk4GQAB
  RIAABw4a/4gAEAU=


#2 Memory leak

  dualbus@debian:~/asan/d41d$ tail -n +1 crash.11263 input.11263
  ==> crash.11263 <==
  
  =================================================================
  ==11263==ERROR: LeakSanitizer: detected memory leaks
  
  Direct leak of 32 byte(s) in 1 object(s) allocated from:
      #0 0x7f0bf9186d28 in malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
      #1 0x5599adcd4bf6 in xmalloc ../bash/xmalloc.c:112
      #2 0x5599adbf0253 in make_bare_simple_command ../bash/make_cmd.c:504
      #3 0x5599adbf0497 in make_simple_command ../bash/make_cmd.c:531
      #4 0x5599adbcded9 in yyparse ../bash/parse.y:734
      #5 0x5599adbcaea2 in parse_command ../bash/eval.c:294
      #6 0x5599adce5363 in parse_and_execute 
../../bash/builtins/evalstring.c:346
      #7 0x5599adc6345f in command_substitute ../bash/subst.c:6107
      #8 0x5599adc78439 in expand_word_internal ../bash/subst.c:9720
      #9 0x5599adc5825b in call_expand_word_internal ../bash/subst.c:3650
      #10 0x5599adc591c0 in expand_word ../bash/subst.c:3928
      #11 0x5599adcbad34 in shell_expand_line ../bash/bashline.c:2735
      #12 0x5599add41005 in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:851
      #13 0x5599add417e7 in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:985
      #14 0x5599add40be0 in _rl_dispatch 
../../../bash/lib/readline/readline.c:797
      #15 0x5599add4041f in readline_internal_char 
../../../bash/lib/readline/readline.c:629
      #16 0x5599add404b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #17 0x5599add404d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #18 0x5599add3fb8b in readline ../../../bash/lib/readline/readline.c:374
      #19 0x5599adcfaf60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #20 0x5599adcf88d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #21 0x5599adc0ec19 in execute_builtin ../bash/execute_cmd.c:4609
      #22 0x5599adc1082f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #23 0x5599adc0e0af in execute_simple_command ../bash/execute_cmd.c:4395
      #24 0x5599adbfbed2 in execute_command_internal ../bash/execute_cmd.c:811
      #25 0x5599adc047be in execute_connection ../bash/execute_cmd.c:2639
      #26 0x5599adbfcca7 in execute_command_internal ../bash/execute_cmd.c:980
      #27 0x5599adce5f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #28 0x5599adbc7391 in run_one_command ../bash/shell.c:1405
      #29 0x5599adbc586a in main ../bash/shell.c:718
  
  Indirect leak of 24 byte(s) in 1 object(s) allocated from:
      #0 0x7f0bf9186d28 in malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
      #1 0x5599adcd4bf6 in xmalloc ../bash/xmalloc.c:112
      #2 0x5599adbf0261 in make_bare_simple_command ../bash/make_cmd.c:505
      #3 0x5599adbf0497 in make_simple_command ../bash/make_cmd.c:531
      #4 0x5599adbcded9 in yyparse ../bash/parse.y:734
      #5 0x5599adbcaea2 in parse_command ../bash/eval.c:294
      #6 0x5599adce5363 in parse_and_execute 
../../bash/builtins/evalstring.c:346
      #7 0x5599adc6345f in command_substitute ../bash/subst.c:6107
      #8 0x5599adc78439 in expand_word_internal ../bash/subst.c:9720
      #9 0x5599adc5825b in call_expand_word_internal ../bash/subst.c:3650
      #10 0x5599adc591c0 in expand_word ../bash/subst.c:3928
      #11 0x5599adcbad34 in shell_expand_line ../bash/bashline.c:2735
      #12 0x5599add41005 in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:851
      #13 0x5599add417e7 in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:985
      #14 0x5599add40be0 in _rl_dispatch 
../../../bash/lib/readline/readline.c:797
      #15 0x5599add4041f in readline_internal_char 
../../../bash/lib/readline/readline.c:629
      #16 0x5599add404b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #17 0x5599add404d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #18 0x5599add3fb8b in readline ../../../bash/lib/readline/readline.c:374
      #19 0x5599adcfaf60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #20 0x5599adcf88d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #21 0x5599adc0ec19 in execute_builtin ../bash/execute_cmd.c:4609
      #22 0x5599adc1082f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #23 0x5599adc0e0af in execute_simple_command ../bash/execute_cmd.c:4395
      #24 0x5599adbfbed2 in execute_command_internal ../bash/execute_cmd.c:811
      #25 0x5599adc047be in execute_connection ../bash/execute_cmd.c:2639
      #26 0x5599adbfcca7 in execute_command_internal ../bash/execute_cmd.c:980
      #27 0x5599adce5f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #28 0x5599adbc7391 in run_one_command ../bash/shell.c:1405
      #29 0x5599adbc586a in main ../bash/shell.c:718
  
  SUMMARY: AddressSanitizer: 56 byte(s) leaked in 2 allocation(s).
  
  ==> input.11263 <==
  AAIbLbUAAlsQGDIYFRwYGBkTGJgZGBgYGAAXGBkYGvgXFBg2


#3 _rl_find_prev_mbchar_internal / update_line

  dualbus@debian:~/asan/a9fd$ tail -n +1 crash.21027 input.21027
  ==> crash.21027 <==
  =================================================================
  ==21027==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61900000cc80 at pc 0x7fb18d925063 bp 0x7fffd7a0e960 sp 0x7fffd7a0e110
  READ of size 942 at 0x61900000cc80 thread T0
      #0 0x7fb18d925062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
      #1 0x55f2feff057f in _rl_find_prev_mbchar_internal 
../../../bash/lib/readline/mbutil.c:162
      #2 0x55f2feff1057 in _rl_find_prev_mbchar 
../../../bash/lib/readline/mbutil.c:369
      #3 0x55f2fefc792d in update_line ../../../bash/lib/readline/display.c:1720
      #4 0x55f2fefc535b in rl_redisplay 
../../../bash/lib/readline/display.c:1150
      #5 0x55f2fef8e0be in _rl_internal_char_cleanup 
../../../bash/lib/readline/readline.c:514
      #6 0x55f2fef8e494 in readline_internal_char 
../../../bash/lib/readline/readline.c:638
      #7 0x55f2fef8e4b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #8 0x55f2fef8e4d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #9 0x55f2fef8db8b in readline ../../../bash/lib/readline/readline.c:374
      #10 0x55f2fef48f60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #11 0x55f2fef468d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #12 0x55f2fee5cc19 in execute_builtin ../bash/execute_cmd.c:4609
      #13 0x55f2fee5e82f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #14 0x55f2fee5c0af in execute_simple_command ../bash/execute_cmd.c:4395
      #15 0x55f2fee49ed2 in execute_command_internal ../bash/execute_cmd.c:811
      #16 0x55f2fee527be in execute_connection ../bash/execute_cmd.c:2639
      #17 0x55f2fee4aca7 in execute_command_internal ../bash/execute_cmd.c:980
      #18 0x55f2fef33f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #19 0x55f2fee15391 in run_one_command ../bash/shell.c:1405
      #20 0x55f2fee1386a in main ../bash/shell.c:718
      #21 0x7fb18d13d2b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      #22 0x55f2fee126d9 in _start 
(/home/dualbus/src/gnu/bash-build/bash+0x7f6d9)
  
  0x61900000cc80 is located 0 bytes to the right of 1024-byte region 
[0x61900000c880,0x61900000cc80)
  allocated by thread T0 here:
      #0 0x7fb18d9aad28 in malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
      #1 0x55f2fef22bf6 in xmalloc ../bash/xmalloc.c:112
      #2 0x55f2fefc00f9 in init_line_structures 
../../../bash/lib/readline/display.c:608
      #3 0x55f2fefc092c in rl_redisplay ../../../bash/lib/readline/display.c:677
      #4 0x55f2fef8dd88 in readline_internal_setup 
../../../bash/lib/readline/readline.c:444
      #5 0x55f2fef8e4d0 in readline_internal 
../../../bash/lib/readline/readline.c:669
      #6 0x55f2fef8db8b in readline ../../../bash/lib/readline/readline.c:374
      #7 0x55f2fef48f60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #8 0x55f2fef468d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #9 0x55f2fee5cc19 in execute_builtin ../bash/execute_cmd.c:4609
      #10 0x55f2fee5e82f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #11 0x55f2fee5c0af in execute_simple_command ../bash/execute_cmd.c:4395
      #12 0x55f2fee49ed2 in execute_command_internal ../bash/execute_cmd.c:811
      #13 0x55f2fee527be in execute_connection ../bash/execute_cmd.c:2639
      #14 0x55f2fee4aca7 in execute_command_internal ../bash/execute_cmd.c:980
      #15 0x55f2fef33f55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #16 0x55f2fee15391 in run_one_command ../bash/shell.c:1405
      #17 0x55f2fee1386a in main ../bash/shell.c:718
      #18 0x7fb18d13d2b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
  
  SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) 
  ==21027==ABORTING
  
  ==> input.21027 <==
  AAIbLbUAAlsQGDIYFRwYGBkYGJgYGBf5MQAYGBgwGAEAAEAYGBgYAAAEAJIY+xcYGRgYGDkXGDY=

#4 _rl_get_char_len / update_line

  dualbus@debian:~/asan/51ea$ tail -n +1 crash.8188 input.8188
  ==> crash.8188 <==
  =================================================================
  ==8188==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61d00001d480 at pc 0x7f51dd3ca063 bp 0x7ffd8c2b8100 sp 0x7ffd8c2b78b0
  READ of size 1434 at 0x61d00001d480 thread T0
      #0 0x7f51dd3ca062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
      #1 0x564c2a549821 in _rl_get_char_len 
../../../bash/lib/readline/mbutil.c:223
      #2 0x564c2a5498e0 in _rl_compare_chars 
../../../bash/lib/readline/mbutil.c:252
      #3 0x564c2a520526 in update_line ../../../bash/lib/readline/display.c:1664
      #4 0x564c2a51e35b in rl_redisplay 
../../../bash/lib/readline/display.c:1150
      #5 0x564c2a523ec7 in rl_message ../../../bash/lib/readline/display.c:2643
      #6 0x564c2a51267e in rl_display_search 
../../../bash/lib/readline/isearch.c:196
      #7 0x564c2a517901 in rl_search_history 
../../../bash/lib/readline/isearch.c:750
      #8 0x564c2a5124c3 in rl_forward_search_history 
../../../bash/lib/readline/isearch.c:144
      #9 0x564c2a4e8005 in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:851
      #10 0x564c2a4e7be0 in _rl_dispatch 
../../../bash/lib/readline/readline.c:797
      #11 0x564c2a4e741f in readline_internal_char 
../../../bash/lib/readline/readline.c:629
      #12 0x564c2a4e74b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #13 0x564c2a4e74d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #14 0x564c2a4e6b8b in readline ../../../bash/lib/readline/readline.c:374
      #15 0x564c2a4a1f60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #16 0x564c2a49f8d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #17 0x564c2a3b5c19 in execute_builtin ../bash/execute_cmd.c:4609
      #18 0x564c2a3b782f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #19 0x564c2a3b50af in execute_simple_command ../bash/execute_cmd.c:4395
      #20 0x564c2a3a2ed2 in execute_command_internal ../bash/execute_cmd.c:811
      #21 0x564c2a3ab7be in execute_connection ../bash/execute_cmd.c:2639
      #22 0x564c2a3a3ca7 in execute_command_internal ../bash/execute_cmd.c:980
      #23 0x564c2a48cf55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #24 0x564c2a36e391 in run_one_command ../bash/shell.c:1405
      #25 0x564c2a36c86a in main ../bash/shell.c:718
      #26 0x7f51dcbe22b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      #27 0x564c2a36b6d9 in _start 
(/home/dualbus/src/gnu/bash-build/bash+0x7f6d9)
  
  0x61d00001d480 is located 0 bytes to the right of 2048-byte region 
[0x61d00001cc80,0x61d00001d480)
  allocated by thread T0 here:
      #0 0x7f51dd450090 in realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
      #1 0x564c2a47bc61 in xrealloc ../bash/xmalloc.c:133
      #2 0x564c2a51a850 in rl_redisplay ../../../bash/lib/readline/display.c:929
      #3 0x564c2a4e70be in _rl_internal_char_cleanup 
../../../bash/lib/readline/readline.c:514
      #4 0x564c2a4e7494 in readline_internal_char 
../../../bash/lib/readline/readline.c:638
      #5 0x564c2a4e74b1 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #6 0x564c2a4e74d5 in readline_internal 
../../../bash/lib/readline/readline.c:670
      #7 0x564c2a4e6b8b in readline ../../../bash/lib/readline/readline.c:374
      #8 0x564c2a4a1f60 in edit_line 
../../bash/builtins/../../bash/builtins/read.def:1090
      #9 0x564c2a49f8d1 in read_builtin 
../../bash/builtins/../../bash/builtins/read.def:554
      #10 0x564c2a3b5c19 in execute_builtin ../bash/execute_cmd.c:4609
      #11 0x564c2a3b782f in execute_builtin_or_function 
../bash/execute_cmd.c:5107
      #12 0x564c2a3b50af in execute_simple_command ../bash/execute_cmd.c:4395
      #13 0x564c2a3a2ed2 in execute_command_internal ../bash/execute_cmd.c:811
      #14 0x564c2a3ab7be in execute_connection ../bash/execute_cmd.c:2639
      #15 0x564c2a3a3ca7 in execute_command_internal ../bash/execute_cmd.c:980
      #16 0x564c2a48cf55 in parse_and_execute 
../../bash/builtins/evalstring.c:430
      #17 0x564c2a36e391 in run_one_command ../bash/shell.c:1405
      #18 0x564c2a36c86a in main ../bash/shell.c:718
      #19 0x7f51dcbe22b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
  
  SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) 
  ==8188==ABORTING
  
  ==> input.8188 <==
  G////3/MhxWAbN28ICAg+vr6zGwhGQCA/xkZGSsZGToZA+j/GRkZGRkYvAAAEACAKR0ZPj4ZGf86
  UBcZBf//BRAAgCkeGT4+GRn/OlAXGRkZGP4ZIRkAgP/4GBkZGRmUlJSUlJSUlEtLHBMZWmBKP0sZ
  GRkZH7S8GRn/ICE=


The rest of the traces I'm seeing seem to be variations of the above.

-- 
Eduardo Bustamante
https://dualbus.me/
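The report above groups crash files by hand into "unique stack traces". The following is an added example, not part of the original message and not bash or readline code, that does the same triage mechanically: it parses the first stack of each ASan/LSan report, skips sanitizer interceptor frames, and buckets reports by bug kind plus the top in-program frames, so crashes #1 and #4 (same `_rl_get_char_len` / `update_line` top frames, different callers) land together at depth 3 and apart at depth 5. The sample reports are constructed excerpts shaped like the traces above, abridged to a few frames each.

```python
import re
from collections import defaultdict

# Constructed sample crash files in the ASan/LSan report shape seen above,
# abridged to a few frames each (not the page's traces verbatim).
SAMPLE_REPORTS = {
    "crash.5781": """\
==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000cc80
    #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
    #1 0x559b50a04821 in _rl_get_char_len ../../../bash/lib/readline/mbutil.c:223
    #2 0x559b50a048e0 in _rl_compare_chars ../../../bash/lib/readline/mbutil.c:252
    #3 0x559b509db526 in update_line ../../../bash/lib/readline/display.c:1664
    #4 0x559b509d935b in rl_redisplay ../../../bash/lib/readline/display.c:1150
    #5 0x559b509a20be in _rl_internal_char_cleanup ../../../bash/lib/readline/readline.c:514

allocated by thread T0 here:
    #0 0x7f400d090d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x559b50936bf6 in xmalloc ../bash/xmalloc.c:112
""",
    "crash.8188": """\
==8188==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d480
    #0 0x7f51dd3ca062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
    #1 0x564c2a549821 in _rl_get_char_len ../../../bash/lib/readline/mbutil.c:223
    #2 0x564c2a5498e0 in _rl_compare_chars ../../../bash/lib/readline/mbutil.c:252
    #3 0x564c2a520526 in update_line ../../../bash/lib/readline/display.c:1664
    #4 0x564c2a51e35b in rl_redisplay ../../../bash/lib/readline/display.c:1150
    #5 0x564c2a523ec7 in rl_message ../../../bash/lib/readline/display.c:2643
""",
    "crash.11263": """\
==11263==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7f0bf9186d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5599adcd4bf6 in xmalloc ../bash/xmalloc.c:112
    #2 0x5599adbf0253 in make_bare_simple_command ../bash/make_cmd.c:504
    #3 0x5599adbf0497 in make_simple_command ../bash/make_cmd.c:531
""",
}

ERROR_RE = re.compile(r"ERROR: (\w+Sanitizer): ([\w-]+)")
# "#N 0xADDR in FUNC LOCATION" or the nameless "#N 0xADDR  (module+offset)" form
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+\s+(?:in (\S+) (\S+)|\((\S+)\))", re.M)


def parse_report(text):
    """Return (bug_kind, [(func or None, location), ...]) for the FIRST stack only."""
    m = ERROR_RE.search(text)
    kind = m.group(2) if m else "unknown"
    if m and m.group(1) == "LeakSanitizer":
        kind = "memory-leak"
    frames = []
    for idx, func, loc, module in FRAME_RE.findall(text):
        if idx == "0" and frames:
            break  # a second stack (e.g. the allocation site) starts here
        frames.append((func or None, loc or module))
    return kind, frames


def signature(text, depth=3):
    """Bug kind plus the top `depth` in-program frames; libasan frames are ignored."""
    kind, frames = parse_report(text)
    own = [f for f, loc in frames if f and "libasan" not in loc]
    return (kind, tuple(own[:depth]))


def bucket(reports, depth=3):
    """Group crash files by signature: one bucket per distinct trace."""
    buckets = defaultdict(list)
    for name, text in sorted(reports.items()):
        buckets[signature(text, depth)].append(name)
    return dict(buckets)
```

Run `bucket(SAMPLE_REPORTS, 3)` and `bucket(SAMPLE_REPORTS, 5)` to see the two overflow reports merge at depth 3 and split at depth 5; pick the depth that matches how finely you want to file duplicates.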
