bug-bash

Segmentation fault in lib/readline/undo.c - rl_do_undo


From: Eduardo A . Bustamante López
Subject: Segmentation fault in lib/readline/undo.c - rl_do_undo
Date: Mon, 7 Jan 2019 01:16:05 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

I found this with AFL. I think it's related to the problem reported here:
http://lists.nongnu.org/archive/html/bug-bash/2018-09/msg00045.html

debian@debian-fuzz:/mnt$ cat -A rl_do_undo

debian@debian-fuzz:/mnt$ base64 < rl_do_undo
debian@debian-fuzz:/mnt$ LC_ALL=zh_CN.gbk  ~/build/bash --noprofile --norc -c 'PATH= read -e < rl_do_undo' >/dev/null 2>&1; echo $?
Segmentation fault
139


And the backtrace:

(gdb) bt
#0  0x0000555555656672 in rl_do_undo () at 
../../../bash-5.0-rc1/lib/readline/undo.c:255
#1  0x0000555555656807 in rl_revert_line (count=1, key=0) at 
../../../bash-5.0-rc1/lib/readline/undo.c:339
#2  0x000055555563956b in readline_internal_teardown (eof=0) at 
../../../bash-5.0-rc1/lib/readline/readline.c:471
#3  0x000055555563995c in readline_internal () at 
../../../bash-5.0-rc1/lib/readline/readline.c:672
#4  0x0000555555639367 in readline (prompt=0x555555680f84 "") at 
../../../bash-5.0-rc1/lib/readline/readline.c:377
#5  0x0000555555611bcf in edit_line (p=0x555555680f84 "", itext=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107
#6  0x00005555556108f8 in read_builtin (list=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566
#7  0x00005555555a5afa in execute_builtin (builtin=0x55555560fa73 
<read_builtin>, words=0x555555761ea8, flags=0, subshell=0) at 
../bash-5.0-rc1/execute_cmd.c:4706
#8  0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555761ea8, 
builtin=0x55555560fa73 <read_builtin>, var=0x0, redirects=0x555555761c08, 
fds_to_close=0x555555761be8, flags=0)
    at ../bash-5.0-rc1/execute_cmd.c:5214
#9  0x00005555555a5365 in execute_simple_command 
(simple_command=0x555555761ac8, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x555555761be8) at ../bash-5.0-rc1/execute_cmd.c:4476
#10 0x000055555559e9f4 in execute_command_internal (command=0x555555761a88, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555761be8) at 
../bash-5.0-rc1/execute_cmd.c:842
#11 0x000055555560858a in parse_and_execute (string=0x5555557616c8 "PATH= read 
-e < rl_do_undo", from_file=0x5555556690f0 "-c", flags=4) at 
../../bash-5.0-rc1/builtins/evalstring.c:436
#12 0x000055555558564a in run_one_command (command=0x7fffffffe284 "PATH= read 
-e < rl_do_undo") at ../bash-5.0-rc1/shell.c:1426
#13 0x0000555555584789 in main (argc=5, argv=0x7fffffffdfe8, 
env=0x7fffffffe018) at ../bash-5.0-rc1/shell.c:741
(gdb) x/12xb &search
0x7fffffffd7f8: 0x30    0x30    0x30    0x30    0x30    0x30    0x00    0x07
0x7fffffffd800: 0x08    0x3c    0x76    0x55
(gdb) frame 0
#0  0x0000555555656672 in rl_do_undo () at 
../../../bash-5.0-rc1/lib/readline/undo.c:255
255                   while (search->next)
(gdb) p search
$2 = (UNDO_LIST *) 0x700303030303030


The problem is that 0x700303030303030 isn't a real memory location. I'm not
sure how that value gets there (my current assumption is that it's
uninitialized memory).

The furthest I got in the debugging is setting a watchpoint to see when
rl_undo_list is set to this value, but it wasn't that useful:


Hardware watchpoint 1: (rl_undo_list && rl_undo_list->next == 0x700257164597171)

Old value = 0
New value = 1
rl_do_undo () at ../../../bash-5.0-rc1/lib/readline/undo.c:230
230           release->next = 0;        /* XXX */

(gdb) p rl_undo_list
$1 = (UNDO_LIST *) 0x55555574c548
(gdb) p rl_undo_list->next
$2 = (struct undo_list *) 0x700257164597171

(gdb) bt
#0  rl_do_undo () at ../../../bash-5.0-rc1/lib/readline/undo.c:230
#1  0x0000555555656807 in rl_revert_line (count=1, key=0) at 
../../../bash-5.0-rc1/lib/readline/undo.c:339
#2  0x000055555563956b in readline_internal_teardown (eof=0) at 
../../../bash-5.0-rc1/lib/readline/readline.c:471
#3  0x000055555563995c in readline_internal () at 
../../../bash-5.0-rc1/lib/readline/readline.c:672
#4  0x0000555555639367 in readline (prompt=0x555555680f84 "") at 
../../../bash-5.0-rc1/lib/readline/readline.c:377
#5  0x0000555555611bcf in edit_line (p=0x555555680f84 "", itext=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107
#6  0x00005555556108f8 in read_builtin (list=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566
#7  0x00005555555a5afa in execute_builtin (builtin=0x55555560fa73 
<read_builtin>, words=0x555555761e08, flags=0, subshell=0) at 
../bash-5.0-rc1/execute_cmd.c:4706
#8  0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555761e08, 
builtin=0x55555560fa73 <read_builtin>, var=0x0, redirects=0x555555761b88, 
fds_to_close=0x555555761bc8, flags=0)
    at ../bash-5.0-rc1/execute_cmd.c:5214
#9  0x00005555555a5365 in execute_simple_command 
(simple_command=0x555555761a88, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x555555761bc8) at ../bash-5.0-rc1/execute_cmd.c:4476
#10 0x000055555559e9f4 in execute_command_internal (command=0x555555761a48, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555761bc8) at 
../bash-5.0-rc1/execute_cmd.c:842
#11 0x000055555560858a in parse_and_execute (string=0x555555763008 "PATH= read 
-e <./out/11/crashes/id:000034,sig:11,src:013851+017955,op:splice,rep:16", 
from_file=0x5555556690f0 "-c", 
    flags=4) at ../../bash-5.0-rc1/builtins/evalstring.c:436
#12 0x000055555558564a in run_one_command (command=0x7fffffffe24b "PATH= read 
-e <./out/11/crashes/id:000034,sig:11,src:013851+017955,op:splice,rep:16") at 
../bash-5.0-rc1/shell.c:1426
#13 0x0000555555584789 in main (argc=5, argv=0x7fffffffdfa8, 
env=0x7fffffffdfd8) at ../bash-5.0-rc1/shell.c:741

(gdb) l
225           _rl_doing_an_undo = 0;
226           RL_UNSETSTATE(RL_STATE_UNDOING);
227
228           release = rl_undo_list;
229           rl_undo_list = rl_undo_list->next;
230           release->next = 0;        /* XXX */
231
232           /* If we are editing a history entry, make sure the change is replicated
233              in the history entry's line */
234           cur = current_history ();
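A small crash-triage helper, added here as an example and not part of the report above or of bash/readline: it breaks the pointer values quoted in the gdb output into their little-endian bytes (the layout `x/12xb &search` prints) and flags values that are non-canonical on x86-64 and mostly printable ASCII, a common sign that a pointer field was overwritten by data rather than set by the allocator. The six-printable-bytes threshold and the "overwritten by text" reading are this example's assumptions, not a conclusion drawn in the report.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One pointer-sized value from a crash, broken down the way gdb's x/8xb shows it. */
struct ptr_triage {
    unsigned char bytes[8]; /* little-endian byte layout, bytes[0] is the lowest address */
    char text[9];           /* printable bytes as characters, '.' for the rest */
    int printable;          /* how many of the 8 bytes are printable ASCII */
    int user_canonical;     /* 1 if the value could be a valid x86-64 user-space pointer */
};

struct ptr_triage triage_pointer(uint64_t v)
{
    struct ptr_triage t;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        t.bytes[i] = b;
        t.text[i] = isprint(b) ? (char)b : '.';
        t.printable += isprint(b) != 0;
    }
    /* x86-64 user-space pointers lie below 0x0000800000000000; higher bit patterns
       are non-canonical and fault on dereference, which matches the SIGSEGV above. */
    t.user_canonical = v < 0x0000800000000000ULL;
    return t;
}

/* Heuristic (assumption of this example): a non-canonical pointer whose bytes are
   mostly printable ASCII was most likely overwritten by data, not produced by malloc. */
int looks_overwritten_by_text(uint64_t v)
{
    struct ptr_triage t = triage_pointer(v);
    return !t.user_canonical && t.printable >= 6;
}

int main(void)
{
    /* The two bad 'next' values and one valid heap pointer quoted in the report above. */
    uint64_t samples[] = { 0x0700303030303030ULL, 0x0700257164597171ULL, 0x000055555574c548ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ptr_triage t = triage_pointer(samples[i]);
        printf("%#018llx  text=\"%s\"  printable=%d  canonical=%d  overwritten?=%s\n",
               (unsigned long long)samples[i], t.text, t.printable, t.user_canonical,
               looks_overwritten_by_text(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

Rebuilding bash with `-fsanitize=address` and rerunning the reproducer is the usual next step to catch the write that stores such a value, since a watchpoint on the pointer only fires once the corrupted node is reached.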



