bug-bash

AddressSanitizer: global-buffer-overflow in rl_filename_completion_function


From: Eduardo Bustamante
Subject: AddressSanitizer: global-buffer-overflow in rl_filename_completion_function
Date: Thu, 15 Jun 2017 09:41:08 -0500
User-agent: NeoMutt/20170113 (1.7.2)

Found by fuzzing `read -e' with AFL. The stack trace reported by AddressSanitizer
is followed by the base64-encoded crashing input.


==1098==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e61a6b4c5c at pc 0x55e61a3426ca bp 0x7fff1820a300 sp 0x7fff1820a2f8
READ of size 4 at 0x55e61a6b4c5c thread T0
    #0 0x55e61a3426c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55e61a3e0a08 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218a08)
    #2 0x55e61a3df702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55e61a3daaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55e61a3dea63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55e61a3d81e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55e61a3c430d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55e61a3c3ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55e61a3c3727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55e61a3c37b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55e61a3c37dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55e61a3c2e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55e61a37e136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55e61a37baa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55e61a291c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55e61a29389f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55e61a29111f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55e61a27ef42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55e61a28782e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55e61a27fd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55e61a3690f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55e61a24a401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55e61a2488da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fdab89d22b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55e61a247749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55e61a6b4c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55e61a6b4c20) of size 4
0x55e61a6b4c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55e61a6b4c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abd434ce930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abd434ce980: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abd434ce990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1098==ABORTING

INPUT



==15163==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5651610c8c5c at pc 0x565160d566ca bp 0x7ffd2a68cf50 sp 0x7ffd2a68cf48
READ of size 4 at 0x5651610c8c5c thread T0
    #0 0x565160d566c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x565160df4c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x565160df3702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x565160deeaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x565160df2a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x565160dec1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x565160dd830d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x565160dd8f47 in _rl_subseq_result (/home/dualbus/src/gnu/bash-build/bash+0x1fcf47)
    #8 0x565160dd8b07 in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcb07)
    #9 0x565160dd8aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #10 0x565160dd7ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #11 0x565160dd7727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #12 0x565160dd77b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #13 0x565160dd77dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #14 0x565160dd6e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #15 0x565160d92136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #16 0x565160d8faa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #17 0x565160ca5c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #18 0x565160ca789f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #19 0x565160ca511f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #20 0x565160c92f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #21 0x565160c9b82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #22 0x565160c93d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #23 0x565160d7d0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #24 0x565160c5e401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #25 0x565160c5c8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #26 0x7f4308d562b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x565160c5b749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x5651610c8c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x5651610c8c20) of size 4
0x5651610c8c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x5651610c8c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0acaac211130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0acaac211180: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0acaac211190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==15163==ABORTING

INPUT



==22733==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55ae41d95c5c at pc 0x55ae41a236ca bp 0x7ffc393df460 sp 0x7ffc393df458
READ of size 4 at 0x55ae41d95c5c thread T0
    #0 0x55ae41a236c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55ae41ac1c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55ae41ac0702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55ae41abbaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55ae41abfa63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55ae41ab91e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55ae41aa530d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55ae41aa4ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55ae41aa4727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55ae41aa47b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55ae41aa47dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55ae41aa3e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55ae41a5f136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55ae41a5caa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55ae41972c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55ae4197489f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55ae4197211f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55ae4195ff42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55ae4196882e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55ae41960d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55ae41a4a0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55ae4192b401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55ae419298da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fee1119d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55ae41928749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55ae41d95c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55ae41d95c20) of size 4
0x55ae41d95c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55ae41d95c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0ab6483aab30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab6483aab80: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0ab6483aab90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aaba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==22733==ABORTING

INPUT



==23291==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55dc526e9c5c at pc 0x55dc523776ca bp 0x7ffd94ca3770 sp 0x7ffd94ca3768
READ of size 4 at 0x55dc526e9c5c thread T0
    #0 0x55dc523776c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55dc52415c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55dc52414702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55dc5240faab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55dc52413a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55dc5240d1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55dc523f930d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55dc523f9f47 in _rl_subseq_result (/home/dualbus/src/gnu/bash-build/bash+0x1fcf47)
    #8 0x55dc523f9b07 in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcb07)
    #9 0x55dc523f9aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #10 0x55dc523f8ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #11 0x55dc523f8727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #12 0x55dc523f87b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #13 0x55dc523f87dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #14 0x55dc523f7e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #15 0x55dc523b3136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #16 0x55dc523b0aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #17 0x55dc522c6c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #18 0x55dc522c889f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #19 0x55dc522c611f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #20 0x55dc522b3f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #21 0x55dc522bc82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #22 0x55dc522b4d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #23 0x55dc5239e0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #24 0x55dc5227f401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #25 0x55dc5227d8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #26 0x7fc98b7912b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x55dc5227c749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55dc526e9c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55dc526e9c20) of size 4
0x55dc526e9c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55dc526e9c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abc0a4d5330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abc0a4d5380: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abc0a4d5390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==23291==ABORTING

INPUT



==27624==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e20518ac5c at pc 0x55e204e186ca bp 0x7fff45327ba0 sp 0x7fff45327b98
READ of size 4 at 0x55e20518ac5c thread T0
    #0 0x55e204e186c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55e204eb6a08 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218a08)
    #2 0x55e204eb5702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55e204eb0aab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55e204eb4a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55e204eae1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55e204e9a30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55e204e99ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55e204e99727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55e204e997b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55e204e997dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55e204e98e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55e204e54136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55e204e51aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55e204d67c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55e204d6989f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55e204d6711f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55e204d54f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55e204d5d82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55e204d55d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55e204e3f0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55e204d20401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55e204d1e8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7f21e44ed2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55e204d1d749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55e20518ac5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55e20518ac20) of size 4
0x55e20518ac5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55e20518ac60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abcc0a29530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abcc0a29580: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abcc0a29590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==27624==ABORTING

INPUT



==2732==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b2cee4cc5c at pc 0x55b2ceada6ca bp 0x7ffe47c5ab90 sp 0x7ffe47c5ab88
READ of size 4 at 0x55b2cee4cc5c thread T0
    #0 0x55b2ceada6c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55b2ceb78c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55b2ceb77702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55b2ceb72aab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55b2ceb76a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55b2ceac7a94 in bash_brace_completion (/home/dualbus/src/gnu/bash-build/bash+0x167a94)
    #6 0x55b2ceb5c30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55b2ceb5caef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #8 0x55b2ceb5bee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #9 0x55b2ceb5b727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #10 0x55b2ceb5b7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #11 0x55b2ceb5b7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #12 0x55b2ceb5ae93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #13 0x55b2ceb16136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #14 0x55b2ceb13aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #15 0x55b2cea29c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #16 0x55b2cea2b89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #17 0x55b2cea2911f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #18 0x55b2cea16f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #19 0x55b2cea1f82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #20 0x55b2cea17d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #21 0x55b2ceb010f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #22 0x55b2ce9e2401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #23 0x55b2ce9e08da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #24 0x7fbbd390b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #25 0x55b2ce9df749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55b2cee4cc5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55b2cee4cc20) of size 4
0x55b2cee4cc5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55b2cee4cc60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0ab6d9dc1930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab6d9dc1980: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0ab6d9dc1990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==2732==ABORTING

INPUT

-- 
Eduardo Bustamante
https://dualbus.me/
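Editor's note on the reports above: every one of them is a 4-byte READ exactly 4 bytes below the start of sh_syntaxtab, a 1024-byte global, i.e. 256 ints, so the faulting access is entry -1 of a 256-entry int table. The most likely way to reach entry -1 is a 0xff input byte promoted through a signed char before being used as the index (this is an inference from the ASan output, not something the report states). The C program below is an added illustration, not code from the report or from bash: it models such a table with constructed, hypothetical class bits, shows the index each promotion yields and the byte offset ASan would print for it, counts the bytes of an input that would index below the table, and gives a dequote loop whose every table access goes through unsigned char.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 256-entry int syntax table such as
 * sh_syntaxtab (1024 bytes = 256 * sizeof(int)).  Entries are bit sets of
 * hypothetical character classes; the real table's contents are not modelled. */
enum { SYNTAB_ENTRIES = 256 };
enum { CSHBRK = 1, CBSQUOTE = 2 };   /* hypothetical class bits */
static int syntab[SYNTAB_ENTRIES];

static void syntab_init(void)
{
    const char *brk = " \t\n$`<>|;&()*?[]~";
    memset(syntab, 0, sizeof syntab);
    for (const char *p = brk; *p; p++)
        syntab[(unsigned char)*p] |= CSHBRK;
    syntab[(unsigned char)'\\'] |= CBSQUOTE;
}

/* Index a plain char yields on a platform where char is signed (x86-64
 * Linux): bytes 0x80..0xff become -128..-1 and land below the table. */
long syntab_index_signed(unsigned char byte)
{
    return (long)(signed char)byte;
}

/* Index after an explicit unsigned char promotion: always 0..255. */
long syntab_index_unsigned(unsigned char byte)
{
    return (long)byte;
}

/* Byte offset from the start of the table that the signed promotion reads
 * at.  ASan prints a negative result as "N bytes to the left of" the table;
 * 0xff gives -4, matching the reports above. */
long asan_offset_for_byte(unsigned char byte)
{
    return syntab_index_signed(byte) * (long)sizeof(int);
}

/* Triage check: count the bytes of an input whose signed promotion would
 * index below the table.  Zero means this input cannot trigger that fault. */
size_t count_negative_indices(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (syntab_index_signed(buf[i]) < 0)
            n++;
    return n;
}

/* Hardened model of a filename dequoter: drop a backslash that quotes a
 * CSHBRK character, keep everything else.  Every table access goes through
 * unsigned char, so a 0xff byte selects entry 255 rather than entry -1.
 * Returns the output length; out is NUL-terminated whenever outsz > 0. */
size_t dequote_filename(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (const char *p = in; *p && o + 1 < outsz; p++) {
        unsigned char cur = (unsigned char)p[0];
        unsigned char nxt = (unsigned char)p[1];
        if ((syntab[cur] & CBSQUOTE) && nxt != '\0' && (syntab[nxt] & CSHBRK))
            p++;                              /* skip the quoting backslash */
        out[o++] = *p;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a quoted space and '$', then a backslash before 0xff. */
    const char sample[] = "a\\ b\\$c\\" "\xff";
    char out[32];

    syntab_init();
    printf("0xff as signed index: %ld, as unsigned index: %ld\n",
           syntab_index_signed(0xff), syntab_index_unsigned(0xff));
    printf("ASan offset for 0xff: %ld bytes\n", asan_offset_for_byte(0xff));
    printf("bytes with negative index in sample: %zu\n",
           count_negative_indices((const unsigned char *)sample, sizeof sample - 1));
    printf("dequoted length: %zu\n", dequote_filename(sample, out, sizeof out));
    return 0;
}
```

The same check can be run over a decoded crash input: any byte that count_negative_indices flags is one that a plain-char index would send below the table.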


