bug-bash
From: Eduardo A . Bustamante López
Subject: AddressSanitizer: heap-use-after-free on (...) in rl_do_undo ../../../bash-devel/lib/readline/undo.c:188
Date: Wed, 6 Feb 2019 09:14:01 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

I found another issue in rl_do_undo, but I haven't been successful in figuring 
out how it happens.

I've been working with the `devel' branch, commit 
`8a9718cfc93958b34e205d0507c3bbf64cba6db5'

Here's how I built the binaries I use below:

debian@debian-fuzz:~/tmp$ cat ~/build.sh 
#!/bin/bash
mkdir build-devel{,-asan,-gdb}
(cd build-devel      && CFLAGS='' CC='afl-clang-fast' ../bash-devel/configure --silent --without-bash-malloc && make -sj$(nproc))
(cd build-devel-asan && CFLAGS='-O0 -ggdb -fno-omit-frame-pointer -fsanitize=address ' ../bash-devel/configure --silent --without-bash-malloc && make -sj$(nproc))
(cd build-devel-gdb  && CFLAGS='-O0 -ggdb -fno-omit-frame-pointer ' ../bash-devel/configure --silent --without-bash-malloc && make -sj$(nproc))

This is the input to `read -e':

debian@debian-fuzz:~/tmp$ base64 < o
MBgFEBAQDhUwEBgoHx8wEDAYRRQbEDAYBTAYRQ4=

debian@debian-fuzz:~/tmp$ cat -A o
0^X^E^P^P^P^N^U0^P^X(^_^_0^P0^XE^T^[^P0^X^E0^XE^N


My poor attempt of a trace under GDB:

debian@debian-fuzz:~/tmp$ gdb --batch --command=trace_rl_undo.gdb --args ~/build-devel-gdb/bash --noprofile --norc -c 'EDITOR=: PATH= read -e < o' > out.txt 2>&1
(no output)
-------------------------------------------------------------------------------

dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat out.txt 
0
0
/tmp/bash-fc.9lfkNE: line 1: 0: No such file or directory
000
000
/tmp/bash-fc.HkVuNJ: line 1: 000: No such file or directory
0000readline: maximum macro execution nesting level exceeded

munmap_chunk(): invalid pointer
-------------------------------------------------------------------------------


dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat gdb.txt 
Temporary breakpoint 1 at 0x2eea9: file ../bash-devel/shell.c, line 392.

Temporary breakpoint 1, main (argc=5, argv=0x7fffffffdfd8, env=0x7fffffffe008) 
at ../bash-devel/shell.c:392
392       code = setjmp_nosigs (top_level);
Breakpoint 2 at 0x55555565004c: file ../../../bash-devel/lib/readline/undo.c, 
line 177.
[Detaching after fork from child process 588]

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
(... snip ...)

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$625 = "~~~ print_rl_undo_list>"
$626 = 0
$627 = (UNDO_LIST *) 0x5555556f9e50
$628 = (struct undo_list *) 0x5555556fa6f0
$629 = 0x0
$630 = 1
$631 = (struct undo_list *) 0x5555556fa6f0
$632 = (struct undo_list *) 0x0
$633 = 0x0
$634 = "~~~ print_the_history>"
$635 = 0
$636 = (HIST_ENTRY *) 0x5555556fa720
$637 = 0x5555556debd0 "000"
$638 = 0
$639 = (UNDO_LIST *) 0x5555556fa6f0
$640 = (struct undo_list *) 0x0
$641 = 0x0
$642 = 1
$643 = (HIST_ENTRY *) 0x5555556fa7b0
$644 = 0x5555556f89a0 "0"
$645 = 0
$646 = (UNDO_LIST *) 0x5555556fa330
$647 = (struct undo_list *) 0x5555556fa3d0
$648 = 0x0
$649 = 1
$650 = (struct undo_list *) 0x5555556fa3d0
$651 = (struct undo_list *) 0x5555556f9f00
$652 = 0x5555556de940 "\360\237oUUU"
$653 = 2
$654 = (struct undo_list *) 0x5555556f9f00
$655 = (struct undo_list *) 0x0
$656 = 0x5555556fa750 " "
$657 = 2
$658 = (HIST_ENTRY *) 0x5555556fa2c0
$659 = 0x5555556f85f0 "0000"
$660 = 0
$661 = (UNDO_LIST *) 0x5555556f90e0
$662 = (struct undo_list *) 0x0
$663 = 0x0
$664 = 3
$665 = (HIST_ENTRY *) 0x5555556f9130
$666 = 0x5555556fa6d0 "0000"
$667 = 0
$668 = (UNDO_LIST *) 0x5555556f90b0
$669 = (struct undo_list *) 0x0
$670 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504fd in rl_undo_command (count=1, key=31) at 
../../../bash-devel/lib/readline/undo.c:358
#2  0x0000555555633b75 in _rl_dispatch_subseq (key=31, map=0x55555569f200 
<emacs_standard_keymap>, got_subseq=0) at 
../../../bash-devel/lib/readline/readline.c:852
#3  0x00005555556338ec in _rl_dispatch (key=1433265360, map=0x55555569f200 
<emacs_standard_keymap>) at ../../../bash-devel/lib/readline/readline.c:798
#4  0x000055555563356f in readline_internal_char () at 
../../../bash-devel/lib/readline/readline.c:632
#5  0x00005555556335ca in readline_internal_charloop () at 
../../../bash-devel/lib/readline/readline.c:659
#6  0x00005555556335ea in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:671
#7  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#8  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#9  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#10 0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#11 0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#12 0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#13 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#14 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#15 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#16 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
(... snip ...)

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$1559 = "~~~ print_rl_undo_list>"
$1560 = 0
$1561 = (UNDO_LIST *) 0x5555556fa3d0
$1562 = (struct undo_list *) 0x5555556f9f00
$1563 = 0x5555556de940 "\340\221oUUU"
$1564 = 1
$1565 = (struct undo_list *) 0x5555556f9f00
$1566 = (struct undo_list *) 0x0
$1567 = 0x5555556fa750 " "
$1568 = "~~~ print_the_history>"
$1569 = 0
$1570 = (HIST_ENTRY *) 0x5555556becd0
$1571 = 0x5555556bed70 "0000"
$1572 = 0
$1573 = (UNDO_LIST *) 0x5555556f9e50
$1574 = (struct undo_list *) 0x5555556fa6f0
$1575 = 0x0
$1576 = 1
$1577 = (struct undo_list *) 0x5555556fa6f0
$1578 = (struct undo_list *) 0x0
$1579 = 0x0
$1580 = 1
$1581 = (HIST_ENTRY *) 0x5555556f96c0
$1582 = 0x5555556f96a0 ""
$1583 = 0
$1584 = (UNDO_LIST *) 0x5555556fa3d0
$1585 = (struct undo_list *) 0x5555556f9f00
$1586 = 0x5555556de940 "\340\221oUUU"
$1587 = 1
$1588 = (struct undo_list *) 0x5555556f9f00
$1589 = (struct undo_list *) 0x0
$1590 = 0x5555556fa750 " "
$1591 = 2
$1592 = (HIST_ENTRY *) 0x5555556fa2c0
$1593 = 0x5555556f85f0 "0000"
$1594 = 0
$1595 = (UNDO_LIST *) 0x5555556f90e0
$1596 = (struct undo_list *) 0x0
$1597 = 0x0
$1598 = 3
$1599 = (HIST_ENTRY *) 0x5555556f9130
$1600 = 0x5555556fa6d0 "0000"
$1601 = 0
$1602 = (UNDO_LIST *) 0x5555556f90b0
$1603 = (struct undo_list *) 0x0
$1604 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#2  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#3  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#4  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#5  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#6  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#7  0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#8  0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#9  0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#10 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#11 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#12 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#13 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$1605 = "~~~ print_rl_undo_list>"
$1606 = 0
$1607 = (UNDO_LIST *) 0x5555556f9f00
$1608 = (struct undo_list *) 0x0
$1609 = 0x5555556fa750 " "
$1610 = "~~~ print_the_history>"
$1611 = 0
$1612 = (HIST_ENTRY *) 0x5555556becd0
$1613 = 0x5555556bed70 "0000"
$1614 = 0
$1615 = (UNDO_LIST *) 0x5555556f9e50
$1616 = (struct undo_list *) 0x5555556fa6f0
$1617 = 0x0
$1618 = 1
$1619 = (struct undo_list *) 0x5555556fa6f0
$1620 = (struct undo_list *) 0x0
$1621 = 0x0
$1622 = 1
$1623 = (HIST_ENTRY *) 0x5555556de940
$1624 = 0x5555556fa7b0 "\340\221oUUU"
$1625 = 0
$1626 = (UNDO_LIST *) 0x5555556f9f00
$1627 = (struct undo_list *) 0x0
$1628 = 0x5555556fa750 " "
$1629 = 2
$1630 = (HIST_ENTRY *) 0x5555556fa2c0
$1631 = 0x5555556f85f0 "0000"
$1632 = 0
$1633 = (UNDO_LIST *) 0x5555556f90e0
$1634 = (struct undo_list *) 0x0
$1635 = 0x0
$1636 = 3
$1637 = (HIST_ENTRY *) 0x5555556f9130
$1638 = 0x5555556fa6d0 "0000"
$1639 = 0
$1640 = (UNDO_LIST *) 0x5555556f90b0
$1641 = (struct undo_list *) 0x0
$1642 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#2  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#3  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#4  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#5  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#6  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#7  0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#8  0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#9  0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#10 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#11 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#12 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#13 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7df4535 in __GI_abort () at abort.c:79
#2  0x00007ffff7e4b718 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7ffff7f5629a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff7e51e3a in malloc_printerr (str=str@entry=0x7ffff7f57c00 
"munmap_chunk(): invalid pointer") at malloc.c:5382
#4  0x00007ffff7e523a4 in munmap_chunk (p=<optimized out>) at malloc.c:2830
#5  0x00005555555fb264 in xfree (string=0x5555556fa750) at 
../bash-devel/xmalloc.c:150
#6  0x000055555565017e in rl_do_undo () at 
../../../bash-devel/lib/readline/undo.c:201
#7  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#8  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#9  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#10 0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#11 0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#12 0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#13 0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#14 0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#15 0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#16 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#17 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#18 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#19 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739
-------------------------------------------------------------------------------


dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat trace_rl_undo.gdb
set pagination off
set logging redirect on
set logging file gdb.txt
set logging overwrite on
set logging on
start

# Walk the global readline undo list: for each entry print its index,
# address, next pointer and saved text.
define print_rl_undo_list
    print "~~~ print_rl_undo_list>"
    set $ptr = rl_undo_list
    set $i = 0
    while $ptr
        print $i
        print $ptr
        print $ptr->next
        print $ptr->text
        set $ptr = $ptr->next
        set $i = $i + 1
    end
end

# Walk every history entry; the `data' member of each HIST_ENTRY holds the
# UNDO_LIST saved for that line, so dump that list too.  Comparing these
# addresses with the ones from print_rl_undo_list shows which undo entries
# are reachable from both places.
define print_the_history
    print "~~~ print_the_history>"
    set $i = 0
    while the_history && the_history[$i]
        print $i
        print the_history[$i]
        print the_history[$i]->line
        set $ptr = (UNDO_LIST *)the_history[$i]->data
        set $j = 0
        while $ptr
            print $j
            print $ptr
            print $ptr->next
            print $ptr->text
            set $ptr = $ptr->next
            set $j = $j + 1
        end
        set $i = $i + 1
    end
end

# Dump both structures and a backtrace every time rl_do_undo is entered,
# then let the program continue until it aborts.
break rl_do_undo
command
    print_rl_undo_list
    print_the_history
    backtrace
    continue
end

run
backtrace
set logging off
-------------------------------------------------------------------------------

Same, using ASAN:

debian@debian-fuzz:~/tmp$ ~/build-devel-asan/bash --noprofile --norc -c 
'EDITOR=: PATH= read -e < o'
0
0
/tmp/bash-fc.DOMKK5: line 1: 0: No such file or directory
000
000
/tmp/bash-fc.cide1P: line 1: 000: No such file or directory
0000readline: maximum macro execution nesting level exceeded

=================================================================
==18166==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004468 
at pc 0x561dcf2e01c8 bp 0x7ffe4b6174e0 sp 0x7ffe4b6174d8
READ of size 4 at 0x603000004468 thread T0
    #0 0x561dcf2e01c7 in rl_do_undo ../../../bash-devel/lib/readline/undo.c:188
    #1 0x561dcf2e0c0a in rl_revert_line 
../../../bash-devel/lib/readline/undo.c:339
    #2 0x561dcf296132 in readline_internal_teardown 
../../../bash-devel/lib/readline/readline.c:471
    #3 0x561dcf296740 in readline_internal 
../../../bash-devel/lib/readline/readline.c:672
    #4 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #5 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #6 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #7 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #8 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #9 0x561dcf1471bd in execute_simple_command ../bash-devel/execute_cmd.c:4478
    #10 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #11 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #12 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #13 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #14 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308
    #15 0x561dcf0f8039 in _start (/home/debian/build-devel-asan/bash+0x89039)

0x603000004468 is located 24 bytes inside of 32-byte region 
[0x603000004450,0x603000004470)
freed by thread T0 here:
    #0 0x7f9a51a01b50 in free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x561dcf21f9a1 in xfree ../bash-devel/xmalloc.c:150
    #2 0x561dcf2e09b5 in rl_do_undo ../../../bash-devel/lib/readline/undo.c:267
    #3 0x561dcf2e0d10 in rl_undo_command 
../../../bash-devel/lib/readline/undo.c:358
    #4 0x561dcf297263 in _rl_dispatch_subseq 
../../../bash-devel/lib/readline/readline.c:852
    #5 0x561dcf296e3e in _rl_dispatch 
../../../bash-devel/lib/readline/readline.c:798
    #6 0x561dcf296678 in readline_internal_char 
../../../bash-devel/lib/readline/readline.c:632
    #7 0x561dcf29670d in readline_internal_charloop 
../../../bash-devel/lib/readline/readline.c:659
    #8 0x561dcf29672d in readline_internal 
../../../bash-devel/lib/readline/readline.c:671
    #9 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #10 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #11 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #12 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #13 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #14 0x561dcf1471bd in execute_simple_command 
../bash-devel/execute_cmd.c:4478
    #15 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #16 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #17 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #18 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #19 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f9a51a01ed0 in __interceptor_malloc 
(/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x561dcf21f8e0 in xmalloc ../bash-devel/xmalloc.c:114
    #2 0x561dcf2dfbfe in alloc_undo_entry 
../../../bash-devel/lib/readline/undo.c:77
    #3 0x561dcf2dfd4d in rl_add_undo ../../../bash-devel/lib/readline/undo.c:94
    #4 0x561dcf2e750b in rl_delete_text 
../../../bash-devel/lib/readline/text.c:151
    #5 0x561dcf2dd3ff in rl_kill_text 
../../../bash-devel/lib/readline/kill.c:177
    #6 0x561dcf2de699 in rl_unix_line_discard 
../../../bash-devel/lib/readline/kill.c:388
    #7 0x561dcf297263 in _rl_dispatch_subseq 
../../../bash-devel/lib/readline/readline.c:852
    #8 0x561dcf296e3e in _rl_dispatch 
../../../bash-devel/lib/readline/readline.c:798
    #9 0x561dcf296678 in readline_internal_char 
../../../bash-devel/lib/readline/readline.c:632
    #10 0x561dcf29670d in readline_internal_charloop 
../../../bash-devel/lib/readline/readline.c:659
    #11 0x561dcf29672d in readline_internal 
../../../bash-devel/lib/readline/readline.c:671
    #12 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #13 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #14 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #15 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #16 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #17 0x561dcf1471bd in execute_simple_command 
../bash-devel/execute_cmd.c:4478
    #18 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #19 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #20 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #21 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #22 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free 
../../../bash-devel/lib/readline/undo.c:188 in rl_do_undo
==18166==ABORTING
-------------------------------------------------------------------------------
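An added triage helper, not part of the report above or of readline's sources: it maps the fault offset ASan prints ("24 bytes inside of 32-byte region", "READ of size 4") onto the fields of readline's UNDO_LIST. The struct layout is copied from readline's rlprivate.h as I know it and is assumed to match this devel commit on x86_64; the two report lines are taken from the ASan output above.

```c
/* Constructed example: locate which UNDO_LIST field a reported ASan
 * heap-use-after-free access lands on.  Assumes 64-bit pointers, so the
 * struct is 32 bytes as in the report. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum undo_code { UNDO_DELETE, UNDO_INSERT, UNDO_BEGIN, UNDO_END };

/* Layout of readline's undo entry (lib/readline/rlprivate.h), assumed
 * identical to the one in the bash-devel commit under test. */
typedef struct undo_list {
  struct undo_list *next;
  int start, end;       /* where the change took place */
  char *text;           /* text to re-insert when undoing a delete */
  enum undo_code what;  /* delete, insert, begin, end */
} UNDO_LIST;

struct field { const char *name; size_t off; size_t size; };

static const struct field undo_fields[] = {
  { "next",  offsetof(UNDO_LIST, next),  sizeof(((UNDO_LIST *)0)->next)  },
  { "start", offsetof(UNDO_LIST, start), sizeof(((UNDO_LIST *)0)->start) },
  { "end",   offsetof(UNDO_LIST, end),   sizeof(((UNDO_LIST *)0)->end)   },
  { "text",  offsetof(UNDO_LIST, text),  sizeof(((UNDO_LIST *)0)->text)  },
  { "what",  offsetof(UNDO_LIST, what),  sizeof(((UNDO_LIST *)0)->what)  },
};

/* Name of the field fully covered by an access of `size' bytes at byte
 * offset `off' of an UNDO_LIST; "padding" if it hits no field, or
 * "out of range" if it runs past the struct. */
const char *undo_field_at(size_t off, size_t size)
{
  size_t i;
  if (off + size > sizeof(UNDO_LIST))
    return "out of range";
  for (i = 0; i < sizeof undo_fields / sizeof undo_fields[0]; i++)
    if (off >= undo_fields[i].off &&
        off + size <= undo_fields[i].off + undo_fields[i].size)
      return undo_fields[i].name;
  return "padding";
}

/* Parse the "READ/WRITE of size S" line and the "<addr> is located N bytes
 * inside of M-byte region" line from an ASan report.  Returns the field
 * name, "not an UNDO_LIST" if the region size does not match, or NULL if
 * either line does not parse. */
const char *asan_uaf_field(const char *access_line, const char *region_line)
{
  unsigned long addr, off, region;
  size_t size;
  if (sscanf(access_line, "READ of size %zu", &size) != 1 &&
      sscanf(access_line, "WRITE of size %zu", &size) != 1)
    return NULL;
  if (sscanf(region_line, "%lx is located %lu bytes inside of %lu-byte region",
             &addr, &off, &region) != 3)
    return NULL;
  if (region != sizeof(UNDO_LIST))
    return "not an UNDO_LIST";
  return undo_field_at((size_t)off, size);
}

int main(void)
{
  /* The two lines below are copied from the ASan report in this message. */
  const char *access = "READ of size 4 at 0x603000004468 thread T0";
  const char *region = "0x603000004468 is located 24 bytes inside of 32-byte "
                       "region [0x603000004450,0x603000004470)";
  printf("sizeof(UNDO_LIST) = %zu\n", sizeof(UNDO_LIST));
  printf("faulting access touches UNDO_LIST.%s\n", asan_uaf_field(access, region));
  return 0;
}
```

With the report's numbers the access resolves to the 4-byte `what` field, i.e. rl_do_undo is inspecting the undo code of an entry that an earlier rl_do_undo (undo.c:267) has already freed.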


