[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Heap buffer overread in extract_delimited_string

From: jeremy
Subject: Heap buffer overread in extract_delimited_string
Date: Tue, 20 Feb 2018 20:39:24 +0100
User-agent: Mutt/1.9.3 (2018-01-21)

Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: afl-gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' 
-DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -fsanitize=address 
-Wno-parentheses -Wno-format-security
uname output: Linux jefeus-vm 4.9.0-4-686-pae #1 SMP Debian 4.9.65-3+deb9u1 
(2017-12-23) i686 GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

        When calling bash -e <file> (where <file> is the attached file) a heap
buffer overread occurs in extract_delimited_string at subst.c:1335. Below is a
detailed backtrace of this bug:

==7523==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53018f5 at 
pc 0x00611484 bp 0xbfdb7018 sp 0xbfdb700c
READ of size 1 at 0xb53018f5 thread T0
    #0 0x611483 in extract_delimited_string /home/jefeus/bash/subst.c:1335
    #1 0x64174a in extract_arithmetic_subst /home/jefeus/bash/subst.c:1255
    #2 0x64174a in param_expand /home/jefeus/bash/subst.c:8867
    #3 0x649260 in expand_word_internal /home/jefeus/bash/subst.c:9315
    #4 0x66122c in call_expand_word_internal /home/jefeus/bash/subst.c:3614
    #5 0x66122c in expand_string_internal /home/jefeus/bash/subst.c:3649
    #6 0x66122c in expand_string_leave_quoted /home/jefeus/bash/subst.c:3777
    #7 0x66122c in expand_string /home/jefeus/bash/subst.c:3825
    #8 0x738c51 in write_here_document /home/jefeus/bash/redir.c:394
    #9 0x738c51 in here_document_to_fd /home/jefeus/bash/redir.c:478
    #10 0x738c51 in do_redirection_internal /home/jefeus/bash/redir.c:972
    #11 0x73f5c0 in do_redirections /home/jefeus/bash/redir.c:234
    #12 0x498823 in execute_null_command /home/jefeus/bash/execute_cmd.c:3899
    #13 0x498823 in execute_simple_command /home/jefeus/bash/execute_cmd.c:4173
    #14 0x54c7ed in execute_command_internal /home/jefeus/bash/execute_cmd.c:807
    #15 0x54c7ed in execute_command /home/jefeus/bash/execute_cmd.c:405
    #16 0x4b5ba4 in reader_loop /home/jefeus/bash/eval.c:180
    #17 0x4ab44c in main /home/jefeus/bash/shell.c:792
    #18 0xb6f31455 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18455)
    #19 0x4b1cef  (/home/jefeus/bash/bash+0x62cef)

0xb53018f5 is located 0 bytes to the right of 5-byte region 
allocated by thread T0 here:
    #0 0xb71dee74 in malloc (/usr/lib/i386-linux-gnu/libasan.so.4+0xdee74)
    #1 0x756aea in xmalloc /home/jefeus/bash/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jefeus/bash/subst.c:1335 
in extract_delimited_string
Shadow bytes around the buggy address:
  0x36a602c0: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x36a602d0: fa fa 03 fa fa fa 04 fa fa fa 04 fa fa fa 00 00
  0x36a602e0: fa fa 00 06 fa fa 02 fa fa fa fa fa fa fa fa fa
  0x36a602f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a60310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[05]fa
  0x36a60320: fa fa 00 05 fa fa fd fa fa fa 00 fa fa fa fd fa
  0x36a60330: fa fa 00 fa fa fa 06 fa fa fa 02 fa fa fa 00 00
  0x36a60340: fa fa fd fa fa fa 00 fa fa fa 05 fa fa fa fd fa
  0x36a60350: fa fa 00 03 fa fa 00 fa fa fa 05 fa fa fa 02 fa
  0x36a60360: fa fa fd fa fa fa 00 03 fa fa 00 03 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

        In order to get bash to run with the compiler flags mentioned
above, one must add the --without-bash-malloc or else bash segfaults on startup.
It might be worth the effort to include the configure options in the bashbug
configure information, as it may contain vital information as is the case here.

Attachment: min
Description: Text document

reply via email to

[Prev in Thread] Current Thread [Next in Thread]