bug-bash

Re: double free corruption bash 4.2.53(1)-release


From: evil
Subject: Re: double free corruption bash 4.2.53(1)-release
Date: Thu, 9 Nov 2017 10:56:08 -0700
User-agent: SquirrelMail/1.4.23 [SVN]

Went ahead and compiled libc and bash with debug symbols.  I can't seem to
trigger it when I am actually IN an interactive shell (e.g. having a pts
allocated to myself), but it still triggers with the shell script.

ifrit crash # gdb /bin/bash
GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /bin/bash...Reading symbols from
/usr/lib64/debug//bin/bash-4.2.debug...done.
done.
(gdb) set args crash.sh
(gdb) r
Starting program: /bin/bash crash.sh
4.2.53(1)-release
\u200B
00000000  5c 75 32 30 30 42 0a                              |\u200B.|
00000007
*** Error in `/bin/bash': double free or corruption (out):
0x000002aaaadafad0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73867)[0x3fff73de867]
/lib64/libc.so.6(+0x7988f)[0x3fff73e488f]
/lib64/libc.so.6(+0x7a0fe)[0x3fff73e50fe]
/bin/bash(echo_builtin+0x1c6)[0x2aaaab4e7c6]
/bin/bash(+0x3b44d)[0x2aaaaae544d]
/bin/bash(+0x430cb)[0x2aaaaaed0cb]
/bin/bash(+0x3d85c)[0x2aaaaae785c]
/bin/bash(+0x3f301)[0x2aaaaae9301]
/bin/bash(+0x42200)[0x2aaaaaec200]
/bin/bash(+0x407f9)[0x2aaaaaea7f9]
/bin/bash(+0x3f585)[0x2aaaaae9585]
/bin/bash(execute_command+0xd8)[0x2aaaaaeb618]
/bin/bash(reader_loop+0x1cb)[0x2aaaaac990b]
/bin/bash(main+0x1031)[0x2aaaaac7c31]
/lib64/libc.so.6(__libc_start_main+0x114)[0x3fff738b7e4]
/bin/bash(_start+0x29)[0x2aaaaac8539]
======= Memory map: ========
[Inferior 1 (process 15386) exited normally]
(gdb) quit
ifrit crash # gdb bash core
GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bash...Reading symbols from
/usr/lib64/debug//bin/bash-4.2.debug...done.
done.
[New LWP 15393]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/bin/bash crash.sh'.
Program terminated with signal SIGABRT, Aborted.
#0  0x000003fff739f1bb in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x000003fff739f1bb in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1  0x000003fff73a0831 in __GI_abort () at abort.c:89
#2  0x000003fff73de86c in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x3fff74dfca8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x000003fff73e488f in malloc_printerr (action=3, str=0x3fff74dfd70
"double free or corruption (out)", ptr=<optimized out>,
    ar_ptr=<optimized out>) at malloc.c:5004
#4  0x000003fff73e50fe in _int_free (av=0x3fff770cb80 <main_arena>,
p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x000002aaaab4e7c6 in echo_builtin (list=0x2aaaadad920) at ./echo.def:182
#6  0x000002aaaaae544d in execute_builtin
(builtin=builtin@entry=0x2aaaab4e600 <echo_builtin>, flags=<optimized
out>, flags@entry=64,
    subshell=subshell@entry=1, words=0x2aaaadafb60) at execute_cmd.c:4113
#7  0x000002aaaaaed0cb in execute_subshell_builtin_or_function
(words=words@entry=0x2aaaadafb60, redirects=0x0,
    builtin=builtin@entry=0x2aaaab4e600 <echo_builtin>, var=var@entry=0x0,
pipe_in=pipe_in@entry=-1, pipe_out=pipe_out@entry=-1,
    async=0, fds_to_close=0x2aaaadaf9d0, flags=64) at execute_cmd.c:4460
#8  0x000002aaaaae785c in execute_simple_command
(simple_command=<optimized out>, pipe_in=<optimized out>,
pipe_in@entry=-1,
    pipe_out=<optimized out>, pipe_out@entry=4, async=async@entry=0,
fds_to_close=fds_to_close@entry=0x2aaaadaf9d0) at execute_cmd.c:3940
#9  0x000002aaaaae9301 in execute_command_internal (command=0x2aaaadaee60,
asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1,
    pipe_out=4, fds_to_close=fds_to_close@entry=0x2aaaadaf9d0) at
execute_cmd.c:735
#10 0x000002aaaaaec200 in execute_command_internal
(fds_to_close=0x2aaaadaf9d0, pipe_out=<optimized out>, pipe_in=-1,
asynchronous=0,
    command=<optimized out>) at execute_cmd.c:540
#11 execute_pipeline (command=command@entry=0x2aaaadaf890,
asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1,
    pipe_out=pipe_out@entry=-1,
fds_to_close=fds_to_close@entry=0x2aaaadaf920) at execute_cmd.c:2178
#12 0x000002aaaaaea7f9 in execute_connection (fds_to_close=0x2aaaadaf920,
pipe_out=-1, pipe_in=-1, asynchronous=0, command=0x2aaaadaf890)
    at execute_cmd.c:2342
#13 execute_command_internal (command=0x2aaaadaf890,
asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1,
    pipe_out=pipe_out@entry=-1,
fds_to_close=fds_to_close@entry=0x2aaaadaf920) at execute_cmd.c:891
#14 0x000002aaaaae9585 in execute_command_internal
(fds_to_close=0x2aaaadaf920, pipe_out=-1, pipe_in=-1, asynchronous=0,
    command=<optimized out>) at execute_cmd.c:540
#15 execute_connection (fds_to_close=0x2aaaadaf920, pipe_out=-1,
pipe_in=-1, asynchronous=0, command=0x2aaaadaf8f0) at execute_cmd.c:2330
#16 execute_command_internal (command=command@entry=0x2aaaadaf8f0,
asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1,
    pipe_out=pipe_out@entry=-1,
fds_to_close=fds_to_close@entry=0x2aaaadaf920) at execute_cmd.c:891
#17 0x000002aaaaaeb618 in execute_command_internal
(fds_to_close=0x2aaaadaf920, pipe_out=-1, pipe_in=-1, asynchronous=0,
    command=0x2aaaadaf8f0) at execute_cmd.c:540
#18 execute_command (command=0x2aaaadaf8f0) at execute_cmd.c:382
#19 0x000002aaaaac990b in reader_loop () at eval.c:152
#20 0x000002aaaaac7c31 in main (argc=2, argv=0x3ffffffe708,
env=0x3ffffffe720) at shell.c:749
(gdb)


> Hi all,
>
> I found a bug in bash 4.2.48+ (doesn't seem to affect bash 4.3)
>
> : <<CODE
> #!/bin/bash
> ulimit -c unlimited
> echo $BASH_VERSION
> /usr/bin/printf "\u200b\n";/usr/bin/printf "\u200b\n"|hexdump -C;echo -e "\u200b\n"|hexdump -C
> # ifrit crash # file -s core
> # core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style,
> from '/bin/bash crash.sh'
> CODE
>
> ifrit crash # gdb bash
> GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
> Copyright (C) 2015 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-pc-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <https://bugs.gentoo.org/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from bash...(no debugging symbols found)...done.
> (gdb) set args crash.sh
> (gdb) r
> Starting program: /bin/bash crash.sh
> 4.2.53(1)-release
> \u200B
> 00000000  5c 75 32 30 30 42 0a                              |\u200B.|
> 00000007
> *** Error in `/bin/bash': double free or corruption (out):
> 0x000002aaaadb0d30 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x73927)[0x3fff73de927]
> /lib64/libc.so.6(+0x7994f)[0x3fff73e494f]
> /lib64/libc.so.6(+0x7a1be)[0x3fff73e51be]
> /bin/bash(echo_builtin+0x1c6)[0x2aaaab4e7c6]
> /bin/bash(+0x3b44d)[0x2aaaaae544d]
> /bin/bash(+0x430cb)[0x2aaaaaed0cb]
> /bin/bash(+0x3d85c)[0x2aaaaae785c]
> /bin/bash(+0x3f301)[0x2aaaaae9301]
> /bin/bash(+0x42200)[0x2aaaaaec200]
> /bin/bash(+0x407f9)[0x2aaaaaea7f9]
> /bin/bash(+0x3f585)[0x2aaaaae9585]
> /bin/bash(execute_command+0xd8)[0x2aaaaaeb618]
> /bin/bash(reader_loop+0x1cb)[0x2aaaaac990b]
> /bin/bash(main+0x1031)[0x2aaaaac7c31]
> /lib64/libc.so.6(__libc_start_main+0x114)[0x3fff738b8a4]
> /bin/bash(_start+0x29)[0x2aaaaac8539]
> ======= Memory map: ========
> [Inferior 1 (process 3271) exited normally]
> (gdb)
>
> Let me know if you need any more information or if you need me to compile
> with debugging symbols enabled and do anything for you.
>
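The `*** Error in ... double free or corruption (out)` banner and the `======= Backtrace:` block above are printed by glibc itself before it aborts, and they already name the likely culprit without gdb. As an added example (not code from this thread or from bash), here is a Python triage helper that parses that banner: it pulls out the faulting pointer and message, maps the `(out)` suffix to the `_int_free()` check that fired, and returns the first frame outside libc, which here is `echo_builtin+0x1c6` in `/bin/bash`. The sample input is constructed from the thread's output, and the `CHECKS` text is my paraphrase of the glibc 2.23 `malloc.c` conditions.

```python
# Triage helper for the glibc abort banner in this thread: parse the error line
# and backtrace frames, name the _int_free() check that fired, find the caller.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: this thread's banner, mail-wrapped error line re-joined,
# frame list and memory map cut short.
SAMPLE = """\
*** Error in `/bin/bash': double free or corruption (out): 0x000002aaaadafad0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73867)[0x3fff73de867]
/lib64/libc.so.6(+0x7988f)[0x3fff73e488f]
/lib64/libc.so.6(+0x7a0fe)[0x3fff73e50fe]
/bin/bash(echo_builtin+0x1c6)[0x2aaaab4e7c6]
/bin/bash(+0x3b44d)[0x2aaaaae544d]
/lib64/libc.so.6(__libc_start_main+0x114)[0x3fff738b7e4]
/bin/bash(_start+0x29)[0x2aaaaac8539]
======= Memory map: ========
2aaaaaaa000-2aaaab9e000 r-xp 00000000 08:06 122 /bin/bash
"""

# "double free or corruption (...)" suffixes, paraphrased from the checks in
# glibc 2.23 malloc.c _int_free(), the libc version named in the backtrace.
CHECKS = {
    "fasttop": "chunk is already the head of its fastbin (immediate double free)",
    "top": "pointer handed to free() is the arena's top chunk",
    "out": "chunk's successor lies past the arena top: bogus size or stale pointer",
    "!prev": "successor's PREV_INUSE bit is clear: chunk is already free",
}
ERROR_RE = re.compile(r"^\*\*\* Error in `(?P<prog>[^']*)': (?P<msg>.+?): 0x(?P<ptr>[0-9a-f]+) \*\*\*$")
FRAME_RE = re.compile(r"^(?P<module>[^(\s]+)\((?P<symbol>[^+)]*)(?:\+0x(?P<offset>[0-9a-f]+))?\)"
                      r"\[0x[0-9a-f]+\]$")

@dataclass
class Frame:
    module: str
    symbol: str  # "" when glibc printed only an offset, as it does for static functions
    offset: int

@dataclass
class Report:
    program: str
    message: str
    pointer: int
    frames: List[Frame]

    def check(self) -> str:
        m = re.search(r"double free or corruption \(([^)]+)\)", self.message)
        return CHECKS.get(m.group(1), "unknown check") if m else "not a double-free check"

    def first_frame_outside(self, libprefix: str = "libc") -> Optional[Frame]:
        """First frame whose module is not libc: the code that passed the bad pointer."""
        return next((f for f in self.frames
                     if not f.module.rsplit("/", 1)[-1].startswith(libprefix)), None)

def parse_abort_banner(text: str) -> Report:
    program, message, pointer, frames, in_bt = "", "", 0, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if err := ERROR_RE.match(line):
            program, message, pointer = err["prog"], err["msg"], int(err["ptr"], 16)
        elif line.startswith("======= Backtrace:"):
            in_bt = True
        elif line.startswith("======= Memory map:"):
            break  # the mapping dump that follows is not needed for triage
        elif in_bt and (fr := FRAME_RE.match(line)):
            frames.append(Frame(fr["module"], fr["symbol"], int(fr["offset"] or "0", 16)))
    return Report(program, message, pointer, frames)

if __name__ == "__main__":
    rep = parse_abort_banner(SAMPLE)
    culprit = rep.first_frame_outside()
    print(f"{rep.program}: {rep.message} at 0x{rep.pointer:x}; check: {rep.check()}")
    print(f"first non-libc frame: {culprit.module} {culprit.symbol}+0x{culprit.offset:x}")
```

Mail clients wrap the error line, as happened in this thread, so re-join it before feeding a pasted banner to the parser.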




