URL:
  <https://savannah.gnu.org/bugs/?67755>

                 Summary: heap-buffer-overflow (write 1 byte) in brace_expand function
                   Group: The GNU Bourne-Again SHell
               Submitter: None
               Submitted: Tue 02 Dec 2025 06:08:34 AM UTC
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 02 Dec 2025 06:08:34 AM UTC By: Anonymous
Hello, we were fuzzing bash-5.2.15 and we have found several crashes in the
braces.c module.
To reproduce the heap-buffer-overflow you need to do:
1) Apply our patch for fuzzing (fuzz.patch in attachments). In this patch we
added our target brace_expand in the Makefile for building with ASan and UBSan.
Also we set the max range for brace_expand (no more than 100); this is needed
to ensure high speed of fuzzing and avoid false timeouts. Also we disabled the
extract_command_subst call, because we are not interested in that module for
now. And finally we disabled main in shell.c and rewrote main in brace.c to
read from stdin and call the brace_expand function. We hope that our changes
didn't break any logic and also will not confuse you.
2) Then you need to compile bash brace_expand with ASan. Thanks to our patch
you can just do the following (we used clang-15 for compilation):
```bash
./configure CC="clang" CXX="clang++" --without-bash-malloc
make asan
```
3) After that you can execute the binary brace_expand with our crash (crash in
attachments) and see the AddressSanitizer error:
```bash
./brace_expand < crash
```

I will also provide a Dockerfile in which we were performing our testing; you can
use it to quickly reproduce the environment. Hope it will help you.

This was found by Leonid Reviakin
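Steps 2 and 3 above reproduce a single crash input. The helper below is an added example, not part of the report or its attachments: it runs the ASan-instrumented `./brace_expand` harness on each input in a crash directory and reduces every run to its one-line sanitizer summary, so that the several crashes the submitter mentions can be grouped by root cause before filing or fixing. It assumes `./brace_expand` is the binary produced by `make asan` and that the crash inputs sit in a directory passed as the second argument.

```bash
#!/bin/sh
# Triage helper for stdin-driven sanitizer harnesses such as the reported
# ./brace_expand < crash setup. Assumed: $1 is the ASan/UBSan build of the
# harness, $2 a directory of crash inputs produced by the fuzzer.

# Run one input through the harness and print the text after
# "SUMMARY: AddressSanitizer: " (bug type, location, frame). Prints nothing
# when the run produced no sanitizer report.
asan_summary() {
    harness="$1"
    input="$2"
    # detect_leaks=0: the crashing path never reaches free(), so leak reports
    # would only add noise. halt_on_error=1 stops at the first bad access.
    # exitcode=86 gives a distinctive status for a sanitizer-detected fault.
    ASAN_OPTIONS="detect_leaks=0:halt_on_error=1:exitcode=86" \
        "$harness" < "$input" 2>&1 >/dev/null \
        | sed -n 's/^SUMMARY: AddressSanitizer: //p' | head -n 1
}

# Walk a directory of crash inputs and emit "<summary>\t<file>" lines, sorted,
# so that inputs hitting the same bug type and frame end up adjacent.
triage_dir() {
    harness="$1"
    dir="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        s=$(asan_summary "$harness" "$f")
        printf '%s\t%s\n' "${s:-no sanitizer report}" "$f"
    done | sort
}
```

Usage: `triage_dir ./brace_expand ./crashes`; inputs sharing a summary line are duplicates of one bug and only one of them needs to go into the report.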

    _______________________________________________________
File Attachments:

Name: fuzz.patch                     Size: 4.8KiB
Name: Dockerfile                     Size: 789B
Name: crash                          Size: 243B

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?67755>
