
Re: Segmentation fault in lib/readline/undo.c - rl_do_undo


From: Eduardo A. Bustamante López
Subject: Re: Segmentation fault in lib/readline/undo.c - rl_do_undo
Date: Mon, 7 Jan 2019 02:07:48 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

On Mon, Jan 07, 2019 at 01:16:05AM -0800, Eduardo A. Bustamante López wrote:
> I found this with AFL. I think it's related to the problem reported here:
> http://lists.nongnu.org/archive/html/bug-bash/2018-09/msg00045.html
> 
> debian@debian-fuzz:/mnt$ cat -A rl_do_undo
> 

Heh, I forgot to minimize the test case:

debian@debian-fuzz:/mnt$ cat -A rl_do_undo 
0^X^E0^P^P^P^X^E\^O^P^P

debian@debian-fuzz:/mnt$ base64 < rl_do_undo 
MBgFMBAQEBgFXA8QEA==

Also, running it with ASAN provides more information:

debian@debian-fuzz:/mnt$ ~/build-asan/bash --noprofile --norc -c 'PATH= read -e < rl_do_undo'
hi
0
/home/debian/build-asan/bash: emacs: No such file or directory
0
/home/debian/build-asan/bash: emacs: No such file or directory
\
0
=================================================================
==29290==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004018 at pc 0x0000007d7508 bp 0x7ffe9530f5c0 sp 0x7ffe9530f5b8
READ of size 4 at 0x603000004018 thread T0
    #0 0x7d7507 in rl_do_undo /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:188:25
    #1 0x7d8682 in rl_revert_line /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:341:2
    #2 0x767dd3 in readline_internal_teardown /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:471:7
    #3 0x7678b0 in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:672:11
    #4 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11
    #5 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9
    #6 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16
    #7 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13
    #8 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14
    #9 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13
    #10 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4
    #11 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17
    #12 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12
    #13 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7
    #14 0x7f194ff8c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #15 0x43fa39 in _start (/home/debian/build-asan/bash+0x43fa39)

0x603000004018 is located 24 bytes inside of 32-byte region [0x603000004000,0x603000004020)
freed by thread T0 here:
    #0 0x4e7502 in __interceptor_free (/home/debian/build-asan/bash+0x4e7502)
    #1 0x6c2bbf in xfree /home/debian/build-asan/../bash-5.0-rc1/xmalloc.c:150:5
    #2 0x7d7036 in _rl_free_undo_list /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:113:7
    #3 0x7d7070 in rl_free_undo_list /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:124:3
    #4 0x767e6a in readline_internal_teardown /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:485:5
    #5 0x7678b0 in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:672:11
    #6 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11
    #7 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9
    #8 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16
    #9 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13
    #10 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14
    #11 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13
    #12 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4
    #13 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17
    #14 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12
    #15 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7
    #16 0x7f194ff8c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
    #0 0x4e7883 in malloc (/home/debian/build-asan/bash+0x4e7883)
    #1 0x6c2aa0 in xmalloc /home/debian/build-asan/../bash-5.0-rc1/xmalloc.c:114:10
    #2 0x7d6dc4 in alloc_undo_entry /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:77:23
    #3 0x7d6d46 in rl_add_undo /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:94:10
    #4 0x7e23ce in rl_insert_text /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/text.c:112:2
    #5 0x7e6f46 in _rl_insert_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/text.c:890:7
    #6 0x7e78f4 in rl_insert /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/text.c:939:42
    #7 0x769abd in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:852:8
    #8 0x76899a in _rl_dispatch /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:798:10
    #9 0x76882f in readline_internal_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:632:11
    #10 0x76ce7f in readline_internal_charloop /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:659:11
    #11 0x76789d in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:671:19
    #12 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11
    #13 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9
    #14 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16
    #15 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13
    #16 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14
    #17 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13
    #18 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4
    #19 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17
    #20 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12
    #21 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7
    #22 0x7f194ff8c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/undo.c:188:25 in rl_do_undo
==29290==ABORTING
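
To rebuild the minimized test case from the two listings in the mail, here is an added helper (not from the mail and not part of bash or readline) that inverts the `cat -A` notation back into bytes, cross-checks the result against the base64 copy, and names each byte in plain C-x notation; the key names are only that notation, not the bindings bash attaches to those keys.

```python
import base64

# Both listings are copied from the mail; the file has no trailing newline.
CAT_A_LISTING = "0^X^E0^P^P^P^X^E\\^O^P^P"
BASE64_LISTING = "MBgFMBAQEBgFXA8QEA=="

def decode_cat_a(listing: str) -> bytes:
    """Invert GNU `cat -A` (-vET) notation: ^X is a control byte (ord('X')-64,
    ^? is DEL), M-x sets the high bit of x, '$' at end of line is a newline.
    The notation is lossy (a literal "^X" prints the same way), so cross-check
    the result against a second encoding whenever one is available."""
    out = bytearray()
    i, n = 0, len(listing)
    while i < n:
        high = 0
        if listing.startswith("M-", i) and i + 2 < n:
            high, i = 0x80, i + 2
        ch = listing[i]
        if ch == "^" and i + 1 < n:
            nxt = listing[i + 1]
            if nxt == "?":
                byte = 0x7F
            elif 64 <= ord(nxt) <= 95:      # '@'..'_' name 0x00..0x1F
                byte = ord(nxt) - 64
            else:
                raise ValueError("bad control escape at offset %d" % i)
            i += 2
        elif ch == "$" and (i + 1 == n or listing[i + 1] == "\n"):
            byte, i = 0x0A, i + 2           # '$' plus the newline itself
        else:
            byte, i = ord(ch), i + 1
        out.append(byte | high)
    return bytes(out)

def testcase_bytes() -> bytes:
    """Return the reproducer, insisting that both listings agree."""
    from_cat = decode_cat_a(CAT_A_LISTING)
    from_b64 = base64.b64decode(BASE64_LISTING)
    if from_cat != from_b64:
        raise ValueError("listings disagree: %r vs %r" % (from_cat, from_b64))
    return from_cat

def as_keystrokes(data: bytes) -> str:
    """Name each byte the way readline users do: C-x, M-x, DEL, or itself."""
    def name(b):
        low = b & 0x7F                      # 0x18 -> C-x, 0x05 -> C-e
        key = ("DEL" if low == 0x7F else
               "C-" + chr(low + 96) if low < 0x20 else chr(low))
        return ("M-" if b & 0x80 else "") + key
    return " ".join(name(b) for b in data)
```

Writing `testcase_bytes()` to a file gives the same `rl_do_undo` input used above, so the ASAN run can be repeated without retyping control characters.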
