bug-bash

Segmentation fault in lib/readline/text.c rl_change_case


From: Eduardo A . Bustamante López
Subject: Segmentation fault in lib/readline/text.c rl_change_case
Date: Sun, 6 Jan 2019 18:25:00 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

I found the issue with AFL (http://lcamtuf.coredump.cx/afl/).

The crash itself happens due to the following:

dualbus@system76-pc:~/src/gnu/bash$ cat -n lib/readline/text.c | sed -n '1455,1460p'
  1455                mlen = wcrtomb (mb, nwc, &mps);   // <- mlen is -1, due to `nwc' being an invalid character.
  1456                if (mlen > 0)
  1457                  mb[mlen] = '\0';
  1458                /* what to do if m != mlen? adjust below */
  1459                /* m == length of old char, mlen == length of new char */
  1460                s = rl_line_buffer + start;

dualbus@system76-pc:~/src/gnu/bash$ cat -n lib/readline/text.c | sed -n '1475,1480p'
  1475                    rl_extend_line_buffer (mlen - m + 1);
  1476                    memmove (s + mlen, s + m, (e - s) - m);
  1477                    memcpy (s, mb, mlen); // <- mlen is negative here, thus it's an invalid `memcpy'
  1478                    next += mlen - m;     /* next char changes */
  1479                    end += mlen - m;      /* end of word changes */
  1480                    rl_end += mlen - m;   /* end of line changes */

I'm not really sure how to fix this problem. I worked around it by changing the
condition in L1456 to just return early from the function.

The file I used as input:

debian@debian-fuzz:/mnt$ xxd rl_change_case
00000000: f2b1 a8b1 011b 55                        ......U

debian@debian-fuzz:/mnt$ base64 < rl_change_case
8rGosQEbVQ==

debian@debian-fuzz:/mnt$ cat -A rl_change_case
M-rM-1M-(M-1^A^[U

I patched bash to remove the isatty() check for `read -e', and ran (with: LC_ALL=zh_CN.gbk):

(...)
(gdb) r
Starting program: /home/debian/build-gdb/bash --noprofile --norc -c PATH=\ read\ -e\ \<\ rl_change_case
hi
򱨱
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:490
490     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.

(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:490
#1  0x000055555565b668 in rl_change_case (count=1, op=1) at ../../../bash-5.0-rc1/lib/readline/text.c:1477
#2  0x000055555565b201 in rl_upcase_word (count=1, key=117) at ../../../bash-5.0-rc1/lib/readline/text.c:1358
#3  0x0000555555639e9a in _rl_dispatch_subseq (key=117, map=0x5555556ac220 <emacs_meta_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:852
#4  0x0000555555639c11 in _rl_dispatch (key=1433811945, map=0x5555556ac220 <emacs_meta_keymap>) at ../../../bash-5.0-rc1/lib/readline/readline.c:798
#5  0x0000555555639dd7 in _rl_dispatch_subseq (key=85, map=0x5555556ac220 <emacs_meta_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:841
#6  0x000055555563a35f in _rl_dispatch_subseq (key=27, map=0x5555556ab200 <emacs_standard_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:986
#7  0x0000555555639c11 in _rl_dispatch (key=1433811945, map=0x5555556ab200 <emacs_standard_keymap>) at ../../../bash-5.0-rc1/lib/readline/readline.c:798
#8  0x0000555555639894 in readline_internal_char () at ../../../bash-5.0-rc1/lib/readline/readline.c:632
#9  0x00005555556398ef in readline_internal_charloop () at ../../../bash-5.0-rc1/lib/readline/readline.c:659
#10 0x000055555563990f in readline_internal () at ../../../bash-5.0-rc1/lib/readline/readline.c:671
#11 0x000055555563932d in readline (prompt=0x555555680f84 "") at ../../../bash-5.0-rc1/lib/readline/readline.c:377
#12 0x0000555555611b95 in edit_line (p=0x555555680f84 "", itext=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107
#13 0x00005555556108be in read_builtin (list=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566
#14 0x00005555555a5afa in execute_builtin (builtin=0x55555560fa39 <read_builtin>, words=0x555555761ea8, flags=0, subshell=0) at ../bash-5.0-rc1/execute_cmd.c:4706
#15 0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555761ea8, builtin=0x55555560fa39 <read_builtin>, var=0x0, redirects=0x555555761c08, fds_to_close=0x555555761be8, flags=0) at ../bash-5.0-rc1/execute_cmd.c:5214
#16 0x00005555555a5365 in execute_simple_command (simple_command=0x555555761ac8, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555761be8) at ../bash-5.0-rc1/execute_cmd.c:4476
#17 0x000055555559e9f4 in execute_command_internal (command=0x555555761a88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555761be8) at ../bash-5.0-rc1/execute_cmd.c:842
#18 0x0000555555608550 in parse_and_execute (string=0x5555557616c8 "PATH= read -e < rl_change_case", from_file=0x5555556690f0 "-c", flags=4) at ../../bash-5.0-rc1/builtins/evalstring.c:436
#19 0x000055555558564a in run_one_command (command=0x7fffffffe280 "PATH= read -e < rl_change_case") at ../bash-5.0-rc1/shell.c:1426
#20 0x0000555555584789 in main (argc=5, argv=0x7fffffffdfd8, env=0x7fffffffe008) at ../bash-5.0-rc1/shell.c:741

(gdb) frame 1
#1  0x000055555565b668 in rl_change_case (count=1, op=1) at ../../../bash-5.0-rc1/lib/readline/text.c:1477
1477                      memcpy (s, mb, mlen);
(gdb) p s
$1 = 0x555555763c0a "��"
(gdb) p mb
$2 = '\000' <repeats 16 times>
(gdb) p mlen
$3 = -1

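Editor's added example (not code from the report, from bash, or from readline). The report shows mlen as a signed -1 at text.c:1477, and the snippet at 1475-1480 is the branch that handles a replacement character longer than the original. The model below explains how a failed wcrtomb() lands there: wcrtomb() returns (size_t)-1 on failure, storing it in an int yields -1, and when that int is then compared against the size_t length of the old character (assumed here to be a size_t from mbrtowc(), as in readline's source; the report itself does not show the declaration), C's usual arithmetic conversions turn -1 back into SIZE_MAX, so the "m < mlen" branch runs with a negative copy length. The hardened splice_char() is the editor's own suggestion of the check a practitioner would add, not the fix bash eventually shipped; the line buffer is constructed from the bytes in the report's hexdump and is treated as raw bytes, so no GBK locale is needed to run it.

```c
/* Models the length bookkeeping in rl_change_case (lib/readline/text.c)
 * around the crash reported above.  Editor's example, not readline code.
 *
 *   m    : byte length of the character being replaced (size_t, mbrtowc)
 *   mlen : byte length of the replacement (int, assigned from wcrtomb)
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Which of the three splice branches a given (m, mlen) pair selects.
 * The casts spell out what C does implicitly when a size_t is compared
 * with an int: mlen == -1 becomes SIZE_MAX, so neither "m == mlen" nor
 * "m > mlen" holds and the "m < mlen" (replacement is longer) branch runs.
 * Returns 0 for m == mlen, 1 for m > mlen, 2 for m < mlen.  */
int readline_branch(size_t m, int mlen)
{
  if (m == (size_t) mlen) return 0;
  if (m > (size_t) mlen) return 1;
  return 2;
}

/* What "int mlen = wcrtomb (...)" stores when the wide character is not
 * representable in the current locale.  No setlocale() is called, so this
 * runs in the "C" locale, where e.g. (wchar_t)0x100 cannot be encoded and
 * wcrtomb() returns (size_t)-1, which truncates to -1 in the int.  */
int wcrtomb_as_int(wchar_t wc)
{
  char mb[MB_LEN_MAX + 1];
  mbstate_t st;
  memset(&st, 0, sizeof st);
  int mlen = (int) wcrtomb(mb, wc, &st);
  return mlen;
}

/* Hardened splice: replace the m-byte character at buf[start] with the
 * mlen-byte sequence mb, shifting the rest of the line.  Returns the new
 * line length, or -1 with buf untouched when the replacement is unusable
 * or would not fit.  The first test is the check missing in the reported
 * code: a failed wcrtomb() must never reach memmove()/memcpy().  */
long splice_char(char *buf, size_t cap, size_t len, size_t start,
                 size_t m, const char *mb, size_t mlen)
{
  if (mlen == (size_t) -1)               /* wcrtomb() failed              */
    return -1;
  if (start > len || m > len - start)    /* old char must lie in the line */
    return -1;
  if (len - m + mlen + 1 > cap)          /* new line plus NUL must fit    */
    return -1;
  memmove(buf + start + mlen, buf + start + m, len - start - m);
  memcpy(buf + start, mb, mlen);
  len = len - m + mlen;
  buf[len] = '\0';
  return (long) len;
}

int main(void)
{
  /* Constructed input: the two 2-byte sequences from the report's hexdump
   * (f2 b1 a8 b1) followed by an ASCII tail, handled as raw bytes.  */
  char line[64] = "\xf2\xb1\xa8\xb1tail";
  size_t len = strlen(line);

  printf("branch for m=2, mlen=-1: %d (2 = the 'm < mlen' path)\n",
         readline_branch(2, -1));
  printf("wcrtomb(0x100) stored in an int: %d\n",
         wcrtomb_as_int((wchar_t) 0x100));

  long r = splice_char(line, sizeof line, len, 0, 2, "", (size_t) -1);
  printf("splice after failed wcrtomb: %ld, line unchanged: %d\n",
         r, memcmp(line, "\xf2\xb1\xa8\xb1tail", len) == 0);

  r = splice_char(line, sizeof line, len, 0, 2, "ABC", 3);
  printf("2-byte char -> 3 bytes: new length %ld, tail now \"%s\"\n",
         r, line + 5);
  return 0;
}
```

The branch selector is the part worth staring at: the report's snippet compares an int holding -1 with a size_t, and the comparison silently treats -1 as the largest possible length, so the growth branch at 1475-1477 runs and passes that same -1 to memcpy(). Rejecting (size_t)-1 from wcrtomb() before any size arithmetic, as splice_char() does, closes the path regardless of which locale produced the unconvertible character.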