[bug #67756] UndefinedBehavior in brace_expand

[Leonid Reviakin]

URL:
  <https://savannah.gnu.org/bugs/?67756>

                 Summary: UndefinedBehavior in brace_expand
                   Group: The GNU Bourne-Again SHell
               Submitter: lenix
               Submitted: Tue 02 Dec 2025 06:33:28 AM UTC
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 02 Dec 2025 06:33:28 AM UTC By: Leonid Reviakin <lenix>
Hello, we were fuzzing bash-5.2.15 and we have found several crashes with
UndefinedBehavior sanitizer in braces.c module. We think that these crashes
might have security implications, that's why we create this issue as a
private.
To reproduce crashes you need to do:
1) apply our patch for fuzzing (fuzz.patch in attachments). In this patch we
added our target brace_expand in Makefile for building with asan and ubsan.
Also we set the maz range for brace_expand (no more then 100), this is needed
to ensure high speed of fuzzing and avoid false timeouts. Also we disabled
extract_command_subst call, because we are not interested in that module for
now. And finally we disabled main in shell.c and rewrote main in brace.c to
read from stdin and call brace_expand function. We hope that our changes
didn't break any logic and also will not confuse you.
2) Then you need to compile bash brace_expand with ubsan. Thanks to our patch
you can just do following (we used clang-15 for compilation):
``` #bash
./configure CC="clang" CXX="clang++" --without-bash-malloc
make ubsan
```
3) after that you can execute binary brace_expand with our crashes
(crashes.tar in attachments):
``` #bash
./brace_expand < crash_<id>
```
I will also provide Dockerfile in which we were perform our testing, you can
use it to quickly reproduce the environment. Hope it will help you.

This was found by Leonid Reviakin

P.S. also I just created another issue 67755, but I wasn't logged in, so can
you add me to that issue, please.






    _______________________________________________________
File Attachments:

Name: crashes.tar                    Size: 10KiB
Name: Dockerfile                     Size: 789B
Name: fuzz.patch                     Size: 4.8KiB

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?67756>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

signature.asc
Description: PGP signature