Hello,

When trying to compile latest bash (4.3 + all patches up to 039) with address sanitizer I discovered a potential out of bounds read. It seems to be related to tab completion and readline.

To reproduce:

1. compile bash with asan:
   ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g -ggdb" LDFLAGS="-fsanitize=address"
   (-g -ggdb not necessary but they improve the debugging output of asan)
2. run it: ./bash
3. type in something like a= and press "tab" multiple times.

For me bash crashes then and shows the error below.

I tried to track down the reason, but I didn't easily find that out. The line where it happens is in subst.c:

   slen = strlen (string + start) + start;

Part of the function skip_to_delim, which gets called from this code in bashline.c:

   for (s = start; whitespace (rl_line_buffer[s]); s++)
     ;
   /* skip until a shell break character */
   e = skip_to_delim (rl_line_buffer, s, "()<>;&| \t\n", SD_NOJMP);

I don't really understand the meaning of all the code, so it may be better someone familiar with the code has a look.

I have attached the address sanitizer stack trace below.

==5029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009600 at pc 0x7f4ec7e17e00 bp 0x7ffc93ed5f80 sp 0x7ffc93ed5f50
READ of size 258 at 0x611000009600 thread T0
    #0 0x7f4ec7e17dff in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x32dff)
    #1 0x4a11e6 in skip_to_delim /mnt/ram/bash-4.3/subst.c:1722
    #2 0x500def in find_cmd_name /mnt/ram/bash-4.3/bashline.c:1342
    #3 0x501996 in attempt_shell_completion /mnt/ram/bash-4.3/bashline.c:1480
    #4 0x59d422 in gen_completion_matches /mnt/ram/bash-4.3/lib/readline/complete.c:1162
    #5 0x5a15ec in rl_complete_internal /mnt/ram/bash-4.3/lib/readline/complete.c:1955
    #6 0x59a72b in rl_complete /mnt/ram/bash-4.3/lib/readline/complete.c:431
    #7 0x5888c2 in _rl_dispatch_subseq /mnt/ram/bash-4.3/lib/readline/readline.c:832
    #8 0x58849f in _rl_dispatch /mnt/ram/bash-4.3/lib/readline/readline.c:775
    #9 0x587caa in readline_internal_char /mnt/ram/bash-4.3/lib/readline/readline.c:602
    #10 0x587d3a in readline_internal_charloop /mnt/ram/bash-4.3/lib/readline/readline.c:629
    #11 0x587d63 in readline_internal /mnt/ram/bash-4.3/lib/readline/readline.c:643
    #12 0x587458 in readline /mnt/ram/bash-4.3/lib/readline/readline.c:369
    #13 0x42cb48 in yy_readline_get /usr/src/local/bash/bash-4.3-patched/parse.y:1448
    #14 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #15 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #16 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #17 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #18 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #19 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #20 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #21 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #22 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #23 0x7f4ec760cf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #24 0x41e918 (/mnt/ram/bash-4.3/bash+0x41e918)

0x611000009600 is located 0 bytes to the right of 256-byte region [0x611000009500,0x611000009600)
allocated by thread T0 here:
    #0 0x7f4ec7e3c787 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57787)
    #1 0x5227fd in xmalloc /mnt/ram/bash-4.3/xmalloc.c:112
    #2 0x589685 in readline_initialize_everything /mnt/ram/bash-4.3/lib/readline/readline.c:1149
    #3 0x58953f in rl_initialize /mnt/ram/bash-4.3/lib/readline/readline.c:1056
    #4 0x4fc32e in initialize_readline /mnt/ram/bash-4.3/bashline.c:476
    #5 0x42ca71 in yy_readline_get /usr/src/local/bash/bash-4.3-patched/parse.y:1434
    #6 0x42c9f4 in yy_getc /usr/src/local/bash/bash-4.3-patched/parse.y:1382
    #7 0x42ed1f in shell_getc /usr/src/local/bash/bash-4.3-patched/parse.y:2283
    #8 0x431397 in read_token /usr/src/local/bash/bash-4.3-patched/parse.y:3050
    #9 0x430128 in yylex /usr/src/local/bash/bash-4.3-patched/parse.y:2637
    #10 0x425783 in yyparse /mnt/ram/bash-4.3/y.tab.c:2020
    #11 0x424e49 in parse_command /mnt/ram/bash-4.3/eval.c:238
    #12 0x42508a in read_command /mnt/ram/bash-4.3/eval.c:282
    #13 0x424653 in reader_loop /mnt/ram/bash-4.3/eval.c:145
    #14 0x41fb48 in main /mnt/ram/bash-4.3/shell.c:756
    #15 0x7f4ec760cf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x0c227fff9270: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9290: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff92b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92c0:[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff92d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff92e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9300: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5029==ABORTING

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
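The ASan report above says strlen ran 258 bytes past the end of a 256-byte readline buffer, which is what `strlen (string + start) + start` does whenever `start` points at or beyond the terminator of the buffer it was computed from. The following is an added example, not code from bash or from the reporter: a hypothetical bounds-aware scan, `skip_to_delim_bounded`, that takes the valid length of the buffer explicitly and clamps an out-of-range `start` instead of handing it to strlen. The function name, its signature and the sample inputs are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for the strlen(string + start) + start pattern
 * named in the ASan report. Example code only; bash's real skip_to_delim
 * has a different signature and more responsibilities.
 *
 * buf    : bytes to scan (need not be NUL-terminated within len)
 * len    : number of bytes in buf that are valid to read
 * start  : index to begin scanning from
 * delims : NUL-terminated set of delimiter bytes
 *
 * Returns the index of the first delimiter or NUL at or after start,
 * or len if none is found. A start beyond len is clamped to len, so the
 * function never reads outside [buf, buf + len). */
size_t skip_to_delim_bounded(const char *buf, size_t len, size_t start,
                             const char *delims)
{
    if (buf == NULL || delims == NULL)
        return 0;
    if (start > len)          /* the report's failure mode: start past the region */
        return len;

    for (size_t i = start; i < len; i++) {
        if (buf[i] == '\0')   /* stop where strlen would have stopped */
            return i;
        if (strchr(delims, buf[i]) != NULL)
            return i;
    }
    return len;               /* no delimiter inside the valid region */
}

/* Bounded form of the report's `slen = strlen (string + start) + start`:
 * the index of the terminating NUL, never past cap. */
size_t bounded_slen(const char *string, size_t cap, size_t start)
{
    if (string == NULL || start > cap)
        return cap;
    return strnlen(string + start, cap - start) + start;
}

int main(void)
{
    /* Constructed sample: a 256-byte line buffer like readline's, holding
     * the report's "a=" input, with the same break set bash passes. */
    char line[256] = "a=";
    const char *breaks = "()<>;&| \t\n";

    printf("delim after \"a=\" from 0: %zu\n",
           skip_to_delim_bounded(line, sizeof line, 0, breaks));
    printf("delim after \"ls -l\" from 0: %zu\n",
           skip_to_delim_bounded("ls -l", 5, 0, breaks));
    printf("start beyond buffer is clamped: %zu\n",
           skip_to_delim_bounded(line, sizeof line, 1000, breaks));
    printf("bounded slen of \"a=\": %zu\n", bounded_slen(line, sizeof line, 0));
    return 0;
}
```

Building this with the same `-fsanitize=address` flags the report used is a cheap way to confirm that no read escapes the buffer even for a deliberately oversized `start`; the clamp at the top of each function is the check the reported expression lacks.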