bug-bash

AddressSanitizer: heap-use-after-free _rl_free_undo_list


From: Eduardo Bustamante
Subject: AddressSanitizer: heap-use-after-free _rl_free_undo_list
Date: Wed, 3 May 2017 08:26:58 -0500

dualbus@debian:~/src/gnu/bash$ xxd ../cases/1
00000000: 3010 1f0e                                0...

dualbus@debian:~/src/gnu/bash$ cat -A ../cases/1
0^P^_^N

To reproduce,

- run: ./bash -c 'read -e' # it doesn't seem to happen for interactive bash
- then type the following sequence: 0 \C-p \C-_ \C-n <ret>

(on my keyboard, \C-_ is <ctrl>-<shift>-<->)

dualbus@debian:~/src/gnu/bash$ ./bash -c 'read -e'
0
=================================================================
==24334==ERROR: AddressSanitizer: heap-use-after-free on address
0x60300000c100 at pc 0x55ad664b341d bp 0x7fff83ff6580 sp
0x7fff83ff6578
READ of size 8 at 0x60300000c100 thread T0
    #0 0x55ad664b341c in _rl_free_undo_list
/home/dualbus/src/gnu/bash/lib/readline/undo.c:106
    #1 0x55ad664b34d6 in rl_free_undo_list
/home/dualbus/src/gnu/bash/lib/readline/undo.c:122
    #2 0x55ad6646f757 in readline_internal_teardown
/home/dualbus/src/gnu/bash/lib/readline/readline.c:482
    #3 0x55ad6646fccf in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:671
    #4 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
    #5 0x55ad6642a74d in edit_line read.def:1069
    #6 0x55ad664281dd in read_builtin read.def:550
    #7 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #8 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #9 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #10 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
    #11 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #12 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
    #13 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
    #14 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #15 0x55ad662f45e9 in _start (/home/dualbus/src/gnu/bash/bash+0x7f5e9)

0x60300000c100 is located 0 bytes inside of 32-byte region
[0x60300000c100,0x60300000c120)
freed by thread T0 here:
    #0 0x7f4116db5a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x55ad66404600 in xfree /home/dualbus/src/gnu/bash/xmalloc.c:148
    #2 0x55ad664b3e4f in rl_do_undo
/home/dualbus/src/gnu/bash/lib/readline/undo.c:240
    #3 0x55ad664b41aa in rl_undo_command
/home/dualbus/src/gnu/bash/lib/readline/undo.c:331
    #4 0x55ad664707f2 in _rl_dispatch_subseq
/home/dualbus/src/gnu/bash/lib/readline/readline.c:851
    #5 0x55ad664703cd in _rl_dispatch
/home/dualbus/src/gnu/bash/lib/readline/readline.c:797
    #6 0x55ad6646fc0c in readline_internal_char
/home/dualbus/src/gnu/bash/lib/readline/readline.c:629
    #7 0x55ad6646fc9e in readline_internal_charloop
/home/dualbus/src/gnu/bash/lib/readline/readline.c:656
    #8 0x55ad6646fcc2 in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:670
    #9 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
    #10 0x55ad6642a74d in edit_line read.def:1069
    #11 0x55ad664281dd in read_builtin read.def:550
    #12 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #13 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #14 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #15 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
    #16 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #17 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
    #18 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
    #19 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f4116db5d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ad6640453f in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x55ad664b3252 in alloc_undo_entry
/home/dualbus/src/gnu/bash/lib/readline/undo.c:75
    #3 0x55ad664b33a1 in rl_add_undo
/home/dualbus/src/gnu/bash/lib/readline/undo.c:92
    #4 0x55ad664b9ec1 in rl_insert_text
/home/dualbus/src/gnu/bash/lib/readline/text.c:112
    #5 0x55ad664bcf22 in _rl_insert_char
/home/dualbus/src/gnu/bash/lib/readline/text.c:863
    #6 0x55ad664bd2d4 in rl_insert
/home/dualbus/src/gnu/bash/lib/readline/text.c:912
    #7 0x55ad664707f2 in _rl_dispatch_subseq
/home/dualbus/src/gnu/bash/lib/readline/readline.c:851
    #8 0x55ad664703cd in _rl_dispatch
/home/dualbus/src/gnu/bash/lib/readline/readline.c:797
    #9 0x55ad6646fc0c in readline_internal_char
/home/dualbus/src/gnu/bash/lib/readline/readline.c:629
    #10 0x55ad6646fc9e in readline_internal_charloop
/home/dualbus/src/gnu/bash/lib/readline/readline.c:656
    #11 0x55ad6646fcc2 in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:670
    #12 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
    #13 0x55ad6642a74d in edit_line read.def:1069
    #14 0x55ad664281dd in read_builtin read.def:550
    #15 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
    #16 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
    #17 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
    #18 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
    #19 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #20 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
    #21 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
    #22 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/dualbus/src/gnu/bash/lib/readline/undo.c:106 in
_rl_free_undo_list
Shadow bytes around the buggy address:
  0x0c067fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9810: fa fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
=>0x0c067fff9820:[fd]fd fd fd fa fa 00 00 04 fa fa fa fd fd fd fd
  0x0c067fff9830: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9840: 00 02 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9850: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9860: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9870: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24334==ABORTING


Found by fuzzing with AFL using the following modification:

dualbus@debian:~/src/gnu/bash$ git diff -- builtins/read.def
diff --git a/builtins/read.def b/builtins/read.def
index e6db4393..245ed69f 100644
--- a/builtins/read.def
+++ b/builtins/read.def
@@ -389,6 +389,7 @@ read_builtin (list)
     input_is_pipe = 1;
 #endif

+#if 0
   /* If the -p, -e or -s flags were given, but input is not coming from the
      terminal, turn them off. */
   if ((prompt || edit || silent) && input_is_tty == 0)
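Review bot: the `#if 0` at the top of this hunk carries no comment saying why the tty check is being disabled, so a reader of the diff could mistake it for a proposed fix rather than a fuzzing-harness change. The block it compiles out is the code that turns `edit` (and `silent`) off when input is not coming from the terminal, which is exactly what lets AFL drive readline from a file; a one-line comment such as `#if 0 /* fuzzing harness: keep readline active on non-tty stdin */` would make that intent explicit and keep the change from being committed by accident.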
@@ -399,6 +400,7 @@ read_builtin (list)
 #endif
       edit = silent = 0;
     }
+#endif

 #if defined (READLINE)
   if (edit)
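Review bot: this `#endif` pairs with the `#if 0` from the previous hunk, leaving the `edit = silent = 0;` assignment above it compiled out, so the harness build keeps readline editing on even when stdin is a file. That is what allows a saved case such as the 4-byte file shown earlier to be replayed, but it also means crashes found this way should be re-checked against an unpatched build, as the `./bash -c 'read -e'` run earlier in the message does. A short comment on this `#endif` naming the `#if 0` it closes would help whoever rebases the harness.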


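As an added triage helper (not part of this bug report or of bash), a Python parser that pulls the fields a fuzz-triage script needs out of an AddressSanitizer report of the shape shown above: the error kind, the access, and the first non-allocator frame of the access, free and allocation stacks. The sample report is constructed from the frames quoted in this message with the mail wrapping undone; `WRAPPERS` is an assumed list of allocator wrappers to skip.

```python
import re

# Constructed sample: the leading frames of each stack from the report in this
# message, rejoined onto single lines (the mail client wrapped them).
SAMPLE = """\
==24334==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000c100
READ of size 8 at 0x60300000c100 thread T0
    #0 0x55ad664b341c in _rl_free_undo_list /home/dualbus/src/gnu/bash/lib/readline/undo.c:106
    #1 0x55ad664b34d6 in rl_free_undo_list /home/dualbus/src/gnu/bash/lib/readline/undo.c:122
freed by thread T0 here:
    #0 0x7f4116db5a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x55ad66404600 in xfree /home/dualbus/src/gnu/bash/xmalloc.c:148
    #2 0x55ad664b3e4f in rl_do_undo /home/dualbus/src/gnu/bash/lib/readline/undo.c:240
previously allocated by thread T0 here:
    #0 0x7f4116db5d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ad6640453f in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x55ad664b3252 in alloc_undo_entry /home/dualbus/src/gnu/bash/lib/readline/undo.c:75
SUMMARY: AddressSanitizer: heap-use-after-free /home/dualbus/src/gnu/bash/lib/readline/undo.c:106 in _rl_free_undo_list
"""

ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.*)$")
# Assumed: allocator entry points and bash's xmalloc wrappers say nothing
# about where the bug is, so the first frame past them is the one kept.
WRAPPERS = {"malloc", "calloc", "realloc", "free", "xmalloc", "xrealloc", "xfree"}


def parse_asan(text):
    """Error kind, access type/size and first non-wrapper frame per stack."""
    report = {"kind": None, "access": None, "size": None,
              "access_frame": None, "free_frame": None, "alloc_frame": None}
    section = "access_frame"  # frames before "freed by" belong to the access
    for line in text.splitlines():
        if m := ERROR.match(line):
            report["kind"] = m.group(1)
        elif m := ACCESS.match(line):
            report["access"], report["size"] = m.group(1), int(m.group(2))
        elif line.startswith("freed by"):
            section = "free_frame"
        elif line.startswith("previously allocated by"):
            section = "alloc_frame"
        elif (m := FRAME.match(line)) and report[section] is None \
                and m.group(2) not in WRAPPERS:
            report[section] = (m.group(2), m.group(3).strip())
    return report


def bucket_key(report):
    """De-duplication key for fuzzer crashes: no addresses, so stable under ASLR."""
    return (report["kind"], report["access_frame"], report["free_frame"])
```

Two AFL cases that produce the same `bucket_key` are the same bug for triage purposes; the tuple deliberately omits the alloc frame, which often varies for one underlying use-after-free.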
