asan report in bash_add

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

asan report in bash_add_history

From:	Grisha Levit
Subject:	asan report in bash_add_history
Date:	Tue, 7 Mar 2023 11:56:29 -0500

./bash --norc -in <<<$'\\\n.'

bashhist.c:899:8: runtime error: addition of unsigned offset to
0x00010700d190 overflowed to 0x00010700d18f

ERROR: AddressSanitizer: heap-buffer-overflow on address
0x00010700d18f at pc 0x0001045fe1b8 bp 0x00016bb1f350 sp
0x00016bb1f348
READ of size 1 at 0x00010700d18f thread T0

    frame #5: 0x00000001045fe1b8 bash`bash_add_history(line=".") at
bashhist.c:899:8
    frame #6: 0x00000001045fd0c8 bash`maybe_add_history(line=".") at
bashhist.c:759:2
    frame #7: 0x00000001045fca34 bash`pre_process_line(line=".",
print_changes=1, addit=1) at bashhist.c:628:5
    frame #8: 0x000000010432df50
bash`shell_getc(remove_quoted_newline=1) at parse.y:2508:17
    frame #9: 0x000000010432786c bash`read_token(command=0) at parse.y:3432:23

(lldb) fr s 5
frame #5: 0x00000001045fe1b8 bash`bash_add_history(line=".") at bashhist.c:899:8
   896   curlen = strlen (current->line);
   897
   898   if (dstack.delimiter_depth == 0 && current->line[curlen - 1] == '\\' &&
-> 899       current->line[curlen - 2] != '\\')
   900     {
   901       current->line[curlen - 1] = '\0';
   902       curlen--;

(lldb) fr v current->line curlen
(char *) current->line = 0x000000010700d190 "\\"
(size_t) curlen = 1

[Prev in Thread]

Current Thread

[Next in Thread]

asan report in bash_add_history, Grisha Levit <=
- Re: asan report in bash_add_history, Chet Ramey, 2023/03/14

Prev by Date: Re: global-buffer-overflow in parse.y
Next by Date: asan report in spname
Previous by thread: Re: Vulnerability Report(No SPF Record)
Next by thread: Re: asan report in bash_add_history
Index(es):
- Date
- Thread