bug-bash

Buffer overflow in string_extract_double_quoted - subst.c


From: Eduardo A . Bustamante López
Subject: Buffer overflow in string_extract_double_quoted - subst.c
Date: Mon, 7 Jan 2019 02:02:24 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

Found by fuzzing `read -e' with AFL:

debian@debian-fuzz:/mnt$ cat -A dispose_word 
"^[^EM-b^_M-u$$(M-J^^_^Q$
^[^E

debian@debian-fuzz:/mnt$ base64 < dispose_word 
IhsF4h/1JCQoyl4fEQobBQ==

debian@debian-fuzz:/mnt$ LC_ALL=zh_CN.gbk ~/build-gdb/bash --noprofile --norc -c 'PATH= read -e < dispose_word'
hi
"��$$(
TRACE: pid 15530: xparse_dolparen:0: base[5] != RPAREN (40), base = `"��$$(
'
TRACE: pid 15530: xparse_dolparen:0: *indp (5) < orig_ind (6), orig_string = `
'

malloc: ../bash-5.0-rc1/dispose_cmd.c:249: assertion botched
malloc: 0x55d956dc4de8: allocated: last allocated from ../bash-5.0-rc1/subst.c:866
free: start and end chunk sizes differ
Aborting...Aborted

(...)

Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7df4535 in __GI_abort () at abort.c:79
#2  0x00005555555b39b5 in programming_error (format=0x555555686bd8 "free: start and end chunk sizes differ") at ../bash-5.0-rc1/error.c:175
#3  0x000055555566523d in xbotch (mem=0x555555765da8, e=8, s=0x555555686bd8 "free: start and end chunk sizes differ", file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:354
#4  0x000055555566648e in internal_free (mem=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249, flags=1) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:960
#5  0x0000555555667006 in sh_free (mem=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:1321
#6  0x00005555556001f4 in sh_xfree (string=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../bash-5.0-rc1/xmalloc.c:223
#7  0x000055555559d860 in dispose_word (w=0x555555761da8) at ../bash-5.0-rc1/dispose_cmd.c:249
#8  0x00005555555d6ef5 in expand_word_internal (word=0x555555761e08, quoted=0, isexp=0, contains_dollar_at=0x0, expanded_something=0x0) at ../bash-5.0-rc1/subst.c:10189
#9  0x00005555555c84dd in call_expand_word_internal (w=0x555555761e08, q=0, i=0, c=0x0, e=0x0) at ../bash-5.0-rc1/subst.c:3684
#10 0x00005555555c8b94 in expand_word (word=0x555555761e08, quoted=0) at ../bash-5.0-rc1/subst.c:3978
#11 0x00005555555f35b6 in shell_expand_line (count=1, ignore=5) at ../bash-5.0-rc1/bashline.c:2755
#12 0x0000555555639ed4 in _rl_dispatch_subseq (key=5, map=0x5555556ac220 <emacs_meta_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:852
#13 0x000055555563a399 in _rl_dispatch_subseq (key=27, map=0x5555556ab200 <emacs_standard_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:986
#14 0x0000555555639c4b in _rl_dispatch (key=-136275877, map=0x5555556ab200 <emacs_standard_keymap>) at ../../../bash-5.0-rc1/lib/readline/readline.c:798
#15 0x00005555556398ce in readline_internal_char () at ../../../bash-5.0-rc1/lib/readline/readline.c:632
#16 0x0000555555639929 in readline_internal_charloop () at ../../../bash-5.0-rc1/lib/readline/readline.c:659
#17 0x0000555555639949 in readline_internal () at ../../../bash-5.0-rc1/lib/readline/readline.c:671
#18 0x0000555555639367 in readline (prompt=0x555555680f84 "") at ../../../bash-5.0-rc1/lib/readline/readline.c:377
#19 0x0000555555611bcf in edit_line (p=0x555555680f84 "", itext=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107
#20 0x00005555556108f8 in read_builtin (list=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566
#21 0x00005555555a5afa in execute_builtin (builtin=0x55555560fa73 <read_builtin>, words=0x555555761e68, flags=0, subshell=0) at ../bash-5.0-rc1/execute_cmd.c:4706
#22 0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555761e68, builtin=0x55555560fa73 <read_builtin>, var=0x0, redirects=0x555555761bc8, fds_to_close=0x555555761ba8, flags=0) at ../bash-5.0-rc1/execute_cmd.c:5214
#23 0x00005555555a5365 in execute_simple_command (simple_command=0x555555761a88, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555761ba8) at ../bash-5.0-rc1/execute_cmd.c:4476
#24 0x000055555559e9f4 in execute_command_internal (command=0x555555761a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555761ba8) at ../bash-5.0-rc1/execute_cmd.c:842
#25 0x000055555560858a in parse_and_execute (string=0x555555761688 "PATH= read -e < dispose_word", from_file=0x5555556690f0 "-c", flags=4) at ../../bash-5.0-rc1/builtins/evalstring.c:436
#26 0x000055555558564a in run_one_command (command=0x7fffffffe28c "PATH= read -e < dispose_word") at ../bash-5.0-rc1/shell.c:1426
#27 0x0000555555584789 in main (argc=5, argv=0x7fffffffdfe8, env=0x7fffffffe018) at ../bash-5.0-rc1/shell.c:741

(gdb) frame 7
#7  0x000055555559d860 in dispose_word (w=0x555555761da8) at ../bash-5.0-rc1/dispose_cmd.c:249
249       FREE (w->word);
(gdb) l
244     /* How to free a WORD_DESC. */
245     void
246     dispose_word (w)
247          WORD_DESC *w;
248     {
249       FREE (w->word);
250       ocache_free (wdcache, WORD_DESC, w);
251     }
252
253     /* Free a WORD_DESC, but not the word contained within. */
(gdb) p w
$1 = (WORD_DESC *) 0x555555761da8
(gdb) p *w
$2 = {word = 0x555555765da8 "��$$((\n", flags = 0}


Running it on an ASAN enabled bash:

debian@debian-fuzz:/mnt$ LC_ALL=zh_CN.gbk ~/build-asan/bash --noprofile --norc -c 'PATH= read -e < dispose_word'
hi
"��$$(
TRACE: pid 29276: xparse_dolparen:0: base[5] != RPAREN (40), base = `"��$$(
'
TRACE: pid 29276: xparse_dolparen:0: *indp (5) < orig_ind (6), orig_string = `
'
=================================================================
==29276==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000055b7 at pc 0x00000061f92f bp 0x7ffcd0b6c5f0 sp 0x7ffcd0b6c5e8
WRITE of size 1 at 0x6020000055b7 thread T0
    #0 0x61f92e in string_extract_double_quoted /home/debian/build-asan/../bash-5.0-rc1/subst.c:995:11
    #1 0x603b8e in expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:10149:11
    #2 0x5fb4a0 in call_expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:3684:12
    #3 0x608478 in expand_word /home/debian/build-asan/../bash-5.0-rc1/subst.c:3978:13
    #4 0x68b396 in shell_expand_line /home/debian/build-asan/../bash-5.0-rc1/bashline.c:2755:25
    #5 0x769abd in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:852:8
    #6 0x76a76e in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:986:8
    #7 0x76899a in _rl_dispatch /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:798:10
    #8 0x76882f in readline_internal_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:632:11
    #9 0x76ce7f in readline_internal_charloop /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:659:11
    #10 0x76789d in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:671:19
    #11 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11
    #12 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9
    #13 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16
    #14 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13
    #15 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14
    #16 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13
    #17 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4
    #18 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17
    #19 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12
    #20 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7
    #21 0x7f697e24009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #22 0x43fa39 in _start (/home/debian/build-asan/bash+0x43fa39)

0x6020000055b7 is located 0 bytes to the right of 7-byte region [0x6020000055b0,0x6020000055b7)
allocated by thread T0 here:
    #0 0x4e7883 in malloc (/home/debian/build-asan/bash+0x4e7883)
    #1 0x6c2aa0 in xmalloc /home/debian/build-asan/../bash-5.0-rc1/xmalloc.c:114:10
    #2 0x61e905 in string_extract_double_quoted /home/debian/build-asan/../bash-5.0-rc1/subst.c:866:18
    #3 0x603b8e in expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:10149:11
    #4 0x5fb4a0 in call_expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:3684:12
    #5 0x608478 in expand_word /home/debian/build-asan/../bash-5.0-rc1/subst.c:3978:13
    #6 0x68b396 in shell_expand_line /home/debian/build-asan/../bash-5.0-rc1/bashline.c:2755:25
    #7 0x769abd in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:852:8
    #8 0x76a76e in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:986:8
    #9 0x76899a in _rl_dispatch /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:798:10
    #10 0x76882f in readline_internal_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:632:11
    #11 0x76ce7f in readline_internal_charloop /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:659:11
    #12 0x76789d in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:671:19
    #13 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11
    #14 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9
    #15 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16
    #16 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13
    #17 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14
    #18 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13
    #19 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4
    #20 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17
    #21 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12
    #22 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7
    #23 0x7f697e24009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/debian/build-asan/../bash-5.0-rc1/subst.c:995:11 in string_extract_double_quoted
Shadow bytes around the buggy address:
  0x0c047fff8a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8a70: fa fa 00 07 fa fa 01 fa fa fa fd fa fa fa fd fa
  0x0c047fff8a80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8aa0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8ab0: fa fa 00 fa fa fa[07]fa fa fa fd fd fa fa 03 fa
  0x0c047fff8ac0: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29276==ABORTING

Oops:

debian@debian-fuzz:/mnt$ cat -n /home/debian/build-asan/../bash-5.0-rc1/subst.c | sed -n '990,997p'
   990            continue;
   991          }
   992  
   993        break;
   994      }
   995    temp[j] = '\0';
   996  
   997    /* Point to after the closing quote. */



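The following is a model of the overflow pattern the report above exhibits, added here as an example. It is not bash's code and none of its names are bash's; the input line, the buffer type and the sub-parser stub are constructed. Its one assumption about the mechanism is drawn from the report itself: the TRACE lines show xparse_dolparen handing back a resume index one position before where it started (`*indp (5) < orig_ind (6)`), and the word bash freed in the gdb session contains `((` although the input line has a single `(`. If the `(` is emitted once as part of the `$(` prefix and then copied a second time from the resume index, a buffer sized for a single pass over the remaining input (the model assumes `1 + slen - start` for the allocation the ASAN report attributes to subst.c:866) is one byte short, and the terminating NUL store becomes the first out-of-bounds write, which is what ASAN reported at subst.c:995. The naive variant counts rather than performs the out-of-bounds store so the demo is itself memory-safe; the hardened variant bounds every store and grows the buffer.

```c
/* Added example modelling the overflow pattern in the report; not bash's code.
 * Names, the input line and the rewinding sub-parser are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct outbuf {
    char  *buf;     /* destination text */
    size_t cap;     /* bytes allocated */
    size_t len;     /* bytes stored so far */
    size_t overrun; /* stores that would have gone past cap (counted, not performed) */
    int    grow;    /* hardened mode: realloc instead of overrunning */
};

/* Store one byte. In naive mode an out-of-bounds store is counted rather than
 * performed so this demo stays memory-safe; bash had no such check, so the real
 * store hit the heap (ASAN's "WRITE of size 1"). */
static void put(struct outbuf *o, char c)
{
    if (o->len >= o->cap) {
        if (!o->grow) { o->overrun++; return; }
        o->cap = o->cap * 2 + 1;
        char *p = realloc(o->buf, o->cap);
        if (!p) abort();
        o->buf = p;
    }
    o->buf[o->len++] = c;
}

/* Constructed stand-in for the "$(" sub-parser; lparen is the index of '('.
 * With a matching ')' it returns the index just past it. Without one it returns
 * lparen itself (assumption modelled on the trace's "*indp (5) < orig_ind (6)"),
 * so the caller copies the '(' a second time, matching the doubled '(' in the
 * word shown in the gdb session. */
static size_t parse_dolparen(const char *s, size_t slen, size_t lparen)
{
    for (size_t i = lparen + 1; i < slen; i++)
        if (s[i] == ')')
            return i + 1;
    return lparen;
}

/* Copy the body of a double-quoted string starting at s[start] (just after the
 * opening quote) into o, until a closing '"' or end of input, passing "$(...)"
 * through verbatim. cap assumes every input byte is emitted at most once plus a
 * NUL; a resume index that moves backwards breaks that assumption. */
static void extract_dq(const char *s, size_t slen, size_t start,
                       struct outbuf *o, int hardened)
{
    memset(o, 0, sizeof *o);
    o->cap  = 1 + slen - start;
    o->buf  = malloc(o->cap);
    o->grow = hardened;
    if (!o->buf) abort();

    size_t i = start;
    while (i < slen && s[i] != '"') {
        if (s[i] == '$' && i + 1 < slen && s[i + 1] == '(') {
            size_t lparen = i + 1;
            size_t resume = parse_dolparen(s, slen, lparen);
            put(o, '$');
            put(o, '(');
            for (size_t k = lparen + 1; k < resume; k++) /* body and ')' if any */
                put(o, s[k]);
            i = resume;
            continue;
        }
        put(o, s[i++]);
    }
    put(o, '\0'); /* the store ASAN flagged at subst.c:995 in the report */
}

/* Out-of-bounds stores the single-pass-sized buffer would suffer on `line`. */
size_t naive_overrun(const char *line, size_t slen)
{
    struct outbuf o;
    extract_dq(line, slen, 1, &o, 0);
    size_t n = o.overrun;
    free(o.buf);
    return n;
}

/* 1 if the hardened extractor yields exactly `expect` without any overrun. */
int hardened_yields(const char *line, size_t slen, const char *expect)
{
    struct outbuf o;
    extract_dq(line, slen, 1, &o, 1);
    int ok = o.overrun == 0 && strcmp(o.buf, expect) == 0;
    free(o.buf);
    return ok;
}

int main(void)
{
    /* Constructed line shaped like the report's: "$$(" with no ')' before the newline. */
    static const char line[] = "\"ab$$(\n";
    printf("naive sizing: %zu out-of-bounds store(s)\n", naive_overrun(line, sizeof line - 1));
    printf("hardened ok: %d\n", hardened_yields(line, sizeof line - 1, "ab$$((\n"));
    return 0;
}
```

Two things to take from running it. First, the naive variant fills all seven bytes with text and the single overrun is the NUL terminator, the same off-by-one shape as the ASAN report (a 7-byte region, write at offset 7 from the `temp[j] = '\0'` line). Second, the hardened variant still produces the doubled `(`: bounds-checking the output buffer prevents the memory corruption but is defense in depth only, and the index handling in the sub-parser is the defect that actually has to be fixed.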