bug-bash

null ptr deref in bash


From: Brian Carpenter
Subject: null ptr deref in bash
Date: Mon, 29 Feb 2016 11:57:02 -0600

<<0 r["$(<<0)"] triggers a null ptr deref and segfault in bash 4.2.37(1)-release, 4.3.30(1)-release and 4.3.42(1)-release. This bug was found with American Fuzzy Lop.

valgrind -q ~/bash/bash test00
test00: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `0')
test00: line 1: make_here_document: bad instruction type -808464433
==4137== Invalid read of size 1
==4137==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==4137==    by 0x47C237: cprintf (print_cmd.c:1508)
==4137==    by 0x48143F: print_heredoc_header (print_cmd.c:1090)
==4137==    by 0x47F8D3: print_redirection (print_cmd.c:1162)
==4137==    by 0x47E5FF: print_heredocs (print_cmd.c:970)
==4137==    by 0x47E5FF: print_redirection_list (print_cmd.c:1062)
==4137==    by 0x47DCBC: print_simple_command (print_cmd.c:957)
==4137==    by 0x48FF25: execute_simple_command (execute_cmd.c:3892)
==4137==    by 0x48FF25: execute_command_internal (execute_cmd.c:788)
==4137==    by 0x4879B4: execute_command (execute_cmd.c:390)
==4137==    by 0x42C9B2: reader_loop (eval.c:160)
==4137==    by 0x429382: main (shell.c:756)
==4137==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4137==
==4137==
==4137== Process terminating with default action of signal 11 (SIGSEGV)
==4137==  Access not within mapped region at address 0x0
==4137==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==4137==    by 0x47C237: cprintf (print_cmd.c:1508)
==4137==    by 0x48143F: print_heredoc_header (print_cmd.c:1090)
==4137==    by 0x47F8D3: print_redirection (print_cmd.c:1162)
==4137==    by 0x47E5FF: print_heredocs (print_cmd.c:970)
==4137==    by 0x47E5FF: print_redirection_list (print_cmd.c:1062)
==4137==    by 0x47DCBC: print_simple_command (print_cmd.c:957)
==4137==    by 0x48FF25: execute_simple_command (execute_cmd.c:3892)
==4137==    by 0x48FF25: execute_command_internal (execute_cmd.c:788)
==4137==    by 0x4879B4: execute_command (execute_cmd.c:390)
==4137==    by 0x42C9B2: reader_loop (eval.c:160)
==4137==    by 0x429382: main (shell.c:756)
==4137==  If you believe this happened as a result of a stack
==4137==  overflow in your program's main thread (unlikely but
==4137==  possible), you can try to increase the size of the
==4137==  main thread stack using the --main-stacksize= flag.
==4137==  The main thread stack size used in this run was 8388608.
Segmentation fault

Starting program: /home/geeknik/bash/bash test00
test00: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `0')
test00: line 1: make_here_document: bad instruction type -808464433

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106    ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000000000047c238 in cprintf (control=<optimized out>) at print_cmd.c:1508
#2  0x0000000000481440 in print_heredoc_header (redirect=<optimized out>)
    at print_cmd.c:1090
#3  0x000000000047f8d4 in print_redirection (redirect=0x9c1808)
    at print_cmd.c:1162
#4  0x000000000047e600 in print_heredocs (heredocs=<optimized out>)
    at print_cmd.c:970
#5  print_redirection_list (redirects=<optimized out>) at print_cmd.c:1062
#6  0x000000000047dcbd in print_simple_command (simple_command=0x9c1288)
    at print_cmd.c:957
#7  0x000000000048ff26 in execute_simple_command (simple_command=0x9c1288,
    pipe_in=<optimized out>, pipe_out=<optimized out>, async=<optimized out>,
    fds_to_close=<optimized out>) at execute_cmd.c:3892
#8  execute_command_internal (command=0x9c1248, asynchronous=0, pipe_in=-1,
    pipe_out=-1, fds_to_close=0x9c1768) at execute_cmd.c:788
#9  0x00000000004879b5 in execute_command (command=0x0) at execute_cmd.c:390
#10 0x000000000042c9b3 in reader_loop () at eval.c:160
#11 0x0000000000429383 in main (argc=<optimized out>, argv=<optimized out>,
    env=<optimized out>) at shell.c:756

Regards,

Brian 'geeknik' Carpenter
https://twitter.com/geeknik
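The report above gives a one-line trigger plus valgrind and gdb traces, which is the usual shape of an AFL finding. What a triager typically wants next is a small harness that replays such a testcase against a chosen bash build and classifies the result by exit status, so that a directory of crash files can be sorted into segfaults, aborts, hangs and plain errors. The script below is an added example and is not part of the original message or of the bash project. It assumes the bash under test is named by the BASH_UNDER_TEST environment variable (defaulting to whichever bash is first in PATH), that mktemp -d is available, and that the optional GNU timeout utility, if present, reports a hang with exit status 124. A build that is not affected by this bug will simply produce a label other than SIGSEGV.

```shell
#!/bin/sh
# Added example (not the reporter's code): replay an AFL-style crash input
# against a bash binary and label the outcome by exit status.

# Assumption: the shell under test is given by BASH_UNDER_TEST, else PATH's bash.
BASH_UNDER_TEST="${BASH_UNDER_TEST:-bash}"

# Write the trigger quoted in the report to the file named in $1, verbatim.
write_testcase() {
    printf '%s\n' '<<0 r["$(<<0)"]' > "$1"
}

# Map a shell exit status to a label.  A child killed by a signal is reported
# as 128+signo, so 139 is SIGSEGV and 134 is SIGABRT.  124 is the status the
# GNU timeout utility returns when it had to kill the child (assumed here).
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        139) echo "SIGSEGV" ;;
        134) echo "SIGABRT" ;;
        136) echo "SIGFPE" ;;
        13[0-9]|14[0-9]|15[0-9]|16[0-9]) echo "signal-$(( $1 - 128 ))" ;;
        *)   echo "exit-$1" ;;
    esac
}

# Run one testcase file under the target shell and print its label.  stdin and
# all output are discarded; only the exit status matters for sorting.  If the
# timeout utility exists, a hang is cut off after 10 seconds.
run_testcase() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$BASH_UNDER_TEST" "$1" </dev/null >/dev/null 2>&1 || status=$?
    else
        "$BASH_UNDER_TEST" "$1" </dev/null >/dev/null 2>&1 || status=$?
    fi
    classify_exit "$status"
}

# Replay every file given on the command line, or the report's trigger when
# no arguments are supplied, and print one "label  path" line per testcase.
main() {
    if [ "$#" -eq 0 ]; then
        dir=$(mktemp -d)
        write_testcase "$dir/test00"
        set -- "$dir/test00"
    fi
    for f in "$@"; do
        printf '%-10s %s\n' "$(run_testcase "$f")" "$f"
    done
}

main "$@"
```

Point BASH_UNDER_TEST at a locally built bash from one of the versions named in the report (for example `BASH_UNDER_TEST=~/bash/bash sh harness.sh`) to see the SIGSEGV label; pass a directory's worth of AFL crash files as arguments to sort a whole queue in one pass. Because the labels are derived from the exit status alone, the harness does not need valgrind or gdb, which can then be reserved for the inputs that actually land in the SIGSEGV bucket.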