bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text


From: Chet Ramey
Subject: Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text
Date: Fri, 16 Jun 2017 14:11:02 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.0

On 6/16/17 11:10 AM, Eduardo A. Bustamante López wrote:
> On Thu, Jun 15, 2017 at 09:42:41AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address 
>> 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708
>> READ of size 8 at 0x60700000ccc0 thread T0
>>     #0 0x559bb60f1be6 in _rl_copy_to_kill_ring 
>> (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
> 
> Easy fix. When `rl_kill_ring_length == rl_max_kills (10)', all of the entries
> in the kill ring are shifted. The loop has an off-by-one error though.

This is one possible fix. There is also the asymmetry in the xrealloc
below.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]