Re: use-after-free in rl_display_match_list
From: Grisha Levit
Subject: Re: use-after-free in rl_display_match_list
Date: Wed, 22 Mar 2023 15:24:51 -0400
On Wed, Mar 22, 2023 at 3:11 PM Chet Ramey <chet.ramey@case.edu> wrote:
>
> I can't reproduce it with bash and command completion (that's the easiest
> way to get more possible completions than the completion-query-items
> limit) or filename completion on /usr/bin. This is on RHEL 9 without any
> completions installed. It jumps back to PS1.
On a terminal that's not too tall:
cat >/tmp/irc <<EOF
set completion-display-width 0
set completion-query-items 1
set prefer-visible-bell on
EOF
INPUTRC=/tmp/irc timeout -s INT 0.1 bash-debug --norc -in <<<$'$\e?y_'
ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa9801198 at pc 0xaaaadfc46f70 bp 0xffffdf0cac90 sp 0xffffdf0cac88
READ of size 8 at 0xffffa9801198 thread T0
#0 0xaaaadfc46f6c in rl_display_match_list lib/readline/complete.c:1604:23
#1 0xaaaadfc4f40c in display_matches lib/readline/complete.c:1748:3
#2 0xaaaadfc44160 in rl_complete_internal lib/readline/complete.c:2163:7
#3 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
#4 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
#5 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
#6 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
#7 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
#8 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
#9 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
#10 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
#11 0xaaaadf730618 in yy_readline_get parse.y:1564:31
#12 0xaaaadf749fe4 in yy_getc parse.y:1501:10
#13 0xaaaadf74c298 in shell_getc parse.y:2396:8
#14 0xaaaadf7474f8 in read_token parse.y:3425:23
#15 0xaaaadf72dfcc in yylex parse.y:2915:19
#16 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
#17 0xaaaadf7078c0 in parse_command eval.c:345:7
#18 0xaaaadf706b34 in read_command eval.c:389:12
#19 0xaaaadf705dd8 in reader_loop eval.c:139:11
#20 0xaaaadf6f9b5c in main shell.c:821:3
#21 0xffffae7473f8 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0xffffae7474c8 in __libc_start_main csu/../csu/libc-start.c:392:3
#23 0xaaaadf648a2c in _start (/home/parallels/bld/bash-debug/bash+0x2c8a2c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
0xffffa9801198 is located 536 bytes inside of 584-byte region [0xffffa9800f80,0xffffa98011c8)
freed by thread T0 here:
#0 0xaaaadf6bf94c in free (/home/parallels/bld/bash-debug/bash+0x33f94c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
#1 0xaaaadfa9f258 in xfree xmalloc.c:144:5
#2 0xaaaadfc4acc0 in _rl_free_match_list lib/readline/complete.c:1973:3
#3 0xaaaadfc51600 in _rl_complete_sigcleanup lib/readline/complete.c:506:7
#4 0xaaaadfcd9370 in _rl_handle_signal lib/readline/signals.c:196:7
#5 0xaaaadfcd9198 in _rl_signal_handler lib/readline/signals.c:149:5
#6 0xaaaadfcee9b4 in rl_getc lib/readline/input.c:832:7
#7 0xaaaadfcf3e24 in rl_read_key lib/readline/input.c:806:10
#8 0xaaaadfc5af28 in get_y_or_n lib/readline/complete.c:547:11
#9 0xaaaadfc4a940 in _rl_internal_pager lib/readline/complete.c:571:7
#10 0xaaaadfc47598 in rl_display_match_list lib/readline/complete.c:1632:16
#11 0xaaaadfc4f40c in display_matches lib/readline/complete.c:1748:3
#12 0xaaaadfc44160 in rl_complete_internal lib/readline/complete.c:2163:7
#13 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
#14 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
#15 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
#16 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
#17 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
#18 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
#19 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
#20 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
#21 0xaaaadf730618 in yy_readline_get parse.y:1564:31
#22 0xaaaadf749fe4 in yy_getc parse.y:1501:10
#23 0xaaaadf74c298 in shell_getc parse.y:2396:8
#24 0xaaaadf7474f8 in read_token parse.y:3425:23
#25 0xaaaadf72dfcc in yylex parse.y:2915:19
#26 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
#27 0xaaaadf7078c0 in parse_command eval.c:345:7
#28 0xaaaadf706b34 in read_command eval.c:389:12
#29 0xaaaadf705dd8 in reader_loop eval.c:139:11
previously allocated by thread T0 here:
#0 0xaaaadf6bfbe0 in __interceptor_malloc (/home/parallels/bld/bash-debug/bash+0x33fbe0) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
#1 0xaaaadfa9f130 in xmalloc xmalloc.c:111:10
#2 0xaaaadfc5be34 in remove_duplicate_matches lib/readline/complete.c:1288:25
#3 0xaaaadfc4d090 in postprocess_matches lib/readline/complete.c:1471:22
#4 0xaaaadfc42074 in rl_complete_internal lib/readline/complete.c:2079:7
#5 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
#6 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
#7 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
#8 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
#9 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
#10 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
#11 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
#12 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
#13 0xaaaadf730618 in yy_readline_get parse.y:1564:31
#14 0xaaaadf749fe4 in yy_getc parse.y:1501:10
#15 0xaaaadf74c298 in shell_getc parse.y:2396:8
#16 0xaaaadf7474f8 in read_token parse.y:3425:23
#17 0xaaaadf72dfcc in yylex parse.y:2915:19
#18 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
#19 0xaaaadf7078c0 in parse_command eval.c:345:7
#20 0xaaaadf706b34 in read_command eval.c:389:12
#21 0xaaaadf705dd8 in reader_loop eval.c:139:11
#22 0xaaaadf6f9b5c in main shell.c:821:3
#23 0xffffae7473f8 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#24 0xffffae7474c8 in __libc_start_main csu/../csu/libc-start.c:392:3
#25 0xaaaadf648a2c in _start (/home/parallels/bld/bash-debug/bash+0x2c8a2c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
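The three stacks above tell one story: the match list is allocated in remove_duplicate_matches, freed by _rl_free_match_list when the SIGINT handler runs _rl_complete_sigcleanup while _rl_internal_pager is waiting for a key, and then read again by rl_display_match_list at complete.c:1604 once the handler returns. The C program below is an added illustration of that pattern written for this archive page; it is not readline's code and not the fix that was applied upstream, and every name in it (match_list, pager_ask, display_matches, policy) is constructed. It models the released memory with a flag so the buggy variant counts stale reads instead of crashing, and sets it beside a variant where the signal path only records the interrupt and the display loop stops touching the list, leaving the owner to free it once.

```c
/* Constructed model of a match list freed from a signal-cleanup path while
 * the display loop paging through it is still running.  Names are illustrative
 * and are not readline's API. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    char **items;   /* NULL-terminated array of completion candidates */
    int    count;
    int    freed;   /* set once the list is released (stands in for ASan's shadow) */
} match_list;

/* Interrupt-handling policy under test (constructed). */
typedef struct {
    int interrupt_at_page;  /* simulated SIGINT arrives at this pager prompt; -1 = never */
    int free_in_handler;    /* 1: cleanup frees the list from the handler (the bug)
                               0: handler only records the signal, owner frees later */
    int sig_pending;        /* flag the hardened handler sets instead of freeing */
    int uaf_reads;          /* items read after the list was released */
} policy;

static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static match_list *make_matches(const char *const *words, int n) {
    match_list *m = calloc(1, sizeof *m);
    m->items = calloc((size_t)n + 1, sizeof *m->items);
    for (int i = 0; i < n; i++) m->items[i] = copy_string(words[i]);
    m->count = n;
    return m;
}

/* "Free" the list.  The model keeps the memory reachable so the instrumented
 * read below can count the stale accesses rather than crash. */
static void release_matches(match_list *m) { m->freed = 1; }

static void destroy_matches(match_list *m) {
    for (int i = 0; i < m->count; i++) free(m->items[i]);
    free(m->items);
    free(m);
}

/* Instrumented read: like ASan, flags any access after release. */
static const char *read_item(match_list *m, int i, policy *p) {
    if (m->freed) p->uaf_reads++;
    return m->items[i];
}

/* Model of the "--More--" prompt.  Returns 1 to continue, 0 if the user
 * declines, -1 if a signal interrupted the wait for a key. */
static int pager_ask(match_list *m, policy *p, int page) {
    if (page == p->interrupt_at_page) {
        if (p->free_in_handler) release_matches(m);  /* buggy: sigcleanup frees here */
        else p->sig_pending = 1;                      /* hardened: only note the signal */
        return -1;
    }
    return 1;
}

/* Model of the display loop: shows per_page items, then asks to continue.
 * With check_interrupt set it stops on -1; without it, it keeps reading. */
static int display_matches(match_list *m, policy *p, int per_page, int check_interrupt) {
    int page = 0;
    for (int i = 0; i < m->count; i++) {
        if (i > 0 && i % per_page == 0) {
            int r = pager_ask(m, p, page++);
            if (r == 0) return 0;
            if (r < 0 && check_interrupt) return -1;  /* stop touching the list */
        }
        printf("%s\n", read_item(m, i, p));
    }
    return 0;
}

/* Run one scenario over a constructed six-entry list paged two at a time,
 * interrupting at the first prompt.  Returns the number of stale reads. */
static int run_scenario(int free_in_handler, int check_interrupt) {
    static const char *const words[] = {"ab", "ac", "ad", "ae", "af", "ag"};
    policy p = { .interrupt_at_page = 0, .free_in_handler = free_in_handler };
    match_list *m = make_matches(words, 6);
    display_matches(m, &p, 2, check_interrupt);
    if (!m->freed) release_matches(m);  /* owner frees exactly once, afterwards */
    destroy_matches(m);
    return p.uaf_reads;
}

int buggy_use_after_free_count(void)    { return run_scenario(1, 0); }  /* 4 */
int hardened_use_after_free_count(void) { return run_scenario(0, 1); }  /* 0 */

int main(void) {
    printf("buggy: %d stale reads\n", buggy_use_after_free_count());
    printf("hardened: %d stale reads\n", hardened_use_after_free_count());
    return 0;
}
```

The two halves of the hardened variant matter together: a handler that only sets a flag is async-signal-safe and cannot free memory a caller still holds, and a display loop that checks the pager's interrupted status is what stops the remaining entries from being read. Either half alone narrows the window but does not close it, which is why the trace shows the read at complete.c:1604 after the handler has already returned.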