Out-of-bounds read in parse_comsub()

From: Jakub Wilk
Subject: Out-of-bounds read in parse_comsub()
Date: Thu, 26 Oct 2017 23:07:57 +0200
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Og -fsanitize=address -Wno-parentheses 
uname output: Linux debian 4.9.0-4-686-pae #1 SMP Debian 4.9.51-1 (2017-09-28) i686 GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 20171020 snapshot

Apparently an out-of-bounds read can happen in parse_comsub() when checking script syntax. To reproduce, rebuild bash with AddressSanitizer enabled and run:

  $ printf '$(00\177%012d\1%d00\177%090d\177%028d(%0267d\177%010d<<-\276%019d\n\n' | bash
  ==15619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3b03a00 at pc 0xb722991e bp 0xbff6d7b8 sp 0xbff6d390
  READ of size 2 at 0xb3b03a00 thread T0
      #0 0xb722991d  (/usr/lib/i386-linux-gnu/libasan.so.4+0x5491d)
      #1 0x4e92d9 in parse_comsub parse.y:3841
      #2 0x4ee81a in read_token_word parse.y:4969
      #3 0x4f0d2a in read_token parse.y:3350
      #4 0x4f137e in yylex parse.y:2691
      #5 0x4f21af in yyparse y.tab.c:1821
      #6 0x4e05e9 in parse_command eval.c:294
      #7 0x4e080d in read_command eval.c:338
      #8 0x4e12d2 in reader_loop eval.c:140
      #9 0x4e0357 in main shell.c:804
      #10 0xb700d285 in __libc_start_main 
      #11 0x4db500  (.../bash+0x3e500)

  0xb3b03a00 is located 0 bytes to the right of 448-byte region allocated by thread T0 here:
      #0 0xb72b41d4 in __interceptor_realloc 
      #1 0x5c35d0 in xrealloc xmalloc.c:133


Found using American Fuzzy Lop:

Jakub Wilk
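As an added example (not part of Jakub Wilk's report or of bash), a small Python triage helper that pulls the bug class, access size, overrun distance and first symbolised frame out of an AddressSanitizer report such as the one above; the embedded sample is the report's own lines, re-joined where the mail wrapped them, and the field and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: key lines of the ASan report quoted in the mail above, re-joined where wrapped.
SAMPLE_REPORT = """\
==15619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3b03a00 at pc 0xb722991e bp 0xbff6d7b8 sp 0xbff6d390
READ of size 2 at 0xb3b03a00 thread T0
    #0 0xb722991d  (/usr/lib/i386-linux-gnu/libasan.so.4+0x5491d)
    #1 0x4e92d9 in parse_comsub parse.y:3841
    #2 0x4ee81a in read_token_word parse.y:4969
    #3 0x4f0d2a in read_token parse.y:3350
0xb3b03a00 is located 0 bytes to the right of 448-byte region
allocated by thread T0 here:
    #0 0xb72b41d4 in __interceptor_realloc
    #1 0x5c35d0 in xrealloc xmalloc.c:133
"""
HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION = re.compile(r"is located (\d+) bytes to the right of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+:\d+)")  # symbolised frames only

@dataclass
class AsanReport:
    kind: str = ""          # e.g. heap-buffer-overflow
    access: str = ""        # READ or WRITE
    size: int = 0           # bytes accessed
    address: int = 0
    region_size: int = 0    # size of the adjacent heap allocation
    past_end: int = 0       # how far beyond its end the access landed
    frames: list = field(default_factory=list)  # (function, file:line) of the faulting stack

def parse_asan(text: str) -> AsanReport:
    """Extract the triage-relevant facts; the allocation stack after the region line is skipped."""
    rep, in_fault_stack = AsanReport(), False
    for line in text.splitlines():
        if m := HEADER.search(line):
            rep.kind, rep.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            in_fault_stack = True   # frames that follow belong to the bad access
        elif m := REGION.search(line):
            rep.past_end, rep.region_size = int(m.group(1)), int(m.group(2))
            in_fault_stack = False  # what follows is the allocation stack
        elif in_fault_stack and (m := FRAME.match(line)):
            rep.frames.append((m.group(1), m.group(2)))
    return rep

def summary(rep: AsanReport) -> str:
    fn, loc = rep.frames[0] if rep.frames else ("?", "?")  # first frame outside the ASan runtime
    return f"{rep.kind}: {rep.access} of {rep.size} byte(s), {rep.past_end} past the end of a {rep.region_size}-byte region, in {fn} ({loc})"
```

Running `summary(parse_asan(SAMPLE_REPORT))` on the sample names parse_comsub at parse.y:3841 as the first symbolised frame, which is the line a maintainer would start from.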

