Another out of bounds heap read in bash completion
From: Hanno Böck
Subject: Another out of bounds heap read in bash completion
Date: Tue, 7 Jul 2015 00:46:40 +0200
Hi,
With Address Sanitizer I discovered another out of bounds read issue in
bash. This is different from the issue I recently reported here and
for which Chet already provided a patch:
https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html
To reproduce:
a) compile bash with CFLAGS="-fsanitize=address -g"
b) type in a=/ a
c) go back with the cursor behind the backslash and press tab
This is the stack trace from address sanitizer:
==28776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001014af at pc 0x4c7c0f bp 0x7ffe122a3490 sp 0x7ffe122a3480
READ of size 1 at 0x6020001014af thread T0
    #0 0x4c7c0e in bind_compfunc_variables /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986
    #1 0x4ca913 in gen_shell_function_matches /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1133
    #2 0x4ca913 in gen_compspec_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1411
    #3 0x4cc221 in gen_progcomp_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1581
    #4 0x4cc5a1 in programmable_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1633
    #5 0x4bd184 in attempt_shell_completion /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/bashline.c:1517
    #6 0x7f79530ed482 (/lib64/libreadline.so.6+0x3a482)
    #7 0x7f79530ed8bc in rl_complete_internal (/lib64/libreadline.so.6+0x3a8bc)
    #8 0x7f79530d8c0d in _rl_dispatch_subseq (/lib64/libreadline.so.6+0x25c0d)
    #9 0x7f79530d948c in readline_internal_char (/lib64/libreadline.so.6+0x2648c)
    #10 0x7f79530da354 in readline (/lib64/libreadline.so.6+0x27354)
    #11 0x410457 in yy_readline_get parse.y:1448
    #12 0x414dad in yy_getc parse.y:1382
    #13 0x414dad in shell_getc parse.y:2283
    #14 0x419c19 in read_token parse.y:3050
    #15 0x41f721 in yylex parse.y:2637
    #16 0x41f721 in yyparse /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/y.tab.c:2037
    #17 0x40f2ab in parse_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:238
    #18 0x40f4b1 in read_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:282
    #19 0x40f99e in reader_loop /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:145
    #20 0x40ba04 in main /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/shell.c:756
    #21 0x7f7952820aa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #22 0x40db2d (/bin/bash+0x40db2d)

0x6020001014af is located 1 bytes to the left of 2-byte region [0x6020001014b0,0x6020001014b2)
allocated by thread T0 here:
    #0 0x7f79533a77c7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x577c7)
    #1 0x4cd72a in xmalloc /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986 bind_compfunc_variables
Shadow bytes around the buggy address:
0x0c0480018240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480018250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480018260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480018270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa
0x0c0480018280: fa fa 00 02 fa fa 00 02 fa fa 02 fa fa fa fd fa
=>0x0c0480018290: fa fa fd fd fa[fa]02 fa fa fa 02 fa fa fa fd fa
0x0c04800182a0: fa fa 02 fa fa fa 06 fa fa fa fd fa fa fa fd fa
0x0c04800182b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800182c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800182d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800182e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==28776==ABORTING
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
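The sanitizer output above says the faulting read landed 1 byte to the left of a 2-byte heap region, i.e. one byte before the start of a freshly allocated one-character string. The following C program is an added illustration of that bug class and is not bash's code: the page does not show the statement at pcomplete.c:986, so the buggy pattern below (a backward scan over a word that relies on finding a delimiter and never checks for the start of the buffer) is a hypothetical stand-in, and the names word_start_unbounded, word_start_bounded, word_before_cursor and word_equals are all assumptions. The toy ignores shell quoting, so the backslash in the constructed input is just another character.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical buggy pattern (not from bash): scan backwards from the
 * cursor until a space is found. When no space precedes the word, the
 * loop steps past index 0 and reads line[-1], which is exactly what
 * "READ of size 1 ... located 1 bytes to the left of ... region" means
 * when `line` is a heap allocation. Only compiled in for the ASan demo.
 */
size_t word_start_unbounded(const char *line, size_t cursor)
{
    size_t i = cursor;
    while (line[i - 1] != ' ')   /* BUG: no check for i == 0 */
        i--;
    return i;
}

/* Bounded version: the lower bound is tested before every dereference. */
size_t word_start_bounded(const char *line, size_t cursor)
{
    size_t i = cursor;
    while (i > 0 && line[i - 1] != ' ')
        i--;
    return i;
}

/* Copy the word ending at `cursor` into fresh heap storage (caller frees). */
char *word_before_cursor(const char *line, size_t cursor)
{
    size_t len = strlen(line);
    if (cursor > len)               /* clamp a cursor past the end of the line */
        cursor = len;
    size_t start = word_start_bounded(line, cursor);
    size_t n = cursor - start;
    char *w = malloc(n + 1);
    if (w == NULL)
        return NULL;
    memcpy(w, line + start, n);
    w[n] = '\0';
    return w;
}

/* Test helper: 1 if the word before `cursor` equals `expected`, else 0. */
int word_equals(const char *line, size_t cursor, const char *expected)
{
    char *w = word_before_cursor(line, cursor);
    if (w == NULL)
        return 0;
    int same = strcmp(w, expected) == 0;
    free(w);
    return same;
}

int main(void)
{
    /* Constructed input modelled on the reproduction step: the cursor sits
       after the final "a", which is preceded by a (here unescaped) space. */
    const char *line = "a=\\ a";
    char *w = word_before_cursor(line, strlen(line));
    printf("word before cursor: \"%s\"\n", w);
    free(w);

#ifdef DEMO_BUG
    /* Build with: cc -DDEMO_BUG -fsanitize=address -g this.c
       A 2-byte heap region ("x" plus NUL) with no leading space makes the
       unbounded scan read 1 byte to the left of the region, and ASan reports
       a heap-buffer-overflow of the same shape as the trace in the mail. */
    char *heap = word_before_cursor("x", 1);
    printf("%zu\n", word_start_unbounded(heap, 1));
    free(heap);
#endif
    return 0;
}
```

The bounded scan is the whole fix: every backward walk over a heap string needs an explicit start-of-buffer test, because the byte before a malloc'd region is allocator metadata or another object, never a reliable sentinel. Running the DEMO_BUG build under ASan is the cheapest way to confirm a candidate fix for this class of bug, since the report then disappears instead of merely moving.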