bug-bash

Out of bounds heap read in function rl_tilde_expand


From: Hanno Böck
Subject: Out of bounds heap read in function rl_tilde_expand
Date: Fri, 6 Nov 2015 15:46:02 +0100

Hi,

While testing bash with address sanitizer I discovered a heap out of
bounds read. This affects bash 4.3 with the latest patchlevel 42.

Triggering this bug only seems to work with a US keyboard layout. It
gets triggered by pressing shift+alt+7.
I don't know why this is happening; this keycode combination doesn't
have any function on a US keyboard.

This can be seen with either bash or valgrind.

Here's the address sanitizer stack trace:

==28349==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000094ff at pc 0x5c605b bp 0x7fffdab6df00 sp 0x7fffdab6def0
READ of size 1 at 0x6110000094ff thread T0
    #0 0x5c605a in rl_tilde_expand /mnt/ram/bash-4.3/lib/readline/util.c:201
    #1 0x5889ad in _rl_dispatch_subseq /mnt/ram/bash-4.3/lib/readline/readline.c:832
    #2 0x588fe0 in _rl_dispatch_subseq /mnt/ram/bash-4.3/lib/readline/readline.c:945
    #3 0x58858a in _rl_dispatch /mnt/ram/bash-4.3/lib/readline/readline.c:775
    #4 0x587d95 in readline_internal_char /mnt/ram/bash-4.3/lib/readline/readline.c:602
    #5 0x587e25 in readline_internal_charloop /mnt/ram/bash-4.3/lib/readline/readline.c:629
    #6 0x587e4e in readline_internal /mnt/ram/bash-4.3/lib/readline/readline.c:643
    #7 0x587543 in readline /mnt/ram/bash-4.3/lib/readline/readline.c:369
    #8 0x42cb48 in yy_readline_get /usr/src/local/bash/bash-4.3-patched/parse.y:1448
    #9 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #10 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #11 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #12 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #13 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #14 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #15 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #16 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #17 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #18 0x7faaf0dd662f in __libc_start_main (/lib64/libc.so.6+0x2062f)
    #19 0x41e918 in _start (/mnt/ram/bash-4.3/bash+0x41e918)

0x6110000094ff is located 1 bytes to the left of 256-byte region [0x611000009500,0x611000009600)
allocated by thread T0 here:
    #0 0x7faaf160c797 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57797)
    #1 0x5228e8 in xmalloc /mnt/ram/bash-4.3/xmalloc.c:112
    #2 0x589770 in readline_initialize_everything /mnt/ram/bash-4.3/lib/readline/readline.c:1149
    #3 0x58962a in rl_initialize /mnt/ram/bash-4.3/lib/readline/readline.c:1056
    #4 0x4fc345 in initialize_readline /mnt/ram/bash-4.3/bashline.c:476
    #5 0x42ca71 in yy_readline_get /usr/src/local/bash/bash-4.3-patched/parse.y:1434
    #6 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #7 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #8 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #9 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #10 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #11 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #12 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #13 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #14 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #15 0x7faaf0dd662f in __libc_start_main (/lib64/libc.so.6+0x2062f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/bash-4.3/lib/readline/util.c:201 rl_tilde_expand
Shadow bytes around the buggy address:
  0x0c227fff9240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c227fff9270: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff9290: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c227fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff92b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff92c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff92d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff92e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==28349==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
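The report above says a 1-byte read landed one byte left of a 256-byte heap region allocated during readline initialisation, the signature of a backward scan over the line buffer that dereferences before it bounds-checks. The following is an added, constructed illustration of that bug class, not readline's code: the function names, the loop and the inputs are invented for this example, and only the 256-byte buffer size is taken from the report.

```c
/* Added, constructed example (not readline's code): a minimal model of the
 * bug class behind the ASan report above, a backward word scan that reads
 * the byte before the cursor without first checking that the index is
 * still inside the line buffer. All function names here are made up. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUFFER_SIZE 256 /* same size as the heap region in the report */

/* Buggy scan: the loop condition dereferences line[start] before it tests
 * start >= 0. With the cursor at column 0, start is -1 on the first pass,
 * so the very first read is line[-1]: one byte left of the allocation,
 * which is exactly what ASan flags as a heap-buffer-overflow READ of size 1. */
static int word_start_buggy(const char *line, int point)
{
    int start = point - 1;
    for (; !isspace((unsigned char)line[start]) && start >= 0; start--)
        ;
    return start + 1; /* index of the first byte of the word at the cursor */
}

/* Hardened scan: test the index first, so && short-circuits before the
 * read happens. Results are identical for every in-bounds input, which is
 * why the bug only shows up with the cursor at column 0 (or a line of
 * non-blank bytes scanned all the way back to its start). */
static int word_start_fixed(const char *line, int point)
{
    int start = point - 1;
    while (start >= 0 && !isspace((unsigned char)line[start]))
        start--;
    return start + 1;
}

int main(void)
{
    /* Model of the line buffer: a 256-byte heap block holding an empty line,
     * cursor at column 0. Built with -fsanitize=address this reproduces a
     * report of the same shape as the one above (1 byte left of a 256-byte
     * region); without ASan the bad read is silent, as the reporter found. */
    char *line = malloc(LINE_BUFFER_SIZE);
    if (!line) return 1;
    memset(line, 0, LINE_BUFFER_SIZE);
    printf("fixed: %d\n", word_start_fixed(line, 0)); /* 0, no bad read */
    printf("buggy: %d\n", word_start_buggy(line, 0)); /* reads line[-1] */
    free(line);
    return 0;
}
```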


