Bash IFS bug
2025-08-14
From: the.true.nathan.mi...@gmail.com
To: bug-bash@gnu.org
Subject: Bash 5.3 crashes on a syntactically invalid IFS array

Configuration Information:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2
uname output: Linux nixos 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.2
Patch Level: 37
Release Status: release

Description:
Bash 5.3 crashes on a syntactically invalid IFS array.

Setting the IFS variable to a syntactically invalid array causes Bash to free the old value of IFS (in convert_var_to_array), leaving `ifs_value` as a dangling pointer. When Bash later tries to use ifs_value in expand_word_internal, AddressSanitizer immediately complains about a use-after-free.

Found with AFL++ running in a Docker Desktop container on NixOS-WSL2. This is crash id #355 in output_devel-gffcfb14_try5. There are also two other crashes, #456 and #458, with a different backtrace than 355, but the #456 and #458 backtraces are nearly the same, so I only included one of them. With all three crashing inputs, the address that AddressSanitizer complains about is that of ifs_value. I would have minimized #456 and #458 as well, but afl-tmin does not seem to work very well on those test cases.

Repeat-By:
Sequence of events:
1. initialize_shell_variables binds IFS to a new temporary variable with the value of "\t\n"
2. do_compound_assignment indirectly calls convert_var_to_array
3. convert_var_to_array frees the value underlying IFS; now ifs_value points to freed memory.
4. expand_word_internal tries to use ifs_value
5. AddressSanitizer complains of use-after-free.

Reproducible: every time with development bash, never with NixOS's system bash.

Minimal: bash -c 'IFS=($@!)'

Fix:
The fix is to treat IFS as a special variable in do_compound_assignment by clearing the IFS value if we are about to convert it into an array. The patch provided stops Bash from crashing and seems to pass all the tests except for the ones complaining about /bin/echo missing, but that's normal on NixOS.

```diff
diff --git a/subst.c b/subst.c
index c98330a5..cd98a863 100644
--- a/subst.c
+++ b/subst.c
@@ -3500,6 +3500,8 @@ do_compound_assignment (const char *name, char *value, int flags)
     }
   else
     {
+      if (STREQ(name, "IFS") && ifs_var && !array_p(ifs_var))
+        ifs_value = NULL;
       v = assign_array_from_string (name, value, flags);
       if (v && ASSIGN_DISALLOWED (v, flags))
         {
```

Bash version: ff6cfb14 (heads/devel, Aug 8, 2025)
Development bash: GNU bash, version 5.3.0(5)-maint (x86_64-pc-linux-gnu)
System bash: GNU bash, version 5.3.0(1)-release (x86_64-pc-linux-gnu)
Bash compile flags: CC=clang CXX=clang++ CFLAGS='-fsanitize=address,undefined' bash -c './configure --without-bash-malloc && make -j6'
AFL++ 4.32c
Docker version: 4.44.1 (201842)
Engine: 28.3.2
NixOS version: 25.05.808080.ddae11e58c0c (Warbler)
Clang version (Docker, but clang on NixOS is the same version):
```
Ubuntu clang version 19.1.7 (++20250114103253+cd708029e0b2-1~exp1~20250114103309.40)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
```
wsl.exe --version:
```
WSL version: 2.5.10.0
Kernel version: 6.6.87.2-1
WSLg version: 1.0.66
MSRDC version: 1.2.6074
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.19045.6216
```
Computer: MSi GS63 Stealth 8RE running Windows 10 x64 upgraded with 32-gigs memory and 2TB hard drive

```
=================================================================
==8431==ERROR: AddressSanitizer: heap-use-after-free on address 0x5020000035d0 at pc 0x555555983305 bp 0x7fffffff9790 sp 0x7fffffff9788
READ of size 1 at 0x5020000035d0 thread T0
```
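Review bot: the guard in the hunk invalidates ifs_value only on the do_compound_assignment path, while the rr backtrace places the free inside convert_var_to_array, reached via find_or_make_array_variable from assign_array_from_string; any other caller that converts IFS to an array hits the same free with the cache still set, so consider clearing ifs_value where ifs_var's value is actually released rather than in one caller. The condition `STREQ(name, "IFS") && ifs_var && !array_p(ifs_var)` also assumes the global ifs_var is the variable about to be converted; the report says initialize_shell_variables binds IFS to a temporary variable, so it is worth confirming the two refer to the same object before relying on the name match. Setting ifs_value to NULL leans on every consumer tolerating NULL, as `quote_spaces = (ifs_value && *ifs_value == 0)` at subst.c:4731 does; a short comment explaining why NULL is safe here, and a regression test for `bash -c 'IFS=($@!)'`, would make the change easier to accept.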
```
0x0000701a970e7f1c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x0000701a970e7f1c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000701a9708919e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000701a9706c902 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x0000598d93fd9fbb in __sanitizer::Abort() ()
#4  0x0000598d93fd78c8 in __sanitizer::Die() ()
#5  0x0000598d93fb6743 in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
#6  0x0000598d93fb5d3a in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) [clone .part.0] ()
#7  0x0000598d93fb7086 in __asan_report_load1 ()
#8  0x0000598d940f9345 in expand_word_internal (word=0x502000001bd0, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:12178
#9  0x0000598d9410a680 in shell_expand_word_list (tlist=0x502000001bf0, eflags=30) at subst.c:13113
#10 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:13280
#11 0x0000598d9416f6da in expand_compound_array_assignment (var=<optimized out>, value=0x5030000019f0 "rE_EjOCS\265e$@$all!", flags=<optimized out>) at arrayfunc.c:610
#12 0x0000598d9416dbf5 in assign_array_var_from_string (var=0x504000000810, value=0xb7d3 <error: Cannot access memory at address 0xb7d3>, flags=6) at arrayfunc.c:918
#13 0x0000598d940e7356 in do_compound_assignment (name=0x5030000019c0 "IFS", value=0x5030000019f0 "rE_EjOCS\265e$@$all!", flags=<optimized out>) at subst.c:3503
#14 do_assignment_internal (word=<optimized out>, expand=<optimized out>) at subst.c:3619
#15 0x0000598d9410786a in do_word_assignment (word=0xb7d3, flags=0) at subst.c:3663
#16 do_assignment_statements (varlist=<optimized out>, command=0x0, is_nullcmd=1) at subst.c:13192
#17 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:13258
#18 0x0000598d940597af in execute_simple_command (simple_command=<optimized out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:4617
#19 0x0000598d940503df in execute_command_internal (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:938
#20 0x0000598d9404e405 in execute_command (command=0x5030000017b0) at execute_cmd.c:456
#21 0x0000598d940013d4 in reader_loop () at eval.c:183
#22 0x0000598d93ffc18f in main (argc=2, argv=0x7ffc3cc57548, env=<optimized out>) at shell.c:834
(gdb) frame 8
#8  0x0000598d940f9345 in expand_word_internal (word=0x502000001bd0, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:12178
```

Freed at:
```
0x000064afacb9c81f in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ()
(rr) bt
#0  0x000064afacb9c81f in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ()
#1  0x000064afacc877ff in ___interceptor_free.part.0 ()
#2  0x000064aface45891 in convert_var_to_array (var=<optimized out>) at arrayfunc.c:84
#3  0x000064aface492a1 in find_or_make_array_variable (name=name@entry=0x50300000db40 "IFS", flags=<optimized out>) at arrayfunc.c:499
#4  0x000064aface49b27 in assign_array_from_string (name=0x0, name@entry=0x50300000db40 "IFS", value=0x50300000db70 "rE_EjOCS\265e$@$all!", flags=3, flags@entry=0) at arrayfunc.c:517
#5  0x000064afacdc3356 in do_compound_assignment (name=0x50300000db40 "IFS", value=0x50300000db70 "rE_EjOCS\265e$@$all!", flags=<optimized out>) at subst.c:3503
#6  do_assignment_internal (word=<optimized out>, expand=<optimized out>) at subst.c:3619
#7  0x000064afacde386a in do_word_assignment (word=0x0, flags=0) at subst.c:3663
#8  do_assignment_statements (varlist=<optimized out>, command=0x0, is_nullcmd=1) at subst.c:13192
#9  expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:13258
#10 0x000064afacd357af in execute_simple_command (simple_command=<optimized out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:4617
#11 0x000064afacd2c3df in execute_command_internal (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:938
#12 0x000064afacd2a405 in execute_command (command=0x50300000d930) at execute_cmd.c:456
#13 0x000064afaccdd3d4 in reader_loop () at eval.c:183
#14 0x000064afaccd818f in main (argc=2, argv=0x7ffe8f0f3ef8, env=<optimized out>) at shell.c:834
```

********Crash #456*******
```
../output_devel-gff6cfb14_try5/default/crashes/id:000456,sig:06,src:011419,time:30395246,execs:8498269,op:havoc,rep:1: line 1: export: `�ac': not a valid identifier
../output_devel-gff6cfb14_try5/default/crashes/id:000456,sig:06,src:011419,time:30395246,execs:8498269,op:havoc,rep:1: line 1: export: `=�Jt': not a valid identifier
../output_devel-gff6cfb14_try5/default/crashes/id:000456,sig:06,src:011419,time:30395246,execs:8498269,op:havoc,rep:1: line 1: export: `dahinstory-s': not a valid identifier
=================================================================
==7725==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000011230 at pc 0x5555559850b5 bp 0x7fffffff9510 sp 0x7fffffff9508
READ of size 1 at 0x503000011230 thread T0
```
```
Program received signal SIGKILL, Killed.
0x0000555555854890 in __sanitizer::internal__exit(int) ()
(rr) bt
#0  0x0000555555854890 in __sanitizer::internal__exit(int) ()
#1  0x00005555558618d3 in __sanitizer::Die() ()
#2  0x0000555555840743 in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
#3  0x000055555583fd3a in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) [clone .part.0] ()
#4  0x0000555555841086 in __asan_report_load1 ()
#5  0x00005555559850b5 in dequote_escapes (string=0x502000006e70 "==\001\001") at subst.c:4731
#6  0x000055555597a8f3 in remove_quoted_escapes (string=0x502000006e70 "==\001\001") at subst.c:4927
#7  expand_word_internal (word=0x502000005250, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:11926
#8  0x0000555555994640 in shell_expand_word_list (tlist=0x502000005270, eflags=30) at subst.c:13113
#9  expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:13280
#10 0x00005555559f969a in expand_compound_array_assignment (var=<optimized out>, value=0x502000006d90 "'==\001\001' '!'", flags=<optimized out>) at arrayfunc.c:610
#11 0x00005555559f7bb5 in assign_array_var_from_string (var=0x504000010590, value=0x0, flags=0) at arrayfunc.c:918
#12 0x0000555555971316 in do_compound_assignment (name=0x503000012190 "IFS", value=0x502000006d90 "'==\001\001' '!'", flags=<optimized out>) at subst.c:3503
#13 do_assignment_internal (word=<optimized out>, expand=<optimized out>) at subst.c:3619
#14 0x000055555599433f in do_word_assignment (word=0x1, flags=0) at subst.c:3663
#15 expand_declaration_argument (tlist=0x502000004af0, wcmd=0x502000004bb0) at subst.c:13066
#16 shell_expand_word_list (tlist=0x502000004af0, eflags=31) at subst.c:13109
#17 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:13280
#18 0x00005555558e376f in execute_simple_command (simple_command=<optimized out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:4617
#19 0x00005555558da39f in execute_command_internal (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:938
#20 0x00005555558d83c5 in execute_command (command=0x503000011f20) at execute_cmd.c:456
#21 0x000055555588b394 in reader_loop () at eval.c:183
#22 0x000055555588614f in main (argc=2, argv=0x7fffffffa3d8, env=<optimized out>) at shell.c:834
(rr) frame 5
#5  0x00005555559850b5 in dequote_escapes (string=0x502000006e70 "==\001\001") at subst.c:4731
4731	  quote_spaces = (ifs_value && *ifs_value == 0);
(rr) p ifs_value
$1 = 0x503000011230 "\025\002"
(rr)
```

********Crash #458********