On 8/30/22 1:02 PM, Иван Капранов wrote:
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D>
uname output: Linux fedora 5.18.13-200.fc36.x86_64 #1 SMP
PREEMPT_DYNAMIC Fri Jul 22 14:03:36 UTC 2022 x86_64 x86_64 x86_64
GNU/Linux
Machine Type: x86_64-redhat-linux-gnu
Bash Version: 5.1
Patch Level: 16
Release Status: release
Hi! I was fuzzing bash with AFL++ and found a heap-buffer-overflow in the
valid_parameter_transform function.
Description:
ASAN report:
==3430898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000018b1 at pc 0x563102ad26cf bp 0x7ffc38fef8d0 sp 0x7ffc38fef8c8
READ of size 1 at 0x6020000018b1 thread T0
    #0 0x563102ad26ce in valid_parameter_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7919:7
    #1 0x563102ad26ce in parameter_brace_transform /root/rpmbuild/BUILD/bash-5.1/subst.c:7965:7
    #2 0x563102ab1bfc in parameter_brace_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9306:15
    #3 0x563102ab1bfc in param_expand /root/rpmbuild/BUILD/bash-5.1/subst.c:9765:15
    #4 0x563102a95295 in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10334:12
    #5 0x563102a93c3a in expand_word_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:10518:15
    #6 0x563102af2ffb in shell_expand_word_list /root/rpmbuild/BUILD/bash-5.1/subst.c:11895:18
    #7 0x563102af2ffb in expand_word_list_internal /root/rpmbuild/BUILD/bash-5.1/subst.c:12019:14
    #8 0x5631029c357a in expand_words /root/rpmbuild/BUILD/bash-5.1/subst.c:11362:11
    #9 0x5631029c357a in execute_simple_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:4393:15
    #10 0x5631029b3972 in execute_command_internal /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:858:4
    #11 0x5631029adf52 in execute_command /root/rpmbuild/BUILD/bash-5.1/execute_cmd.c:399:12
    #12 0x56310293ec72 in reader_loop /root/rpmbuild/BUILD/bash-5.1/eval.c:171:8
    #13 0x563102937925 in main /root/rpmbuild/BUILD/bash-5.1/shell.c:821:3
    #14 0x7ff11dbeed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x7ff11dbeee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #16 0x56310286e6c4 in _start (/root/rpmbuild/BUILD/bash-5.1/bash+0x14d6c4) (BuildId: 3f6aa27b1f7ac560)

0x6020000018b1 is located 0 bytes to the right of 1-byte region [0x6020000018b0,0x6020000018b1)
allocated by thread T0 here:
    #0 0x5631028f150e in malloc (/root/rpmbuild/BUILD/bash-5.1/bash+0x1d050e) (BuildId: 3f6aa27b1f7ac560)
    #1 0x563102b8eaee in xmalloc /root/rpmbuild/BUILD/bash-5.1/xmalloc.c:114:10
    #2 0x563102b8eaee in substring /root/rpmbuild/BUILD/bash-5.1/stringlib.c:135:20
Repeat-By:
1. Build bash with ASAN
2. Run with AFL++ crafted input (in attachment)
After receiving the attachment, this is the same issue as the previous
message: specifying a parameter transformation that causes recursive
expansion on a variable whose value contains the same parameter
transformation.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/