bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text


From: Eduardo A . Bustamante López
Subject: Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text
Date: Fri, 16 Jun 2017 10:10:28 -0500
User-agent: NeoMutt/20170113 (1.7.2)

On Thu, Jun 15, 2017 at 09:42:41AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
> Sanitizer is followed by the base64 encoded crashing input.
> 
> 
> ==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708
> READ of size 8 at 0x60700000ccc0 thread T0
>     #0 0x559bb60f1be6 in _rl_copy_to_kill_ring 
> (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)

Easy fix. When `rl_kill_ring_length == rl_max_kills (10)', all of the entries
in the kill ring are shifted. The loop has an off-by-one error though.

I also think that using `rl_max_kills' in the loop instead of `slot' makes the
code easier to read.

address@hidden:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- 
lib/readline/kill.c 
*** /tmp/uLCFvH_kill.c  2017-06-16 10:04:43.472930262 -0500
--- lib/readline/kill.c 2017-06-16 10:04:20.048344312 -0500
***************
*** 113,119 ****
            {
              register int i;
              xfree (rl_kill_ring[0]);
!             for (i = 0; i < slot; i++)
                rl_kill_ring[i] = rl_kill_ring[i + 1];
            }
          else
--- 113,119 ----
            {
              register int i;
              xfree (rl_kill_ring[0]);
!             for (i = 0; i < rl_max_kills - 1; i++)
                rl_kill_ring[i] = rl_kill_ring[i + 1];
            }
          else

-- 
Eduardo Bustamante
https://dualbus.me/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]