Re: Remaining memory corruption bugs in readline

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remaining memory corruption bugs in readline

From:	dualbus
Subject:	Re: Remaining memory corruption bugs in readline
Date:	Thu, 8 Jun 2017 10:09:33 -0500
User-agent:	NeoMutt/20170113 (1.7.2)

On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
[...]
> #1 _rl_get_char_len / update_line
[...]
>   ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x61900000cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>   READ of size 851 at 0x61900000cc80 thread T0
>       #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>       #1 0x559b50a04821 in _rl_get_char_len 
> ../../../bash/lib/readline/mbutil.c:223
>       #2 0x559b50a048e0 in _rl_compare_chars 
> ../../../bash/lib/readline/mbutil.c:252
>       #3 0x559b509db526 in update_line 
> ../../../bash/lib/readline/display.c:1664
[...]

I have been looking at this specific example for some time now.

The problem is that _rl_get_char_len assumes it's being called with a
\0-terminated string, but under some cases (that I haven't been able to
figure out), there's no \0 at the end, so the strlen reads more than it
should.

-- 
Eduardo Bustamante
https://dualbus.me/

[Prev in Thread]

Current Thread

[Next in Thread]

Remaining memory corruption bugs in readline, dualbus, 2017/06/02
- Re: Remaining memory corruption bugs in readline, dualbus <=
  - Re: Remaining memory corruption bugs in readline, Chet Ramey, 2017/06/08
    - Re: Remaining memory corruption bugs in readline, Chet Ramey, 2017/06/09
    - Re: Remaining memory corruption bugs in readline, Eduardo Bustamante, 2017/06/09

Prev by Date: Re: [PATCH] Memory leak in locale.c set_default_locale
Next by Date: Re: Remaining memory corruption bugs in readline
Previous by thread: Remaining memory corruption bugs in readline
Next by thread: Re: Remaining memory corruption bugs in readline
Index(es):
- Date
- Thread