I just did a fresh compile from the github repo with debug and ran it
under valgrind:

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/12/11

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh ~/test/out2/crashes/0
==4765== Memcheck, a memory error detector
==4765== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4765== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4765== Command: ./mksh /home/ubuntu/test/out2/crashes/0
==4765== 
==4765== Invalid read of size 1
==4765==    at 0x142D96: isglobal (var.c:283)
==4765==    by 0x12527A: test_eval.part.5 (funcs.c:2827)
==4765==    by 0x12708D: test_primary (funcs.c:3134)
==4765==    by 0x12708D: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==  Address 0x4a3ab55 is 0 bytes after a block of size 5 alloc'd
==4765==    at 0x4836C17: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4765==    by 0x10B68C: aresize (lalloc.c:154)
==4765==    by 0x1176DB: expand (eval.c:1003)
==4765==    by 0x11ABDD: evalstr (eval.c:169)
==4765==    by 0x11AE09: dbteste_getopnd (exec.c:1869)
==4765==    by 0x12707A: test_primary (funcs.c:3128)
==4765==    by 0x12707A: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765== 
==4765== 
==4765== HEAP SUMMARY:
==4765==     in use at exit: 0 bytes in 0 blocks
==4765==   total heap usage: 435 allocs, 435 frees, 46,706 bytes allocated
==4765== 
==4765== All heap blocks were freed -- no leaks are possible
==4765== 
==4765== For counts of detected and suppressed errors, rerun with: -v
==4765== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

https://bugs.launchpad.net/bugs/1857826

Title:
  mksh ASAN heap-buffer-overflow

Status in mksh:
  New

Bug description:
  When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
  undefined environment variable) mksh will crash.

  $ echo $KSH_VERSION
  @(#)MIRBSD KSH R57 2019/03/01
  $ set | grep XX=
  
  $ [[ -v $XX ]]
  =================================================================
  ==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
  READ of size 1 at 0xf4d024d5 thread T0
      #0 0x56763b98  (/usr/bin/mksh+0x193b98)

  0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
  allocated by thread T0 here:
      #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
      #1 0x565e115d  (/usr/bin/mksh+0x1115d)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
  Shadow bytes around the buggy address:
    0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
    0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
    0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
    0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
    0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
    0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==362==ABORTING
