bug-bash

Heap buffer overread in token_is_assignment


From: jeremy
Subject: Heap buffer overread in token_is_assignment
Date: Tue, 20 Feb 2018 21:07:57 +0100
User-agent: Mutt/1.9.3 (2018-01-21)
Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: afl-gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' 
-DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -fsanitize=address 
-Wno-parentheses -Wno-format-security
uname output: Linux jefeus-vm 4.9.0-4-686-pae #1 SMP Debian 4.9.65-3+deb9u1 
(2017-12-23) i686 GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

Description:
        When calling bash -e <file> (where <file> is the attached file), a heap
buffer overread occurs in token_is_assignment at parse.y:4657. (It may be
interesting to note that the attached file consists of an arbitrary character,
an ampersand and 496 "=" signs, whereby 496 = 2^9 - 16.) Below is a detailed
backtrace of this bug:

=================================================================
==22011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4b02570 at pc 0x00575be1 bp 0xbfe86508 sp 0xbfe864fc
READ of size 1 at 0xb4b02570 thread T0
    #0 0x575be0 in token_is_assignment parse.y:4657
    #1 0x575be0 in read_token_word parse.y:4961
    #2 0x555d6a in read_token parse.y:3296
    #3 0x55c226 in yylex parse.y:2675
    #4 0x55c226 in yyparse /home/jefeus/bash/y.tab.c:1834
    #5 0x536820 in parse_command /home/jefeus/bash/eval.c:261
    #6 0x536820 in read_command /home/jefeus/bash/eval.c:305
    #7 0x537684 in reader_loop /home/jefeus/bash/eval.c:149
    #8 0x52d44c in main /home/jefeus/bash/shell.c:792
    #9 0xb6ffc455 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18455)
    #10 0x533cef  (/home/jefeus/bash/bash+0x62cef)

0xb4b02570 is located 0 bytes to the right of 496-byte region [0xb4b02380,0xb4b02570)
allocated by thread T0 here:
    #0 0xb72a9e74 in malloc (/usr/lib/i386-linux-gnu/libasan.so.4+0xdee74)
    #1 0x7d8bd0 in xrealloc /home/jefeus/bash/xmalloc.c:133

SUMMARY: AddressSanitizer: heap-buffer-overflow parse.y:4657 in token_is_assignment
Shadow bytes around the buggy address:
  0x36960450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36960460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36960470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36960480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36960490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x369604a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x369604b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369604c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369604d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369604e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369604f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22011==ABORTING

Repeat-By:
        In order to get bash to run with the compiler flags mentioned
above, one must add --without-bash-malloc, or else bash segfaults on
startup.

Attachment: min
Description: Text document
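The report above is a typical AddressSanitizer heap-buffer-overflow record, and the first thing a triager does with one is to pull out the access (READ of size 1), the faulting frame, the allocation site, and the geometry of the access relative to the region, then check that ASan's "0 bytes to the right of 496-byte region" sentence agrees with the bounds it prints. The following script does exactly that for the report in this thread. It is an added example, not part of the original report and not bash's code; the sample report embedded in it is the ASan output above re-typed with the mail client's line wrapping undone, and the bug-class labels it assigns are this example's own.

```python
"""Triage an AddressSanitizer heap-buffer-overflow report.

Added example for this thread (not part of the original report or of bash):
parses the key lines of the ASan output above and derives what a triager
wants first: access kind and size, the faulting frame, the allocation site,
and where the access landed relative to the region, cross-checking ASan's
"N bytes to the right" sentence against the region bounds it prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines of the report quoted in this thread,
# with the mail client's line wrapping undone.
SAMPLE_REPORT = """\
==22011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4b02570 at pc 0x00575be1 bp 0xbfe86508 sp 0xbfe864fc
READ of size 1 at 0xb4b02570 thread T0
    #0 0x575be0 in token_is_assignment parse.y:4657
    #1 0x575be0 in read_token_word parse.y:4961
    #2 0x555d6a in read_token parse.y:3296
0xb4b02570 is located 0 bytes to the right of 496-byte region [0xb4b02380,0xb4b02570)
allocated by thread T0 here:
    #0 0xb72a9e74 in malloc (/usr/lib/i386-linux-gnu/libasan.so.4+0xdee74)
    #1 0x7d8bd0 in xrealloc /home/jefeus/bash/xmalloc.c:133
SUMMARY: AddressSanitizer: heap-buffer-overflow parse.y:4657 in token_is_assignment
"""

HEX = r"0x[0-9a-fA-F]+"
ERROR_RE = re.compile(rf"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>{HEX})")
ACCESS_RE = re.compile(rf"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>{HEX})", re.M)
FRAME_RE = re.compile(rf"^\s*#\d+ {HEX} in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    rf"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    rf"(?P<size>\d+)-byte region \[(?P<lo>{HEX}),(?P<hi>{HEX})\)")

# Allocator entry points ASan lists first in the allocation stack; the
# interesting allocation site is the first caller after them.
ALLOCATOR_NAMES = {"malloc", "calloc", "realloc", "operator new", "operator new[]"}

Frame = Tuple[str, str]  # (function, file:line or module+offset)


@dataclass
class Triage:
    kind: str
    op: str
    access_size: int
    fault_addr: int
    frames: List[Frame]          # faulting stack, innermost first
    region_lo: int
    region_hi: int
    region_size: int             # size as ASan states it
    side: str                    # "left" or "right"
    distance: int                # distance as ASan states it
    alloc_caller: Optional[Frame]

    @property
    def computed_region_size(self) -> int:
        return self.region_hi - self.region_lo

    @property
    def computed_distance(self) -> int:
        # ASan measures "right" from the region end and "left" from its start.
        if self.side == "right":
            return self.fault_addr - self.region_hi
        return self.region_lo - self.fault_addr

    @property
    def consistent(self) -> bool:
        """True when ASan's prose agrees with the bounds it printed."""
        return (self.computed_region_size == self.region_size
                and self.computed_distance == self.distance)


def parse_frames(text: str) -> List[Frame]:
    return [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)]


def triage(report: str) -> Triage:
    # Everything before "allocated by" describes the access; after it, the allocation.
    head, _, alloc = report.partition("allocated by thread")
    err, acc, reg = ERROR_RE.search(head), ACCESS_RE.search(head), REGION_RE.search(head)
    if not (err and acc and reg):
        raise ValueError("not a heap-buffer-overflow report with a region description")
    alloc_caller = next(((f, l) for f, l in parse_frames(alloc) if f not in ALLOCATOR_NAMES), None)
    return Triage(
        kind=err["kind"], op=acc["op"], access_size=int(acc["size"]),
        fault_addr=int(acc["addr"], 16), frames=parse_frames(head),
        region_lo=int(reg["lo"], 16), region_hi=int(reg["hi"], 16),
        region_size=int(reg["size"]), side=reg["side"], distance=int(reg["dist"]),
        alloc_caller=alloc_caller,
    )


def classify(t: Triage) -> str:
    """Coarse bug-class label from the geometry of the access (this example's own labels)."""
    if t.side == "left":
        return "underflow before start"
    if t.distance == 0 and t.access_size == 1:
        return "off-by-one past end"
    return "overflow past end"


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    func, loc = t.frames[0]
    print(f"{t.kind}: {t.op} of {t.access_size} byte(s) in {func} ({loc})")
    print(f"region {t.region_size} bytes [{t.region_lo:#x},{t.region_hi:#x}), "
          f"access {t.distance} byte(s) to the {t.side}; consistent={t.consistent}")
    print(f"allocated from {t.alloc_caller}; class: {classify(t)}")
```

For this report the region arithmetic checks out (0xb4b02570 - 0xb4b02380 = 0x1f0 = 496, and the faulting address equals the region end), so the tool labels it a one-byte read immediately past the end of a 496-byte block allocated through xrealloc at xmalloc.c:133, which is the shape to look for in the look-ahead at parse.y:4657 when the token buffer is exactly full.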

