double free corruption bash 4.2.53(1)-release


From: evil
Subject: double free corruption bash 4.2.53(1)-release
Date: Thu, 9 Nov 2017 09:19:39 -0700
User-agent: SquirrelMail/1.4.23 [SVN]

Hi all,

I found a bug in bash 4.2.48+ (doesn't seem to affect bash 4.3)

: <<CODE
#!/bin/bash
ulimit -c unlimited
echo $BASH_VERSION
/usr/bin/printf "\u200b\n";/usr/bin/printf "\u200b\n"|hexdump -C;echo -e "\u200b\n"|hexdump -C
# ifrit crash # file -s core
# core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/bin/bash crash.sh'
CODE

ifrit crash # gdb bash
GNU gdb (Gentoo 7.10.1 vanilla) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bash...(no debugging symbols found)...done.
(gdb) set args crash.sh
(gdb) r
Starting program: /bin/bash crash.sh
4.2.53(1)-release
\u200B
00000000  5c 75 32 30 30 42 0a                              |\u200B.|
00000007
*** Error in `/bin/bash': double free or corruption (out): 0x000002aaaadb0d30 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73927)[0x3fff73de927]
/lib64/libc.so.6(+0x7994f)[0x3fff73e494f]
/lib64/libc.so.6(+0x7a1be)[0x3fff73e51be]
/bin/bash(echo_builtin+0x1c6)[0x2aaaab4e7c6]
/bin/bash(+0x3b44d)[0x2aaaaae544d]
/bin/bash(+0x430cb)[0x2aaaaaed0cb]
/bin/bash(+0x3d85c)[0x2aaaaae785c]
/bin/bash(+0x3f301)[0x2aaaaae9301]
/bin/bash(+0x42200)[0x2aaaaaec200]
/bin/bash(+0x407f9)[0x2aaaaaea7f9]
/bin/bash(+0x3f585)[0x2aaaaae9585]
/bin/bash(execute_command+0xd8)[0x2aaaaaeb618]
/bin/bash(reader_loop+0x1cb)[0x2aaaaac990b]
/bin/bash(main+0x1031)[0x2aaaaac7c31]
/lib64/libc.so.6(__libc_start_main+0x114)[0x3fff738b8a4]
/bin/bash(_start+0x29)[0x2aaaaac8539]
======= Memory map: ========
2aaaaaaa000-2aaaab9e000 r-xp 00000000 08:06 97 /bin/bash
2aaaad9d000-2aaaada0000 r--p 000f3000 08:06 97 /bin/bash
2aaaada0000-2aaaada4000 rw-p 000f6000 08:06 97 /bin/bash
2aaaada4000-2aaaadc8000 rw-p 00000000 00:00 0 [heap]
3fff0000000-3fff0021000 rw-p 00000000 00:00 0
3fff0021000-3fff4000000 ---p 00000000 00:00 0
3fff7154000-3fff716a000 r-xp 00000000 08:03 520297 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
3fff716a000-3fff7369000 ---p 00016000 08:03 520297 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
3fff7369000-3fff736a000 r--p 00015000 08:03 520297 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
3fff736a000-3fff736b000 rw-p 00016000 08:03 520297 /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
3fff736b000-3fff7508000 r-xp 00000000 08:03 444005 /lib64/libc-2.23.so
3fff7508000-3fff7708000 ---p 0019d000 08:03 444005 /lib64/libc-2.23.so
3fff7708000-3fff770c000 r--p 0019d000 08:03 444005 /lib64/libc-2.23.so
3fff770c000-3fff770e000 rw-p 001a1000 08:03 444005 /lib64/libc-2.23.so
3fff770e000-3fff7713000 rw-p 00000000 00:00 0
3fff7713000-3fff7715000 r-xp 00000000 08:03 444001 /lib64/libdl-2.23.so
3fff7715000-3fff7915000 ---p 00002000 08:03 444001 /lib64/libdl-2.23.so
3fff7915000-3fff7916000 r--p 00002000 08:03 444001 /lib64/libdl-2.23.so
3fff7916000-3fff7917000 rw-p 00003000 08:03 444001 /lib64/libdl-2.23.so
3fff7917000-3fff797c000 r-xp 00000000 08:03 410922 /lib64/libncurses.so.5.9
3fff797c000-3fff7b7c000 ---p 00065000 08:03 410922 /lib64/libncurses.so.5.9
3fff7b7c000-3fff7b80000 r--p 00065000 08:03 410922 /lib64/libncurses.so.5.9
3fff7b80000-3fff7b81000 rw-p 00069000 08:03 410922 /lib64/libncurses.so.5.9
3fff7b81000-3fff7bce000 r-xp 00000000 08:03 471554 /lib64/libreadline.so.7.0
3fff7bce000-3fff7dcd000 ---p 0004d000 08:03 471554 /lib64/libreadline.so.7.0
3fff7dcd000-3fff7dd0000 r--p 0004c000 08:03 471554 /lib64/libreadline.so.7.0
3fff7dd0000-3fff7dd6000 rw-p 0004f000 08:03 471554 /lib64/libreadline.so.7.0
3fff7dd6000-3fff7dd8000 rw-p 00000000 00:00 0
3fff7dd8000-3fff7dfd000 r-xp 00000000 08:03 444004 /lib64/ld-2.23.so
3fff7fd6000-3fff7fda000 rw-p 00000000 00:00 0
3fff7ff9000-3fff7ffa000 rw-p 00000000 00:00 0
3fff7ffa000-3fff7ffb000 rw-p 00000000 00:00 0
3fff7ffb000-3fff7ffc000 r-xp 00000000 00:00 0 [vdso]
3fff7ffc000-3fff7ffd000 r--p 00024000 08:03 444004 /lib64/ld-2.23.so
3fff7ffd000-3fff7ffe000 rw-p 00025000 08:03 444004 /lib64/ld-2.23.so
3fff7ffe000-3fff7fff000 rw-p 00000000 00:00 0
3fffffde000-3fffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r--p 00000000 00:00 0 [vsyscall]
[Inferior 1 (process 3271) exited normally]
(gdb)

Let me know if you need any more information or if you need me to compile
with debugging symbols enabled and do anything for you.
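
The crash above is triggered while `echo -e` expands a `\uHHHH` escape into UTF-8 before writing it. The C program below is an added example, not bash's code and not taken from this report; it implements the same expansion with a single, clearly owned output buffer (allocated once, freed once by the caller) so that a reader can see what a correct run of `echo -e "\u200b\n" | hexdump -C` should print (`e2 80 8b 0a`) and how the ownership is meant to work. The escape set it handles (`\u`, `\U`, `\n`, `\\`) and its choice to pass unknown escapes and invalid code points through literally are this example's own assumptions, not a statement about how bash's `echo` behaves.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one Unicode code point as UTF-8 into out (room for 4 bytes).
   Returns the number of bytes written, or 0 for an invalid code point
   (UTF-16 surrogates and anything above U+10FFFF). */
size_t utf8_encode(uint32_t cp, unsigned char *out) {
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Expand \uHHHH (up to 4 hex digits), \UHHHHHHHH (up to 8), \n and \\.
   Any other backslash sequence, and any \u/\U that names an invalid code
   point, is copied through literally (an assumption of this example).
   Returns a malloc'd buffer that the caller owns and must free exactly
   once; *out_len receives its byte length. Returns NULL if malloc fails. */
unsigned char *expand_echo_escapes(const char *s, size_t *out_len) {
    /* Expansion never grows the text: a 6-byte \uHHHH yields at most 3
       bytes and a 10-byte \UHHHHHHHH at most 4, so strlen+1 is enough. */
    unsigned char *buf = malloc(strlen(s) + 1);
    if (!buf) return NULL;
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; ) {
        if (s[i] != '\\') { buf[n++] = (unsigned char)s[i++]; continue; }
        char kind = s[i + 1];
        int maxdigits = (kind == 'u') ? 4 : (kind == 'U') ? 8 : 0;
        if (maxdigits) {
            uint32_t cp = 0;
            int d = 0;
            while (d < maxdigits && isxdigit((unsigned char)s[i + 2 + d])) {
                unsigned char c = (unsigned char)s[i + 2 + d];
                cp = cp * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
                d++;
            }
            if (d == 0) {                 /* "\u" with no digits: keep literal */
                buf[n++] = '\\';
                buf[n++] = (unsigned char)kind;
                i += 2;
                continue;
            }
            size_t w = utf8_encode(cp, buf + n);
            if (w == 0) {                 /* invalid code point: keep literal */
                memcpy(buf + n, s + i, (size_t)(2 + d));
                n += (size_t)(2 + d);
            } else {
                n += w;
            }
            i += (size_t)(2 + d);
        } else if (kind == 'n') {
            buf[n++] = '\n';
            i += 2;
        } else if (kind == '\\') {
            buf[n++] = '\\';
            i += 2;
        } else {                          /* unknown escape: copy the backslash */
            buf[n++] = '\\';
            i += 1;
        }
    }
    buf[n] = '\0';
    *out_len = n;
    return buf;
}

int main(void) {
    size_t n;
    /* Same input as the echo -e half of the reproducer script above. */
    unsigned char *out = expand_echo_escapes("\\u200b\\n", &n);
    if (!out) return 1;
    for (size_t i = 0; i < n; i++) printf("%02x ", out[i]);  /* e2 80 8b 0a */
    printf("\n");
    free(out);  /* single owner, single free */
    return 0;
}
```

Compile with `cc -Wall -o expand expand.c && ./expand`; running it under a malloc checker (for example `valgrind ./expand`) is a quick way to confirm that the buffer is released exactly once, which is the property the report's backtrace shows being violated inside `echo_builtin`.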



