Dear Bash Maintainers,
I encountered an issue in Bash and would like to report it. crash2.txt
is attached to the email.
Steps to reproduce
$ CC=clang-19 CFLAGS=" -g -fsanitize=address -Wno-everything -std=gnu99 " ./configure --enable-largefile --without-bash-malloc
$ make
$ cat crash2.txt | xargs -0 ./bash
Expected Behaviour
Any messages without asan ERROR.
Actual Behaviour
=================================================================
==876462==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000001b10 at pc 0x5aa69f8ebae8 bp 0x7ffc839ea130 sp 0x7ffc839ea128
READ of size 4 at 0x503000001b10 thread T0
    #0 0x5aa69f8ebae7 in executing_line_number /upstream/bash/execute_cmd.c:437:40
    #1 0x5aa69f92b334 in error_prolog /upstream/bash/error.c:80:53
    #2 0x5aa69f92b90b in internal_warning /upstream/bash/error.c:226:3
    #3 0x5aa69f8e04f0 in make_here_document /upstream/bash/make_cmd.c:627:5
    #4 0x5aa69f8bba40 in gather_here_documents /upstream/bash/./parse.y:3155:7
    #5 0x5aa69f8c6f47 in read_token /upstream/bash/./parse.y:3678:2
    #6 0x5aa69f8bb390 in yylex /upstream/bash/./parse.y:3103:19
    #7 0x5aa69f8b18a7 in yyparse /upstream/bash/y.tab.c:1912:16
    #8 0x5aa69f8b0d39 in parse_command /upstream/bash/eval.c:369:7
    #9 0x5aa69fa35273 in parse_and_execute /upstream/bash/builtins/evalstring.c:451:11
    #10 0x5aa69f8adc23 in run_one_command /upstream/bash/shell.c:1483:12
    #11 0x5aa69f8aa1f5 in main /upstream/bash/shell.c:768:7
    #12 0x7eb3b8fe6249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7eb3b8fe6304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x5aa69f7c9a70 in _start (/upstream/bash/bash+0xb2a70) (BuildId: 6e4eb3f6b91d25547d3c3b8f712ef67edf6e8d44)

0x503000001b10 is located 0 bytes inside of 32-byte region [0x503000001b10,0x503000001b30)
freed by thread T0 here:
    #0 0x5aa69f868a76 in free (/upstream/bash/bash+0x151a76) (BuildId: 6e4eb3f6b91d25547d3c3b8f712ef67edf6e8d44)
    #1 0x5aa69f8ea376 in dispose_command /upstream/bash/dispose_cmd.c:204:3
    #2 0x5aa69f8ea1c8 in dispose_command /upstream/bash/dispose_cmd.c:162:2
    #3 0x5aa69f8eb0c4 in uw_dispose_command /upstream/bash/dispose_cmd.c:210:3
    #4 0x5aa69f9ba081 in unwind_frame_run_internal /upstream/bash/unwind_prot.c:286:6
    #5 0x5aa69f9b9b3e in run_unwind_frame /upstream/bash/unwind_prot.c:122:5
    #6 0x5aa69fa35171 in parse_and_execute /upstream/bash/builtins/evalstring.c:425:3
    #7 0x5aa69f8adc23 in run_one_command /upstream/bash/shell.c:1483:12
    #8 0x5aa69f8aa1f5 in main /upstream/bash/shell.c:768:7
    #9 0x7eb3b8fe6249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5aa69f868d0f in malloc (/upstream/bash/bash+0x151d0f) (BuildId: 6e4eb3f6b91d25547d3c3b8f712ef67edf6e8d44)
    #1 0x5aa69fa1e8d9 in xmalloc /upstream/bash/xmalloc.c:104:10
    #2 0x5aa69f8df577 in make_bare_simple_command /upstream/bash/make_cmd.c:457:24
    #3 0x5aa69f8df798 in make_simple_command /upstream/bash/make_cmd.c:482:17
    #4 0x5aa69f8b41a7 in yyparse /upstream/bash/./parse.y:832:45
    #5 0x5aa69f8b0d39 in parse_command /upstream/bash/eval.c:369:7
    #6 0x5aa69fa35273 in parse_and_execute /upstream/bash/builtins/evalstring.c:451:11
    #7 0x5aa69f8adc23 in run_one_command /upstream/bash/shell.c:1483:12
    #8 0x5aa69f8aa1f5 in main /upstream/bash/shell.c:768:7
    #9 0x7eb3b8fe6249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /upstream/bash/execute_cmd.c:437:40 in executing_line_number
Additional info
Steps to generate crash2.txt:
Copy the text into the file bs64.txt (between 1.= and 2.=):
1.============================================================================================
LWMAJHtQQRs9PT1//28gZnV732VjaG8gZnVuY3R7bmN0ey11b247IH07/x51dGUKCvstQDw8cnUA
bltbW1tbW1tbW1tbW1tbW1tbW1s9W1tlc10ASEheAA==
2.============================================================================================
Then do the action:
base64 -d bs64.txt > crash2.txt
Bash Version
commit 2cdb2f9b314525a118eff5237839ccc272c2e32b
root@fc5d05699037:/upstream/bash# ./bash --version
GNU bash, version 5.3.0(2)-maint (x86_64-pc-linux-gnu)
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Also, the behaviour reproduces on the bash 5.2 release.
System Info
Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23 09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.4 (1~deb12u1)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
-c ${PA===ÿo fu{ßecho funct{nct{-uon; };ÿute
û-@<<ru n[[[[[[[[[[[[[[[[[[[=[[es] HH^
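To see what `cat crash2.txt | xargs -0 ./bash` actually hands to the shell, the following script is an added triage helper written for this page; it is not part of the report and not bash code. It decodes the base64 text from the Additional info section the way `base64 -d` does, splits the result on NUL bytes the way `xargs -0` does, and then checks each `<<` redirection in the resulting `-c` script for a closing delimiter line. The report's trace reaches the faulting read through make_here_document → internal_warning, and an unterminated here-document is the condition that check looks for; the regex used here (HEREDOC_RE) is a deliberately simple approximation of bash's tokenizer and is an assumption of this example.

```python
import base64
import re

# Base64 text copied verbatim from the report's bs64.txt block; the line
# breaks are mail wrapping and are discarded by base64.b64decode.
BS64_TEXT = """
LWMAJHtQQRs9PT1//28gZnV732VjaG8gZnVuY3R7bmN0ey11b247IH07/x51dGUKCvstQDw
8cnUA
bltbW1tbW1tbW1tbW1tbW1tbW1s9W1tlc10ASEheAA==
"""

# Assumption: a rough match for a here-document redirection operator and its
# delimiter word. bash's real tokenizer handles quoting and expansion rules
# this pattern ignores; it is only meant for a first look at a crash input.
HEREDOC_RE = re.compile(rb"<<-?[ \t]*['\"]?(\w+)")


def decode_crash_file(b64_text: str) -> bytes:
    """Reproduce `base64 -d bs64.txt > crash2.txt` in memory."""
    return base64.b64decode(b64_text)


def split_nul_args(data: bytes) -> list[bytes]:
    """Split crash2.txt the way `xargs -0` does: one argument per NUL-terminated record."""
    parts = data.split(b"\0")
    # A trailing NUL terminates the last record; it does not add an empty argument.
    if parts and parts[-1] == b"":
        parts.pop()
    return parts


def unterminated_heredocs(script: bytes) -> list[bytes]:
    """Return the delimiter words of `<<WORD` redirections that no later line closes."""
    missing = []
    for m in HEREDOC_RE.finditer(script):
        word = m.group(1)
        # Only lines after the one holding the redirection can close it; the
        # delimiter must stand alone on such a line (leading tabs are stripped,
        # which over-approximates the <<- form but is fine for triage).
        following = script[m.end():].split(b"\n")[1:]
        if not any(line.lstrip(b"\t") == word for line in following):
            missing.append(word)
    return missing


def summarize(args: list[bytes]) -> list[str]:
    """One human-readable line per argument, with non-printable bytes escaped."""
    return [f"argv[{i + 1}] ({len(a)} bytes): {a!r}" for i, a in enumerate(args)]


if __name__ == "__main__":
    argv = split_nul_args(decode_crash_file(BS64_TEXT))
    for line in summarize(argv):
        print(line)
    # With `-c`, argv[2] is the script text and the remaining words become $0, $1, ...
    if len(argv) > 1 and argv[0] == b"-c":
        print("here-documents left open at end of -c script:",
              unterminated_heredocs(argv[1]))
```

Run as-is it reports four NUL-separated arguments (`-c`, the script, and two further words that become `$0` and `$1`), and that the script's final line opens a here-document delimited by `ru` that the input never closes, so the parser hits end-of-file while still gathering here-documents. That is the point in the report's trace where the warning is raised and the already-disposed command is read.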