
expand_prompt_string segmentation faults


From: Eduardo A . Bustamante López
Subject: expand_prompt_string segmentation faults
Date: Fri, 14 Sep 2018 00:26:55 -0700
User-agent: Mutt/1.10.1 (2018-07-13)

Found the following two cases by fuzzing with AFL:

# Case #1: array_expand_index
# The @P transform runs prompt-string expansion on the value of x; the
# subscript "--b[?]" inside it is what makes bash dereference a NULL name
# (see the backtrace below). The quoted delimiter keeps the payload literal.
bash -s <<'EOF'
x='${p[--b[?]]'
echo ${x@P}
EOF

# Case #1 backtrace (fed to ':' in a quoted heredoc so this file still runs as a script)
#
# Read bottom-up: ${x@P} (frame #32, parameter_brace_transform) hands the value
# of x to the prompt-string decoder (frames #30-#29), which expands
# "${p[--b[?]]" as a parameter reference (frames #27-#24) and evaluates the
# subscript "--b[?]" as an arithmetic expression (frames #23-#21). The
# decrement then tries to bind its result "-1" to a variable whose name is
# NULL (frame #3, lhs=0x0); valid_array_reference forwards that NULL to mbschr
# (frame #1, c=91 is '[') and strchr faults on it (frame #0).
# As far as the trace shows, an invalid array subscript leaves
# expr_bind_variable (frame #4) with no name to bind and nothing rejects the
# NULL before the lookup. The observable effect is a NULL-pointer read, i.e.
# a crash of the shell process that evaluated the string.
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0  0x000000000080e0d3 in __strchr_sse2 ()
#1  0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2  0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at 
arrayfunc.c:899
#3  0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5228 "-1", 
flags=0) at variables.c:3371
#4  0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at 
expr.c:333
#5  exp0 () at expr.c:1015
#6  exp1 () at expr.c:983
#7  0x00000000004c54ae in exppower () at expr.c:938
#8  0x00000000004c4cf8 in exp2 () at expr.c:863
#9  0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbc9a48 "--b[?]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbc9a48 "--b[?]", flags=<optimized 
out>, validp=0x7fffffffce14) at expr.c:415
#23 0x0000000000589d81 in array_expand_index (var=<optimized out>, s=<optimized 
out>, len=<optimized out>, flags=<optimized out>) at arrayfunc.c:952
#24 0x000000000058b7f5 in array_value_internal (s=0xbc9a08 "p[--b[?]]", 
quoted=<optimized out>, flags=1, rtype=0x7fffffffce9c, indp=<optimized out>) at 
arrayfunc.c:1133
#25 0x000000000053eed1 in parameter_brace_expand_word (name=0xbc9a08 
"p[--b[?]]", var_is_special=0, quoted=1, pflags=<optimized out>, 
indp=0x7fffffffcf40) at subst.c:6584
#26 0x0000000000536c7b in parameter_brace_expand (string=<optimized out>, 
quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized 
out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8702
#27 param_expand (string=0xbc5fe8 "${p[--b[?]]", sindex=<optimized out>, 
quoted=<optimized out>, expanded_something=<optimized out>, 
contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, 
had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9316
#28 0x0000000000510893 in expand_word_internal (word=0x7fffffffd0b0, 
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized 
out>, expanded_something=<optimized out>) at subst.c:9887
#29 0x000000000050f595 in expand_prompt_string (string=0xbc7ec8 "${p[--b[?]]", 
quoted=1, wflags=<optimized out>) at subst.c:3804
#30 0x0000000000420e71 in decode_prompt_string (string=<optimized out>) at 
./parse.y:6065
#31 0x000000000055059c in string_transform (xc=<optimized out>, v=0xbc7dc8, 
s=0xbc5fc8 "${p[--b[?]]") at subst.c:7468
#32 0x000000000054a2b5 in parameter_brace_transform (varname=<optimized out>, 
value=<optimized out>, ind=<optimized out>, xform=<optimized out>, rtype=0, 
quoted=<optimized out>, pflags=0, flags=<optimized out>) at subst.c:7616
#33 0x000000000053bb17 in parameter_brace_expand (string=<optimized out>, 
quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized 
out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8884
#34 param_expand (string=0xbc7e68 "${REPLY@P}", sindex=<optimized out>, 
quoted=<optimized out>, expanded_something=<optimized out>, 
contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, 
had_quoted_null_p=<optimized out>, pflags=<optimized out>) at subst.c:9316
#35 0x0000000000510893 in expand_word_internal (word=0xbc7828, 
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized 
out>, expanded_something=<optimized out>) at subst.c:9887
#36 0x0000000000529560 in shell_expand_word_list (tlist=<optimized out>, 
eflags=0) at subst.c:11233
#37 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at 
subst.c:11357
#38 0x000000000046f341 in execute_simple_command (simple_command=<optimized 
out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized 
out>) at execute_cmd.c:4278
#39 execute_command_internal (command=<optimized out>, asynchronous=<optimized 
out>, pipe_in=<optimized out>, pipe_out=<optimized out>, 
fds_to_close=<optimized out>) at execute_cmd.c:840
#40 0x000000000046b5cb in execute_connection (command=<optimized out>, 
asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized 
out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#41 execute_command_internal (command=0xbc5e48, asynchronous=<optimized out>, 
pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized 
out>) at execute_cmd.c:1013
#42 0x0000000000605bcc in parse_and_execute (string=<optimized out>, 
from_file=<optimized out>, flags=4) at evalstring.c:436
#43 0x0000000000409a8c in run_one_command (command=<optimized out>) at 
shell.c:1416
#44 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>, 
env=<optimized out>) at shell.c:735
EOF

