From: Александр Ушаков
Subject: Heap-buffer-overflow in parse_matched_pair when the push_delimiter (dstack, ch) macro opens up
Date: Sun, 20 Apr 2025 21:45:28 +0300
User-agent: SOGoMail 5.11.0-rp19
Dear Bash Maintainers,
I encountered an issue in Bash and would like to report it. buggyfile.txt is
attached to the email.
Steps to reproduce

$ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
$ make
$ cat buggyfile.txt | ./bash --norc
Expected Behaviour
Any error messages, but no ASan ERROR.
Actual Behaviour
==139644==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000002c6f at pc 0x55555570f821 bp 0x7fffffff86b0 sp 0x7fffffff86a8
WRITE of size 1 at 0x502000002c6f thread T0
    #0 0x55555570f820 in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4034:8
    #1 0x555555709f22 in read_token_word /home/as/projects/bash/up/bash/./parse.y:5623:11
    #2 0x555555704a1d in read_token /home/as/projects/bash/up/bash/./parse.y:3800:12
    #3 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
    #4 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
    #5 0x555555710df1 in parse_comsub /home/as/projects/bash/up/bash/./parse.y:4538:7
    #6 0x5555557102d7 in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4162:16
    #7 0x55555570f92a in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4038:13
    #8 0x555555710a82 in parse_comsub /home/as/projects/bash/up/bash/./parse.y:4459:10
    #9 0x5555557102d7 in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4162:16
    #10 0x55555570f92a in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4038:13
    #11 0x555555709f22 in read_token_word /home/as/projects/bash/up/bash/./parse.y:5623:11
    #12 0x555555704a1d in read_token /home/as/projects/bash/up/bash/./parse.y:3800:12
    #13 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
    #14 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
    #15 0x5555556edd29 in parse_command /home/as/projects/bash/up/bash/eval.c:369:7
    #16 0x5555556ed53e in read_command /home/as/projects/bash/up/bash/eval.c:414:12
    #17 0x5555556ec9ec in reader_loop /home/as/projects/bash/up/bash/eval.c:147:11
    #18 0x5555556e743e in main /home/as/projects/bash/up/bash/shell.c:834:3
    #19 0x7ffff7cac249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7ffff7cac304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #21 0x555555606aa0 in _start (/home/as/projects/bash/up/bash/bash+0xb2aa0) (BuildId: 16b425f5efb062532db7a8ae08572047f3ce1b45)

0x502000002c6f is located 1 bytes before 10-byte region [0x502000002c70,0x502000002c7a)
allocated by thread T0 here:
    #0 0x5555556a5d3f in malloc (/home/as/projects/bash/up/bash/bash+0x151d3f) (BuildId: 16b425f5efb062532db7a8ae08572047f3ce1b45)
    #1 0x555555858fd7 in xrealloc /home/as/projects/bash/up/bash/xmalloc.c:123:47
    #2 0x55555570f7c0 in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4034:8
    #3 0x555555709f22 in read_token_word /home/as/projects/bash/up/bash/./parse.y:5623:11
    #4 0x555555704a1d in read_token /home/as/projects/bash/up/bash/./parse.y:3800:12
    #5 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
    #6 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
    #7 0x5555556edd29 in parse_command /home/as/projects/bash/up/bash/eval.c:369:7
    #8 0x5555556ed53e in read_command /home/as/projects/bash/up/bash/eval.c:414:12
    #9 0x5555556ec9ec in reader_loop /home/as/projects/bash/up/bash/eval.c:147:11
    #10 0x5555556e743e in main /home/as/projects/bash/up/bash/shell.c:834:3
    #11 0x7ffff7cac249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/as/projects/bash/up/bash/./parse.y:4034:8 in parse_matched_pair
Shadow bytes around the buggy address:
0x502000002980: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x502000002a00: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x502000002a80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x502000002b00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000002b80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x502000002c00: fa fa fd fa fa fa 01 fa fa fa fd fa fa[fa]00 02
0x502000002c80: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa fd fd
0x502000002d00: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 07 fa
0x502000002d80: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fa
0x502000002e00: fa fa 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000002e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==139644==ABORTING
Additional Notes
The reason for the fault is the incorrect push_delimiter (dstack, ch) macro:

#define push_delimiter(ds, character) \
  do \
    { \
      if (ds.delimiter_depth + 2 > ds.delimiter_space) \
        ds.delimiters = (char *)xrealloc \
          (ds.delimiters, (ds.delimiter_space += 10) * sizeof (char)); \
      ds.delimiters[ds.delimiter_depth] = character; /* <-- here the element with index -1 of the dstack array is written (ds.delimiter_space == -1) */ \
      ds.delimiter_depth++; \
    } \
  while (0)
Suggested Solution
Add an extra check in the conditional statement:

#define push_delimiter(ds, character) \
  do \
    { \
      if (ds.delimiter_depth + 2 > ds.delimiter_space) \
        ds.delimiters = (char *)xrealloc \
          (ds.delimiters, (ds.delimiter_space += 10) * sizeof (char)); \
      if (ds.delimiter_space < 0) { continue; } /* added extra check */ \
      ds.delimiters[ds.delimiter_depth] = character; \
      ds.delimiter_depth++; \
    } \
  while (0)
Bash Version
as@astra:~/projects/bash/up/bash$ ./bashversion
5.3.0(1)-rc1
The behaviour also reproduces on the bash 5.2 release.
System Info
Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23
09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.1 (++20241001124028+d401987fe349-1~exp1~20241001124040.50)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
You can download the attached file from https://dropmefiles.com/ktqdN, or just see the attachments to the message.
buggyfile.txt
Description: Text document
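Added example, not part of the report above and not bash's own code: a stand-alone C model of the delimiter stack that the push_delimiter macro quoted under "Additional Notes" maintains. It shows how one pop more than there were pushes drives the depth counter to -1, so the next push indexes one byte before the allocation (the "1 bytes before 10-byte region" write in the ASan report), and places a bounds-checked push/pop beside it. The struct field names (delimiters, delimiter_depth, delimiter_space) follow the quoted macro; dstack_push, dstack_pop, dstack_top, checked_replay, unchecked_min_write_index and the op-string convention ('p' pops, any other character is pushed) are hypothetical names chosen for this example.

```c
/* Added example (not bash's code): model of the parse.y delimiter stack.
 * Field names follow the push_delimiter macro in the report; the functions
 * and the op-string convention are hypothetical, written for this example. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

struct dstack {
  char *delimiters;     /* open delimiter characters, innermost last */
  int delimiter_depth;  /* number of entries; also the next write index */
  int delimiter_space;  /* allocated size of delimiters[] */
};

/* Dry run of the unchecked macro: any character other than 'p' models
 * push_delimiter (store at delimiters[delimiter_depth], then depth++),
 * 'p' models a pop (depth--). Nothing is stored; only the lowest index a
 * push would have used is tracked, so a negative result means the macro
 * would have written before the start of the allocation. */
int unchecked_min_write_index (const char *ops)
{
  int depth = 0, min_index = 0;
  for (; *ops; ops++)
    {
      if (*ops == 'p')
        depth--;                    /* an unbalanced pop leaves depth at -1 */
      else
        {
          if (depth < min_index)
            min_index = depth;      /* the macro indexes with depth as-is */
          depth++;
        }
    }
  return min_index;
}

/* Bounds-checked push: refuses a negative depth instead of indexing with
 * it, checks the realloc result, and grows by the same 10-byte step. */
int dstack_push (struct dstack *ds, char character)
{
  if (ds->delimiter_depth < 0)
    return -1;
  if (ds->delimiter_depth + 2 > ds->delimiter_space)
    {
      if (ds->delimiter_space > INT_MAX - 10)
        return -1;
      int space = ds->delimiter_space + 10;
      char *p = realloc (ds->delimiters, (size_t) space);
      if (p == NULL)
        return -1;
      ds->delimiters = p;
      ds->delimiter_space = space;
    }
  ds->delimiters[ds->delimiter_depth++] = character;
  return 0;
}

/* Bounds-checked pop: an underflow is reported and depth stays at 0. */
int dstack_pop (struct dstack *ds)
{
  if (ds->delimiter_depth <= 0)
    return -1;
  ds->delimiter_depth--;
  return 0;
}

/* Innermost open delimiter, or 0 when the stack is empty. */
char dstack_top (const struct dstack *ds)
{
  return ds->delimiter_depth > 0 ? ds->delimiters[ds->delimiter_depth - 1] : 0;
}

/* Replays an op string against the checked stack ('p' pops, anything else
 * is pushed); returns how many operations were refused. */
int checked_replay (struct dstack *ds, const char *ops)
{
  int refused = 0;
  for (; *ops; ops++)
    {
      int rc = (*ops == 'p') ? dstack_pop (ds) : dstack_push (ds, *ops);
      if (rc != 0)
        refused++;
    }
  return refused;
}

int main (void)
{
  struct dstack ds = { NULL, 0, 0 };
  /* Constructed op sequence: one pop too many, then a push. The unchecked
   * macro would store at index -1; the checked stack refuses the pop. */
  printf ("unchecked write index for \"p(\": %d\n", unchecked_min_write_index ("p("));
  printf ("checked: %d refused, depth %d, top '%c'\n",
          checked_replay (&ds, "p("), ds.delimiter_depth, dstack_top (&ds));
  free (ds.delimiters);
  return 0;
}
```

The dry run never performs the out-of-bounds store, so it runs without a sanitizer; the checked variant refuses the underflowing pop and keeps the depth at 0, which is the condition the ASan report shows being violated (a one-byte write immediately before the region means the index used was -1).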