bug-bash

From: Eduardo Bustamante
Subject: AddressSanitizer: heap-buffer-overflow lib/readline/bind.c:437 in rl_translate_keyseq
Date: Thu, 27 Apr 2017 07:02:25 -0500

dualbus@debian:~/src/gnu/bash$ xxd inputrc
00000000: 225c 432d 2230 3030 200a                 "\C-"000 .

# with ASAN
dualbus@debian:~/src/gnu/bash$ ./bash --noprofile --norc -ic 'bind -f inputrc'
=================================================================
==27315==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000009bb9 at pc 0x5628fdaa420b bp 0x7ffcde1bef40 sp
0x7ffcde1bef38
READ of size 1 at 0x602000009bb9 thread T0
    #0 0x5628fdaa420a in rl_translate_keyseq
/home/dualbus/src/gnu/bash/lib/readline/bind.c:437
    #1 0x5628fdaa2934 in rl_generic_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:347
    #2 0x5628fdaa2520 in rl_bind_keyseq
/home/dualbus/src/gnu/bash/lib/readline/bind.c:251
    #3 0x5628fdaa82ab in rl_parse_and_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:1405
    #4 0x5628fdaa6103 in _rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:927
    #5 0x5628fdaa5d4c in rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:870
    #6 0x5628fda1901c in bind_builtin bind.def:248
    #7 0x5628fd95272b in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4603
    #8 0x5628fd954341 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5101
    #9 0x5628fd951bc1 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4389
    #10 0x5628fd93fac2 in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
    #11 0x5628fda294ae in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #12 0x5628fd90b121 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
    #13 0x5628fd9095fa in main /home/dualbus/src/gnu/bash/shell.c:718
    #14 0x7fc1396332b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #15 0x5628fd908469 in _start (/home/dualbus/src/gnu/bash/bash+0x7f469)

0x602000009bb9 is located 0 bytes to the right of 9-byte region
[0x602000009bb0,0x602000009bb9)
allocated by thread T0 here:
    #0 0x7fc139ea0d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5628fda18195 in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x5628fdaa7e6f in rl_parse_and_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:1372
    #3 0x5628fdaa6103 in _rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:927
    #4 0x5628fdaa5d4c in rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:870
    #5 0x5628fda1901c in bind_builtin bind.def:248
    #6 0x5628fd95272b in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4603
    #7 0x5628fd954341 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5101
    #8 0x5628fd951bc1 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4389
    #9 0x5628fd93fac2 in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
    #10 0x5628fda294ae in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #11 0x5628fd90b121 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
    #12 0x5628fd9095fa in main /home/dualbus/src/gnu/bash/shell.c:718
    #13 0x7fc1396332b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dualbus/src/gnu/bash/lib/readline/bind.c:437 in
rl_translate_keyseq
Shadow bytes around the buggy address:
  0x0c047fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9370: fa fa 07 fa fa fa 00[01]fa fa 00 fa fa fa 00 03
  0x0c047fff9380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
  0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27315==ABORTING

# With Valgrind + without bash malloc
dualbus@debian:~/src/gnu/bash$ valgrind ./bash --noprofile --norc -ic
'bind -f inputrc'
==2112== Memcheck, a memory error detector
==2112== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2112== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==2112== Command: ./bash --noprofile --norc -ic bind\ -f\ inputrc
==2112==
==2112== Conditional jump or move depends on uninitialised value(s)
==2112==    at 0x1EE229: rl_translate_keyseq (bind.c:437)
==2112==    by 0x1ED979: rl_generic_bind (bind.c:347)
==2112==    by 0x1ED767: rl_bind_keyseq (bind.c:251)
==2112==    by 0x1EFB79: rl_parse_and_bind (bind.c:1405)
==2112==    by 0x1EEE3F: _rl_read_init_file (bind.c:927)
==2112==    by 0x1EECA8: rl_read_init_file (bind.c:870)
==2112==    by 0x1AAE4B: bind_builtin (bind.def:248)
==2112==    by 0x155FF0: execute_builtin (execute_cmd.c:4603)
==2112==    by 0x156ECC: execute_builtin_or_function (execute_cmd.c:5101)
==2112==    by 0x1558F6: execute_simple_command (execute_cmd.c:4389)
==2112==    by 0x14F2AE: execute_command_internal (execute_cmd.c:811)
==2112==    by 0x1B21E7: parse_and_execute (evalstring.c:430)
==2112==
==2112==
==2112== HEAP SUMMARY:
==2112==     in use at exit: 226,535 bytes in 790 blocks
==2112==   total heap usage: 1,519 allocs, 729 frees, 286,870 bytes allocated
==2112==
==2112== LEAK SUMMARY:
==2112==    definitely lost: 0 bytes in 0 blocks
==2112==    indirectly lost: 0 bytes in 0 blocks
==2112==      possibly lost: 0 bytes in 0 blocks
==2112==    still reachable: 226,535 bytes in 790 blocks
==2112==         suppressed: 0 bytes in 0 blocks
==2112== Rerun with --leak-check=full to see details of leaked memory
==2112==
==2112== For counts of detected and suppressed errors, rerun with: -v
==2112== Use --track-origins=yes to see where uninitialised values come from
==2112== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

# With bash malloc
dualbus@debian:~/src/gnu/bash$ ./bash --noprofile --norc -ic 'bind -f inputrc'

malloc: unknown:0: assertion botched
malloc: 0x557ac4e2f948: allocated: last allocated from unknown:0
free: start and end chunk sizes differ
Aborting...Aborted
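What the three runs above have in common: the inputrc from the xxd dump binds the key sequence `"\C-"`, so the `\C-` control prefix is the last thing before the closing quote, and ASan reports a 1-byte read located 0 bytes past the end of the 9-byte heap region while rl_translate_keyseq is translating that sequence. A translator that assumes a character always follows `\C-` reads one byte past its buffer exactly like that. The C below is an added example written for this page, not readline's code: a hypothetical, simplified translator for a subset of the inputrc escapes (`\C-x`, `\M-x`, `\e`, `\\`) that bounds-checks every read against the sequence length and rejects a truncated escape, plus a small per-line check that a defender could run over an inputrc before loading it. The names `translate_keyseq`, `translated_length`, `translated_byte` and `inputrc_line_keyseq_ok` are assumptions of this example; the control/meta encodings (`c & 0x1f`, `c | 0x80`) and the quote-scanning rules are simplified and do not claim to match readline's grammar exactly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not readline's code: a simplified key-sequence translator
   for a subset of inputrc escapes (\C-x, \M-x, \e, \\; anything else is
   copied literally).  Every byte read from `seq` is bounds-checked against
   `len`, so a sequence that ends in the "\C-" prefix is rejected instead of
   being read one byte past its end.  Returns the number of bytes written to
   `out`, or -1 on a truncated escape or a full output buffer. */
int translate_keyseq(const char *seq, size_t len, unsigned char *out, size_t outcap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char c = (unsigned char)seq[i];
        if (n >= outcap)                 /* each iteration writes at most one byte */
            return -1;
        if (c != '\\') {                 /* ordinary byte: copy through */
            out[n++] = c;
            i++;
            continue;
        }
        if (i + 1 >= len)                /* lone trailing backslash */
            return -1;
        unsigned char e = (unsigned char)seq[i + 1];
        if (e == 'C' || e == 'M') {
            /* "\C-x" / "\M-x" need the '-' and the target character, i.e.
               indices i+2 and i+3 must both exist.  This is the check that
               a "\C-" sitting at the very end of the buffer fails. */
            if (i + 3 >= len || seq[i + 2] != '-')
                return -1;
            unsigned char target = (unsigned char)seq[i + 3];
            out[n++] = (e == 'C') ? (unsigned char)(target & 0x1f)
                                  : (unsigned char)(target | 0x80);
            i += 4;
        } else if (e == 'e') {           /* "\e": ESC */
            out[n++] = 0x1b;
            i += 2;
        } else {                         /* "\\" and unknown escapes: keep the escaped byte */
            out[n++] = e;
            i += 2;
        }
    }
    return (int)n;
}

/* Convenience wrappers over NUL-terminated strings (hypothetical helpers for
   callers that do not want to manage an output buffer). */
int translated_length(const char *seq)
{
    unsigned char buf[64];
    return translate_keyseq(seq, strlen(seq), buf, sizeof buf);
}

int translated_byte(const char *seq, size_t k)
{
    unsigned char buf[64];
    int n = translate_keyseq(seq, strlen(seq), buf, sizeof buf);
    return (n < 0 || k >= (size_t)n) ? -1 : buf[k];
}

/* Pre-load check for one inputrc line: find the key sequence between the
   first pair of double quotes (a backslash escapes the next byte, so \" does
   not close the quote) and translate it.  Returns 1 if the sequence is well
   formed, 0 if it is truncated or the quote is unterminated, -1 if the line
   carries no quoted key sequence (e.g. a `set` directive). */
int inputrc_line_keyseq_ok(const char *line)
{
    const char *open = strchr(line, '"');
    if (open == NULL)
        return -1;
    const char *p = open + 1;
    while (*p != '\0' && *p != '"') {
        if (*p == '\\' && p[1] != '\0')
            p++;                         /* skip the escaped byte */
        p++;
    }
    if (*p != '"')
        return 0;                        /* unterminated quote */
    unsigned char buf[64];
    return translate_keyseq(open + 1, (size_t)(p - open - 1), buf, sizeof buf) < 0 ? 0 : 1;
}

int main(void)
{
    /* The line from the report's xxd dump, "\C-"000, reconstructed here from
       the bytes shown on the page (constructed input). */
    const char *line = "\"\\C-\"000 ";
    printf("%s -> %s\n", line,
           inputrc_line_keyseq_ok(line) == 1 ? "ok" : "truncated key sequence");
    return 0;
}
```

The design point is that the length of the key sequence is passed alongside the pointer and checked before every index into it; the sanitizer report shows the alternative, where the byte after `\C-` is simply assumed to exist and the read lands in the heap redzone right after the allocation.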
