bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issues with `rl_vi_change_char' function in combination with `_rl_vi_red

From: Eduardo A . Bustamante López
Subject: Issues with `rl_vi_change_char' function in combination with `_rl_vi_redoing = 1'
Date: Sat, 17 Jun 2017 04:27:28 -0500
User-agent: NeoMutt/20170113 (1.7.2) 
# When bash is compiled with multibyte support, the following happens:

- set -o vi
- Type: <a><ESC><r><ñ><.>
- Bash writes \261 to `mb[0]' and '\0' to `mb[1]' (ñ is U+00F1, or in
  UTF-8, \303\261)
- `mb' is of type signed char, and not really suitable to store a wide
  character.

  dualbus@debian:~$ set -o vi
  dualbus@debian:~$ �
  bash: $'\261': command not found


# When bash is compiled w/o multibyte support, the following happens:

  1948 int
  1949 rl_vi_change_char (int count, int key)
  1950 {
  1951   int c;
  1952   char mb[MB_LEN_MAX]; /* MB_LEN_MAX == 1 */
  1953 
  1954   if (_rl_vi_redoing)
  1955     {
  1956       c = _rl_vi_last_replacement;
  1957       mb[0] = c;
  1958       mb[1] = '\0'; /* out of bounds write */
  1959     }

Reproduce with:

- set -o vi
- Type: <a><ESC><r><b><.>
- Bash writes '\0' to `mb[1]', which is out of bounds.

  dualbus@debian:~/src/gnu/bash-build$ ./bash
  bash-4.4$ set -o vi
  bash-4.4$ =================================================================
  ==7881==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe8416f471 at pc 0x55e4ba75d81a bp 0x7ffe8416f420 sp 0x7ffe8416f418
  WRITE of size 1 at 0x7ffe8416f471 thread T0
      #0 0x55e4ba75d819 in rl_vi_change_char 
../../../bash/lib/readline/vi_mode.c:1959
      #1 0x55e4ba74fe3d in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:851
      #2 0x55e4ba74fa18 in _rl_dispatch 
../../../bash/lib/readline/readline.c:797
      #3 0x55e4ba752a41 in rl_vi_redo ../../../bash/lib/readline/vi_mode.c:285
      #4 0x55e4ba74fe3d in _rl_dispatch_subseq 
../../../bash/lib/readline/readline.c:851
      #5 0x55e4ba74fa18 in _rl_dispatch 
../../../bash/lib/readline/readline.c:797
      #6 0x55e4ba74f257 in readline_internal_char 
../../../bash/lib/readline/readline.c:629
      #7 0x55e4ba74f2e9 in readline_internal_charloop 
../../../bash/lib/readline/readline.c:656
      #8 0x55e4ba74f30d in readline_internal 
../../../bash/lib/readline/readline.c:670
      #9 0x55e4ba74e9c3 in readline ../../../bash/lib/readline/readline.c:374
      #10 0x55e4ba5ffd01 in yy_readline_get ../bash/parse.y:1464
      #11 0x55e4ba5ffed9 in yy_readline_get ../bash/parse.y:1495
      #12 0x55e4ba5ffb64 in yy_getc ../bash/parse.y:1397
      #13 0x55e4ba601ea4 in shell_getc ../bash/parse.y:2297
      #14 0x55e4ba6048d0 in read_token ../bash/parse.y:3146
      #15 0x55e4ba6032ad in yylex ../bash/parse.y:2683
      #16 0x55e4ba5f7f31 in yyparse 
/home/dualbus/src/gnu/bash-build/y.tab.c:1821
      #17 0x55e4ba5f7102 in parse_command ../bash/eval.c:294
      #18 0x55e4ba5f7357 in read_command ../bash/eval.c:338
      #19 0x55e4ba5f6593 in reader_loop ../bash/eval.c:140
      #20 0x55e4ba5f1d3d in main ../bash/shell.c:794
      #21 0x7ff2e9a7d2b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
      #22 0x55e4ba5f0939 in _start 
(/home/dualbus/src/gnu/bash-build/bash+0x7b939)
  
  Address 0x7ffe8416f471 is located in stack of thread T0 at offset 33 in frame
      #0 0x55e4ba75d72f in rl_vi_change_char 
../../../bash/lib/readline/vi_mode.c:1950
  
    This frame has 1 object(s):
      [32, 33) 'mb' <== Memory access at offset 33 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
../../../bash/lib/readline/vi_mode.c:1959 in rl_vi_change_char
  Shadow bytes around the buggy address:
    0x100050825e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100050825e80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1[01]f4
    0x100050825e90: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
    0x100050825ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100050825ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Heap right redzone:      fb
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack partial redzone:   f4
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
  ==7881==ABORTING


Issue found with cppcheck:

  [../bash/lib/readline/vi_mode.c:1958]: (error) Array 'mb[1]' accessed at 
index 1, which is out of bounds.

-- 
Eduardo Bustamante
https://dualbus.me/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]