bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

4.4: crash in redir10 test; use after free?


From: Christian Weisgerber
Subject: 4.4: crash in redir10 test; use after free?
Date: Tue, 1 Nov 2016 17:03:02 +0100
User-agent: Mutt/1.7.1 (2016-10-04)

Running the bash 4.4 regression test suite on OpenBSD/amd64, I noticed
a crash in the redir tests.  Specifically, running redir10.sub with
bash 4.4 causes it to die with a bus error most of the time.

Program terminated with signal 10, Bus error.

#0  0x00001c9ad0634009 in find_pipeline (pid=97028, alive_only=1,
    jobp=0x7f7ffffea514) at jobs.c:1481
1481              if (p->pid == pid && ((alive_only == 0 && PRECYCLED(p) == 0) 
|| PALIVE(p)))
(gdb) p last_procsub_child
$1 = (PROCESS *) 0x1c9d2b698ca0
(gdb) p *last_procsub_child
$2 = {next = 0xdfdfdfdfdfdfdfdf, pid = -538976289, status = -538976289,
  running = -538976289,
  command = 0xdfdfdfdfdfdfdfdf <Address 0xdfdfdfdfdfdfdfdf out of bounds>}
(gdb) p /x last_procsub_child->pid 
$3 = 0xdfdfdfdf

This looks like a use after free() since OpenBSD's malloc fills
some of the freed memory with 0xdf.

-- 
Christian "naddy" Weisgerber                          address@hidden



reply via email to

[Prev in Thread] Current Thread [Next in Thread]