# Case #2: $[...] arithmetic inside a prompt string
# Same NULL-name bind as case #1, reached through the old-style $[expr]
# arithmetic form instead of an array subscript; the backtrace below was
# captured via readline completion rather than this one-liner.
bash -s <<'EOF'
x='$[++K[+]]/'
echo ${x@P}
EOF

# Case #2 backtrace (fed to ':' in a quoted heredoc so this file still runs as a script)
#
# Frames #0-#5 are identical to case #1 (same addresses, same NULL lhs in
# bind_int_variable), here binding rhs="1" produced by the ++ in "++K[+]"
# (frame #21). The entry path differs: "$[++K[+]]/" is evaluated through the
# old-style $[...] arithmetic form directly in param_expand (frame #23,
# subst.c:9391), and expand_prompt_string (frame #25) is reached from readline
# filename completion (frames #26-#30, bash_directory_completion_hook) inside
# the read builtin's line editor (frames #37-#38), i.e. a TAB press (key=9,
# frame #31) on that text.
# NOTE(review): the one-line reproducer above exercises ${x@P}, not
# completion; both routes end in expand_prompt_string, which is presumably why
# the same crash reproduces, but this trace itself came from the completion
# path.
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0  0x000000000080e0d3 in __strchr_sse2 ()
#1  0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2  0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at 
arrayfunc.c:899
#3  0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5248 "1", 
flags=0) at variables.c:3371
#4  0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at 
expr.c:333
#5  exp0 () at expr.c:1015
#6  exp1 () at expr.c:983
#7  0x00000000004c54ae in exppower () at expr.c:938
#8  0x00000000004c4cf8 in exp2 () at expr.c:863
#9  0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbcc9a8 "++K[+]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbcc9a8 "++K[+]", flags=<optimized 
out>, validp=0x7fffffffdee0) at expr.c:415
#23 0x0000000000531828 in param_expand (string=0xbcc968 "$[++K[+]]/", 
sindex=<optimized out>, quoted=<optimized out>, expanded_something=<optimized 
out>, contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, 
had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9391
#24 0x0000000000510893 in expand_word_internal (word=0x7fffffffe050, 
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized 
out>, expanded_something=<optimized out>) at subst.c:9887
#25 0x000000000050f595 in expand_prompt_string (string=0xbcc948 "$[++K[+]]/", 
quoted=0, wflags=<optimized out>) at subst.c:3804
#26 0x00000000005b82a8 in bash_directory_completion_hook (dirname=0xb182f8 
<rl_filename_completion_function.dirname>) at bashline.c:3284
#27 0x00000000007057c7 in rl_filename_completion_function (text=<optimized 
out>, state=<optimized out>) at complete.c:2508
#28 0x000000000070bacd in rl_completion_matches (text=0xbcc8c8 "$[++K[+]]/", 
entry_function=0x7051c0 <rl_filename_completion_function>) at complete.c:2185
#29 0x000000000070819f in gen_completion_matches (text=0xbcc8c8 "$[++K[+]]/", 
start=<optimized out>, end=<optimized out>, our_func=0x7051c0 
<rl_filename_completion_function>, found_quote=<optimized out>, 
quote_char=<optimized out>) at complete.c:1228
#30 0x00000000006fd828 in rl_complete_internal (what_to_do=9) at complete.c:2013
#31 0x00000000006de509 in _rl_dispatch_subseq (key=9, map=0xb104d0 
<vi_insertion_keymap>, got_subseq=0) at readline.c:852
#32 0x00000000006dc6ce in _rl_dispatch (key=0, map=0x5b) at readline.c:798
#33 readline_internal_char () at readline.c:632
#34 0x00000000006da72d in readline_internal_charloop () at readline.c:659
#35 readline_internal () at readline.c:671
#36 readline (prompt=0x8e11cf "") at readline.c:377
#37 0x0000000000629741 in edit_line (p=<optimized out>, itext=<optimized out>) 
at ./read.def:1104
#38 read_builtin (list=<optimized out>) at ./read.def:563
#39 0x0000000000483417 in execute_builtin (builtin=0x6268c0 <read_builtin>, 
words=<optimized out>, flags=<optimized out>, subshell=0) at execute_cmd.c:4677
#40 0x00000000004725d4 in execute_builtin_or_function (redirects=<optimized 
out>, fds_to_close=<optimized out>, flags=<optimized out>, words=<optimized 
out>, builtin=<optimized out>, var=<optimized out>) at execute_cmd.c:5185
#41 execute_simple_command (simple_command=<optimized out>, pipe_in=<optimized 
out>, pipe_out=<optimized out>, async=<optimized out>, fds_to_close=<optimized 
out>) at execute_cmd.c:4449
#42 execute_command_internal (command=<optimized out>, asynchronous=<optimized 
out>, pipe_in=<optimized out>, pipe_out=<optimized out>, 
fds_to_close=<optimized out>) at execute_cmd.c:840
#43 0x000000000046b5cb in execute_connection (command=<optimized out>, 
asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized 
out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#44 execute_command_internal (command=0xbc5d88, asynchronous=<optimized out>, 
pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized 
out>) at execute_cmd.c:1013
#45 0x0000000000605bcc in parse_and_execute (string=<optimized out>, 
from_file=<optimized out>, flags=4) at evalstring.c:436
#46 0x0000000000409a8c in run_one_command (command=<optimized out>) at 
shell.c:1416
#47 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>, 
env=<optimized out>) at shell.c:735
EOF


