Public bug reported:

ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
=================================================================
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc  (/usr/bin/mksh+0x7befc)

0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565df15d  (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
Shadow bytes around the buggy address:
==4807==ABORTING

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
==4808== Memcheck, a memory error detector
==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4808== Command: ./mksh -c echo\ ${0@#$0}
==4808==
==4808== Invalid read of size 1
==4808==    at 0x118527: expand (eval.c:821)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808== Invalid read of size 1
==4808==    at 0x1173CF: expand (eval.c:869)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808==
==4808== HEAP SUMMARY:
==4808==     in use at exit: 0 bytes in 0 blocks
==4808==   total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
==4808==
==4808== All heap blocks were freed -- no leaks are possible
==4808==
==4808== For counts of detected and suppressed errors, rerun with: -v
==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

** Affects: mksh
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857828

Title:
  mksh expand ASAN heap-buffer-overflow

Status in mksh:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857828/+subscriptions