AddressSanitizer: heap-use-after-free in readtok | PS1='$((b[x++}]))'
From: Eduardo A. Bustamante López
Subject: AddressSanitizer: heap-use-after-free in readtok | PS1='$((b[x++}]))'
Date: Tue, 20 Jun 2017 09:58:42 -0500
User-agent: NeoMutt/20170113 (1.7.2)
I don't know how to fix this.
dualbus@debian:~/readline$ ASAN_OPTIONS=disable_coredump=0:unmap_shadow_on_exit=1:abort_on_error=1:detect_leaks=0 ~/src/gnu/bash-builds/devel-asan/bash
bash-4.4$ PS1='$((b[x++}]))'
bash: x++}: syntax error: invalid arithmetic operator (error token is "}")
=================================================================
==11490==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001f77 at pc 0x55c081f6ad7e bp 0x7ffd7429f4a0 sp 0x7ffd7429f498
READ of size 1 at 0x602000001f77 thread T0
#0 0x55c081f6ad7d in readtok ../../bash/expr.c:1274
#1 0x55c081f6a32a in exp0 ../../bash/expr.c:1042
#2 0x55c081f6a08e in exp1 ../../bash/expr.c:982
#3 0x55c081f69f7d in exppower ../../bash/expr.c:937
#4 0x55c081f69c62 in exp2 ../../bash/expr.c:862
#5 0x55c081f69b76 in exp3 ../../bash/expr.c:836
#6 0x55c081f69b07 in expshift ../../bash/expr.c:812
#7 0x55c081f69a5a in exp4 ../../bash/expr.c:782
#8 0x55c081f699e3 in exp5 ../../bash/expr.c:760
#9 0x55c081f699a1 in expband ../../bash/expr.c:742
#10 0x55c081f69963 in expbxor ../../bash/expr.c:723
#11 0x55c081f69925 in expbor ../../bash/expr.c:704
#12 0x55c081f69896 in expland ../../bash/expr.c:677
#13 0x55c081f69803 in explor ../../bash/expr.c:649
#14 0x55c081f696c6 in expcond ../../bash/expr.c:602
#15 0x55c081f692f5 in expassign ../../bash/expr.c:487
#16 0x55c081f69240 in expcomma ../../bash/expr.c:467
#17 0x55c081f691cf in subexpr ../../bash/expr.c:449
#18 0x55c081f68f2a in evalexp ../../bash/expr.c:414
#19 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
#20 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
#21 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
#22 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
#23 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
#24 0x55c081f11c6a in yylex ../../bash/parse.y:2677
#25 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
#26 0x55c081f05a72 in parse_command ../../bash/eval.c:294
#27 0x55c081f05cc7 in read_command ../../bash/eval.c:338
#28 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
#29 0x55c081f006ad in main ../../bash/shell.c:794
#30 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#31 0x55c081eff2a9 in _start (/home/dualbus/src/gnu/bash-builds/devel-asan/bash+0x842a9)
0x602000001f77 is located 7 bytes inside of 8-byte region [0x602000001f70,0x602000001f78)
freed by thread T0 here:
#0 0x7f9bcd22ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x55c081f689a9 in expr_unwind ../../bash/expr.c:311
#2 0x55c081f68e9d in evalexp ../../bash/expr.c:404
#3 0x55c081fde64e in array_expand_index ../../bash/arrayfunc.c:947
#4 0x55c081fdf169 in array_value_internal ../../bash/arrayfunc.c:1128
#5 0x55c081fdf917 in get_array_value ../../bash/arrayfunc.c:1198
#6 0x55c081f6aa51 in expr_streval ../../bash/expr.c:1179
#7 0x55c081f6b311 in readtok ../../bash/expr.c:1343
#8 0x55c081f691ca in subexpr ../../bash/expr.c:447
#9 0x55c081f68f2a in evalexp ../../bash/expr.c:414
#10 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
#11 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
#12 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
#13 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
#14 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
#15 0x55c081f11c6a in yylex ../../bash/parse.y:2677
#16 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
#17 0x55c081f05a72 in parse_command ../../bash/eval.c:294
#18 0x55c081f05cc7 in read_command ../../bash/eval.c:338
#19 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
#20 0x55c081f006ad in main ../../bash/shell.c:794
#21 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
previously allocated by thread T0 here:
#0 0x7f9bcd22ed28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55c08200fa54 in xmalloc ../../bash/xmalloc.c:112
#2 0x55c081f6912e in subexpr ../../bash/expr.c:438
#3 0x55c081f68f2a in evalexp ../../bash/expr.c:414
#4 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
#5 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
#6 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
#7 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
#8 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
#9 0x55c081f11c6a in yylex ../../bash/parse.y:2677
#10 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
#11 0x55c081f05a72 in parse_command ../../bash/eval.c:294
#12 0x55c081f05cc7 in read_command ../../bash/eval.c:338
#13 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
#14 0x55c081f006ad in main ../../bash/shell.c:794
#15 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-use-after-free ../../bash/expr.c:1274 in readtok
Shadow bytes around the buggy address:
0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83c0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa fd fa
0x0c047fff83d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff83e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
0x0c047fff83f0: fa fa 00 fa fa fa fd fd fa fa 00 02 fa fa 00 05
0x0c047fff8400: fa fa 02 fa fa fa 01 fa fa fa 00 05 fa fa fd fd
0x0c047fff8410: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
0x0c047fff8420: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa fd fd
0x0c047fff8430: fa fa fd fa fa fa 00 04 fa fa 00 fa fa fa 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11490==ABORTING
Segmentation fault (core dumped)
(gdb) bt
#0 0x000055c081fcd16b in termsig_sighandler (sig=6) at ../../bash/sig.c:533
#1 <signal handler called>
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#3 0x00007f9bcc9d43fa in __GI_abort () at abort.c:89
#4 0x00007f9bcd248329 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#5 0x00007f9bcd23d9ab in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#6 0x00007f9bcd237b57 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#7 0x00007f9bcd2381e8 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#8 0x000055c081f6ad7e in readtok () at ../../bash/expr.c:1274
#9 0x000055c081f6a32b in exp0 () at ../../bash/expr.c:1042
#10 0x000055c081f6a08f in exp1 () at ../../bash/expr.c:982
#11 0x000055c081f69f7e in exppower () at ../../bash/expr.c:937
#12 0x000055c081f69c63 in exp2 () at ../../bash/expr.c:862
#13 0x000055c081f69b77 in exp3 () at ../../bash/expr.c:836
#14 0x000055c081f69b08 in expshift () at ../../bash/expr.c:812
#15 0x000055c081f69a5b in exp4 () at ../../bash/expr.c:782
#16 0x000055c081f699e4 in exp5 () at ../../bash/expr.c:760
#17 0x000055c081f699a2 in expband () at ../../bash/expr.c:742
#18 0x000055c081f69964 in expbxor () at ../../bash/expr.c:723
#19 0x000055c081f69926 in expbor () at ../../bash/expr.c:704
#20 0x000055c081f69897 in expland () at ../../bash/expr.c:677
#21 0x000055c081f69804 in explor () at ../../bash/expr.c:649
#22 0x000055c081f696c7 in expcond () at ../../bash/expr.c:602
#23 0x000055c081f692f6 in expassign () at ../../bash/expr.c:487
#24 0x000055c081f69241 in expcomma () at ../../bash/expr.c:467
#25 0x000055c081f691d0 in subexpr (expr=0x602000001f90 "b[x++}]") at ../../bash/expr.c:449
#26 0x000055c081f68f2b in evalexp (expr=0x602000001f90 "b[x++}]", flags=1, validp=0x7ffd7429fdc0) at ../../bash/expr.c:414
#27 0x000055c081fb0528 in param_expand (string=0x602000001ff0 "$((b[x++}]))", sindex=0x7ffd7429ffc0, quoted=1, expanded_something=0x0, contains_dollar_at=0x7ffd742a0080, quoted_dollar_at_p=0x7ffd742a0000, had_quoted_null_p=0x7ffd742a0040, pflags=0) at ../../bash/subst.c:9159
#28 0x000055c081fb2ea5 in expand_word_internal (word=0x7ffd742a0240, quoted=1, isexp=0, contains_dollar_at=0x0, expanded_something=0x0) at ../../bash/subst.c:9655
#29 0x000055c081f93a18 in expand_prompt_string (string=0x604000008d50 "$((b[x++}]))", quoted=1, wflags=0) at ../../bash/subst.c:3785
#30 0x000055c081f2199e in decode_prompt_string (string=0x60200000205d "") at ../../bash/parse.y:5973
#31 0x000055c081f1f71c in prompt_again () at ../../bash/parse.y:5484
#32 0x000055c081f11c6b in yylex () at ../../bash/parse.y:2677
#33 0x000055c081f068a2 in yyparse () at y.tab.c:1821
#34 0x000055c081f05a73 in parse_command () at ../../bash/eval.c:294
#35 0x000055c081f05cc8 in read_command () at ../../bash/eval.c:338
#36 0x000055c081f04f04 in reader_loop () at ../../bash/eval.c:140
#37 0x000055c081f006ae in main (argc=1, argv=0x7ffd742a29f8, env=0x7ffd742a2a08) at ../../bash/shell.c:794
--
Eduardo Bustamante
https://dualbus.me/
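Added example, not part of the report above and not bash's source. The two ASan stacks pin down the failure shape: the outer evalexp, via subexpr (expr.c:438), owns a heap copy of `b[x++}]`; the first readtok hands the subscript text to a nested evalexp through expr_streval and array_expand_index; that nested evaluation hits the syntax error on `}`, and its error path (evalexp, expr.c:404) calls expr_unwind (expr.c:311), which frees the outer evaluation's copy along with its own. The nested call returns, parsing of the outer expression continues, and the next readtok reads through the freed buffer (expr.c:1274). The C program below models only that unwind discipline on a shared evaluator stack: `unwind_all` discards every frame on error, `unwind_to` discards only the frames the failing evaluation pushed. Its grammar, function names and toy array are constructed for the illustration; the frame-integrity check after the nested call exists so the model stays memory-safe where bash simply keeps reading.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Evaluator state: one global stack of contexts, each owning a heap copy of the
 * text it parses (the layout the trace shows for bash's expr.c). Names, grammar
 * and the toy array b[i] == i are this example's own, not bash's. */
#define MAX_DEPTH 16
struct ctx { char *expression; const char *tp; };
static struct ctx *stack[MAX_DEPTH];
static int depth;
static int caller_frames_clobbered;  /* outer frames destroyed by a nested error */

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (!p) exit(1);
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

static struct ctx *push_ctx(const char *expr)
{
    struct ctx *c = calloc(1, sizeof *c);
    if (!c || depth >= MAX_DEPTH) exit(1);
    c->tp = c->expression = dup_range(expr, strlen(expr));
    stack[depth++] = c;
    return c;
}

static void free_frame(int i) { free(stack[i]->expression); free(stack[i]); stack[i] = NULL; }

/* Buggy: the error path discards every frame, including the caller's. */
static void unwind_all(void) { while (depth > 0) free_frame(--depth); }
/* Fixed: discard only the frames pushed since entry_depth. */
static void unwind_to(int entry_depth) { while (depth > entry_depth) free_frame(--depth); }

/* expr := operand ('+' operand)*;  operand := digits | name | name '[' expr ']'
 * Sets *ok = 0 on a syntax error; `fixed` selects the unwind discipline. */
static long eval_expr(const char *expr, int *ok, int fixed)
{
    int entry_depth = depth;
    struct ctx *c = push_ctx(expr);
    long acc = 0; *ok = 1;
    for (;;) {
        long v = 0;
        if (isdigit((unsigned char)*c->tp)) {
            char *e; v = strtol(c->tp, &e, 10); c->tp = e;
        } else if (isalpha((unsigned char)*c->tp)) {
            char name[32]; size_t n = 0;
            while (isalnum((unsigned char)*c->tp) && n + 1 < sizeof name)
                name[n++] = *c->tp++;
            name[n] = '\0';
            if (*c->tp == '[') {
                /* Nested evaluation of the subscript text, as readtok ->
                 * expr_streval -> array_expand_index -> evalexp does. */
                const char *start = c->tp + 1, *end = strchr(start, ']');
                char *sub; int sub_ok; long idx;
                if (!end) goto syntax_error;
                sub = dup_range(start, (size_t)(end - start));
                idx = eval_expr(sub, &sub_ok, fixed);
                free(sub);
                if (stack[entry_depth] != c) {
                    /* The nested error path freed our frame, so c and c->tp dangle.
                     * Bash has no such check and reads on through tp: the reported UAF. */
                    caller_frames_clobbered++;
                    *ok = 0;
                    return 0;
                }
                if (!sub_ok) { *ok = 0; unwind_to(entry_depth); return 0; }
                v = strcmp(name, "b") == 0 ? idx : 0;   /* toy array lookup */
                c->tp = end + 1;
            }
        } else goto syntax_error;
        acc += v;
        if (*c->tp == '\0') break;
        if (*c->tp != '+') goto syntax_error;
        c->tp++;
    }
    unwind_to(entry_depth);  /* pop only our own frame */
    return acc;
syntax_error:
    *ok = 0;
    if (fixed) unwind_to(entry_depth); else unwind_all();
    return 0;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        int ok;
        caller_frames_clobbered = 0;
        long v = eval_expr("b[x++}]", &ok, fixed);
        printf("%s: value=%ld ok=%d outer frames clobbered=%d depth=%d\n",
               fixed ? "fixed" : "buggy", v, ok, caller_frames_clobbered, depth);
    }
    return 0;
}
```

Built with a plain `cc -std=c99`, the buggy path reports one clobbered outer frame with the shared depth already reset to zero by the nested error, which is the state the ASan trace describes; the fixed path leaves the outer frame intact and returns an ordinary error. The fix in the model is only the choice of how far to unwind; in bash the equivalent question is what expr_unwind may free when the nested evalexp returns to a caller that is still parsing.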