Re: AddressSanitizer: heap-buffer-overflow in rl_delete
From: Eduardo A. Bustamante López
Subject: Re: AddressSanitizer: heap-buffer-overflow in rl_delete
Date: Fri, 16 Jun 2017 09:27:39 -0500
User-agent: NeoMutt/20170113 (1.7.2)
On Thu, Jun 15, 2017 at 09:36:58AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by AddressSanitizer is followed by the base64 encoded crashing input.
>
> ==1736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009880 at pc 0x7f464da3a063 bp 0x7ffe86032fe0 sp 0x7ffe86032790
> READ of size 115 at 0x611000009880 thread T0
> #0 0x7f464da3a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
> #1 0x5634e38634c3 in _rl_find_next_mbchar_internal (/home/dualbus/src/gnu/bash-build/bash+0x25d4c3)
> #2 0x5634e3864375 in _rl_find_next_mbchar (/home/dualbus/src/gnu/bash-build/bash+0x25e375)
> #3 0x5634e3850c0e in rl_delete (/home/dualbus/src/gnu/bash-build/bash+0x24ac0e)
OK. Here's an easy way to reproduce this.
- Start on an empty rl_line_buffer
- Call `set-mark' with a numeric argument (a large number, e.g. 500, is better).
- Call `exchange-point-and-mark' so that now rl_point = 500
- Call `delete-char'
- Bash crashes
The _rl_set_mark_at_pos function already checks for `position > rl_end',
so I'm not sure how to fix this.
--
Eduardo Bustamante
https://dualbus.me/
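The reproduction above boils down to `rl_point` ending up past `rl_end` before `rl_delete` scans the buffer. The following is an added, constructed C model of that state (not readline's or bash's code, and the guards in `exchange_point_and_mark` and `delete_char` are hypothetical hardening, not the upstream fix): it replays the set-mark / exchange-point-and-mark / delete-char sequence on an empty line and shows that each consumer of `rl_point` must re-check the `0 <= rl_point <= rl_end` invariant itself rather than rely on `_rl_set_mark_at_pos` alone.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of readline's line state; not readline's own globals. */
static char *rl_line_buffer;
static int rl_point, rl_mark, rl_end;

/* Allocate exactly strlen(text)+1 bytes, so any read past rl_end is a heap overread. */
static void reset_line(const char *text) {
    size_t n = strlen(text);
    free(rl_line_buffer);
    rl_line_buffer = malloc(n + 1);
    memcpy(rl_line_buffer, text, n + 1);
    rl_end = (int)n; rl_point = 0; rl_mark = -1;
}

/* The check the mail attributes to _rl_set_mark_at_pos: reject positions past rl_end. */
static int set_mark_at_pos(int position) {
    if (position < 0 || position > rl_end) return -1;
    rl_mark = position;
    return 0;
}

/* Hypothetical guarded swap: never move point to a mark outside the buffer. */
static int exchange_point_and_mark(void) {
    if (rl_mark < 0 || rl_mark > rl_end) return -1;
    int t = rl_point; rl_point = rl_mark; rl_mark = t;
    return 0;
}

/* Hypothetical guarded delete-char: validate point before the next-character
   scan (standing in for the _rl_find_next_mbchar call) touches rl_line_buffer. */
static int delete_char(void) {
    if (rl_point < 0 || rl_point >= rl_end) return -1;  /* nothing to delete or out of range */
    int next = rl_point + 1;  /* single-byte stand-in for _rl_find_next_mbchar */
    memmove(rl_line_buffer + rl_point, rl_line_buffer + next, (size_t)(rl_end - next) + 1);
    rl_end -= next - rl_point;
    return 0;
}

/* Replays the sequence from the mail; returns the first step the guards refuse (0 = none). */
static int replay_report(void) {
    reset_line("");
    if (set_mark_at_pos(500) < 0) return 1;
    if (exchange_point_and_mark() < 0) return 2;
    if (delete_char() < 0) return 3;
    return 0;
}
```

Forcing `rl_point = 500` directly on an empty line models whatever path let the out-of-range value in; with the guard, `delete_char` refuses instead of reading 500 bytes past a 1-byte allocation.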