bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Out of bounds heap read in completion code detected when compiling bash


From: Hanno Böck
Subject: Out of bounds heap read in completion code detected when compiling bash with address sanitizer
Date: Tue, 23 Jun 2015 13:11:06 +0200

Hello,

When trying to compile latest bash (4.3 + all patches up to 039) with address 
sanitizer
I discovered a potential out of bounds read.
It seems to be related to tab completion and readline

To reproduce:
1. compile bash with asan:
./configure --without-bash-malloc CFLAGS="-fsanitize=address -g -ggdb" 
LDFLAGS="-fsanitize=address"
(-g -ggdb not neccessary but they improve the debugging output of asan)
2. run it:
./bash
3. type in something like
a=
and press "tab" multiple times.

For me bash crashes then and shows the error below. I tried to track down the 
reason, but
I didn't easily find that out. The line it happens is in subst.c:
  slen = strlen (string + start) + start;
Part of the function skip_to_delim, which gets called from this code in 
bashline.c:
  for (s = start; whitespace (rl_line_buffer[s]); s++)
    ;

  /* skip until a shell break character */
  e = skip_to_delim (rl_line_buffer, s, "()<>;&| \t\n", SD_NOJMP);


I don't really understand the meaning of all the code, so it may be better 
someone
familiar with the code has a look. I have attached the address sanitizer stack
trace below.


==5029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009600 
at pc 0x7f4ec7e17e00 bp 0x7ffc93ed5f80 sp 0x7ffc93ed5f50
READ of size 258 at 0x611000009600 thread T0
    #0 0x7f4ec7e17dff in strlen 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x32dff)
    #1 0x4a11e6 in skip_to_delim /mnt/ram/bash-4.3/subst.c:1722
    #2 0x500def in find_cmd_name /mnt/ram/bash-4.3/bashline.c:1342
    #3 0x501996 in attempt_shell_completion /mnt/ram/bash-4.3/bashline.c:1480
    #4 0x59d422 in gen_completion_matches 
/mnt/ram/bash-4.3/lib/readline/complete.c:1162
    #5 0x5a15ec in rl_complete_internal 
/mnt/ram/bash-4.3/lib/readline/complete.c:1955
    #6 0x59a72b in rl_complete /mnt/ram/bash-4.3/lib/readline/complete.c:431
    #7 0x5888c2 in _rl_dispatch_subseq 
/mnt/ram/bash-4.3/lib/readline/readline.c:832
    #8 0x58849f in _rl_dispatch /mnt/ram/bash-4.3/lib/readline/readline.c:775
    #9 0x587caa in readline_internal_char 
/mnt/ram/bash-4.3/lib/readline/readline.c:602
    #10 0x587d3a in readline_internal_charloop 
/mnt/ram/bash-4.3/lib/readline/readline.c:629
    #11 0x587d63 in readline_internal 
/mnt/ram/bash-4.3/lib/readline/readline.c:643
    #12 0x587458 in readline /mnt/ram/bash-4.3/lib/readline/readline.c:369
    #13 0x42cb48 in yy_readline_get 
/usr/src/local/bash/bash-4.3-patched/parse.y:1448
    #14 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #15 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #16 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #17 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #18 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #19 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #20 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #21 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #22 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #23 0x7f4ec760cf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #24 0x41e918 (/mnt/ram/bash-4.3/bash+0x41e918)

0x611000009600 is located 0 bytes to the right of 256-byte region 
[0x611000009500,0x611000009600)
allocated by thread T0 here:
    #0 0x7f4ec7e3c787 in malloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57787)
    #1 0x5227fd in xmalloc /mnt/ram/bash-4.3/xmalloc.c:112
    #2 0x589685 in readline_initialize_everything 
/mnt/ram/bash-4.3/lib/readline/readline.c:1149
    #3 0x58953f in rl_initialize /mnt/ram/bash-4.3/lib/readline/readline.c:1056
    #4 0x4fc32e in initialize_readline /mnt/ram/bash-4.3/bashline.c:476
    #5 0x42ca71 in yy_readline_get 
/usr/src/local/bash/bash-4.3-patched/parse.y:1434
    #6 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #7 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #8 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #9 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #10 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #11 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #12 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #13 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #14 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #15 0x7f4ec760cf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x0c227fff9270: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9290: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff92b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92c0:[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff92d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff92e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9300: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5029==ABORTING



-- 
Hanno Böck
http://hboeck.de/

mail/jabber: address@hidden
GPG: BBB51E42

Attachment: pgpGNWmcL4EMc.pgp
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]