Re: AddressSanitizer: heap-buffer-overflow in rl_tilde_expand


From: Eduardo A . Bustamante López
Subject: Re: AddressSanitizer: heap-buffer-overflow in rl_tilde_expand
Date: Fri, 16 Jun 2017 09:43:07 -0500
User-agent: NeoMutt/20170113 (1.7.2)

On Thu, Jun 15, 2017 at 09:39:09AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
> Sanitizer is followed by the base64 encoded crashing input.
> 
> 
> ==472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000977f at pc 0x562befba4a14 bp 0x7ffdee172bb0 sp 0x7ffdee172ba8
> READ of size 1 at 0x61100000977f thread T0
>     #0 0x562befba4a13 in rl_tilde_expand (/home/dualbus/src/gnu/bash-build/bash+0x23ba13)

This one looks like an easy fix. When `start = 0', the loop ends up
dereferencing `rl_line_buffer[-1]'. Changing the order of the test does the 
trick.


dualbus@debian:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- lib/readline/util.c
*** /tmp/zFXFei_util.c  2017-06-16 09:34:03.958088209 -0500
--- lib/readline/util.c 2017-06-16 09:33:09.384638705 -0500
***************
*** 193,199 ****
      }
    else if (start >= 0 && rl_line_buffer[start] != '~')
      {
!       for (; !whitespace (rl_line_buffer[start]) && start >= 0; start--)
          ;
        start++;
      }
--- 193,199 ----
      }
    else if (start >= 0 && rl_line_buffer[start] != '~')
      {
!       for (; start >= 0 && !whitespace (rl_line_buffer[start]); start--)
          ;
        start++;
      }
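
Review bot: The corrected test on the `for` line of the 193,199 hunk depends on `&&` short-circuiting so that `rl_line_buffer[start]` is never evaluated once `start` reaches -1, and nothing in the hunk records that; a one-line comment above the loop saying the bound check must come first would keep a later cleanup from swapping the operands back. The loop still exits with `start == -1` and the following `start++` brings it to 0, so the result is unchanged for a line with no whitespace at or before `start`; that input would make a good regression case to ship with the fix.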

-- 
Eduardo Bustamante
https://dualbus.me/
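
The operand-order problem described in the message, as an added example that is not part of the original post or of readline's code. The two scan functions, the `probe` accessor, the `whitespace` helper and the sample strings are constructed for illustration; `probe` records the lowest index requested instead of actually reading out of bounds.

```c
#include <stdio.h>

/* Constructed stand-in for readline's whitespace test (assumption). */
static int whitespace(char c) { return c == ' ' || c == '\t'; }

static int lowest_index;   /* lowest index the last scan asked to read */

/* Checked accessor: records the requested index, never reads before buf[0]. */
static char probe(const char *buf, int i)
{
  if (i < lowest_index)
    lowest_index = i;
  return (i < 0) ? 'x' : buf[i];   /* 'x' models a stray non-blank byte */
}

/* "Before" order: the buffer is indexed first, the bound is tested second. */
static int scan_index_first(const char *buf, int start)
{
  lowest_index = start;
  for (; !whitespace(probe(buf, start)) && start >= 0; start--)
    ;
  return start + 1;
}

/* "After" order: && short-circuits, so index -1 is never requested. */
static int scan_bound_first(const char *buf, int start)
{
  lowest_index = start;
  for (; start >= 0 && !whitespace(probe(buf, start)); start--)
    ;
  return start + 1;
}

int main(void)
{
  const char *no_blank = "foo";       /* constructed: no whitespace in the line */
  const char *with_blank = "ls foo";  /* constructed: whitespace at index 2 */
  int r;

  r = scan_index_first(no_blank, 2);
  printf("index first, \"foo\":    start=%d lowest=%d\n", r, lowest_index);
  r = scan_bound_first(no_blank, 2);
  printf("bound first, \"foo\":    start=%d lowest=%d\n", r, lowest_index);
  r = scan_bound_first(with_blank, 5);
  printf("bound first, \"ls foo\": start=%d lowest=%d\n", r, lowest_index);
  return 0;
}
```

Both orders return the same word start, which is why the defect only shows up under a memory checker such as AddressSanitizer: the difference is the extra read at index -1, not the computed result.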


