heap-use-after-free buffered_getchar() input.c:611:11

[anushakov--- via Bug reports for the GNU Bourne Again SHell]

   Dear Bash Maintainers,

   I encountered an issue in Bash and would like to report it. crash4.txt
   is attached to the email.
   Steps to reproduce
   $ CC=clang-19 CFLAGS=" -g -fsanitize=address -Wno-everything
   -std=gnu99 " ./configure --enable-largefile --without-bash-malloc
   $ make
   $ ./bash < crash4.txt

   Expected Behaviour
   Any messages without asan ERROR.

   Actual Behaviour
   ==915881==ERROR: AddressSanitizer: heap-use-after-free on address
   0x5030000018da at pc 0x5d74d9fb455d bp 0x7ffc4083bdc0 sp 0x7ffc4083bdb8
   READ of size 1 at 0x5030000018da thread T0
       #0 0x5d74d9fb455c in buffered_getchar /upstream/bash/input.c:611:11
       #1 0x5d74d9ec62a9 in yy_getc /upstream/bash/./parse.y:1609:10
       #2 0x5d74d9ec45d5 in shell_getc /upstream/bash/./parse.y:2558:8
       #3 0x5d74d9ec2c30 in read_token /upstream/bash/./parse.y:3639:23
       #4 0x5d74d9eb7390 in yylex /upstream/bash/./parse.y:3103:19
       #5 0x5d74d9ead8a7 in yyparse /upstream/bash/y.tab.c:1912:16
       #6 0x5d74d9eacd39 in parse_command /upstream/bash/eval.c:369:7
       #7 0x5d74d9eac54e in read_command /upstream/bash/eval.c:414:12
       #8 0x5d74d9eab9fc in reader_loop /upstream/bash/eval.c:147:11
       #9 0x5d74d9ea63de in main /upstream/bash/shell.c:834:3
       #10 0x7077f8810249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #11 0x7077f8810304 in __libc_start_main
   csu/../csu/libc-start.c:360:3
       #12 0x5d74d9dc5a70 in _start (/upstream/bash/bash+0xb2a70)
   (BuildId: 9bbb9cc0873a3a45e89e89db7e6aadfa736ce043)

   0x5030000018da is located 10 bytes inside of 26-byte region
   [0x5030000018d0,0x5030000018ea)
   freed by thread T0 here:
       #0 0x5d74d9e64a76 in free (/upstream/bash/bash+0x151a76) (BuildId:
   9bbb9cc0873a3a45e89e89db7e6aadfa736ce043)
       #1 0x5d74d9fb2c76 in free_buffered_stream
   /upstream/bash/input.c:437:5
       #2 0x5d74d9fb3561 in duplicate_buffered_stream
   /upstream/bash/input.c:369:2
       #3 0x5d74da00ca3e in do_redirection_internal
   /upstream/bash/redir.c:1164:6
       #4 0x5d74da00a142 in do_redirections /upstream/bash/redir.c:257:15
       #5 0x5d74d9eeb759 in cleanup_redirects
   /upstream/bash/execute_cmd.c:528:3
       #6 0x5d74d9eeb729 in undo_partial_redirects
   /upstream/bash/execute_cmd.c:549:7
       #7 0x5d74d9f0561b in execute_builtin_or_function
   /upstream/bash/execute_cmd.c:5667:7
       #8 0x5d74d9ef0b63 in execute_simple_command
   /upstream/bash/execute_cmd.c:4894:13
       #9 0x5d74d9eea10a in execute_command_internal
   /upstream/bash/execute_cmd.c:967:4
       #10 0x5d74d9ee7db6 in execute_command
   /upstream/bash/execute_cmd.c:474:12
       #11 0x5d74d9eabe9d in reader_loop /upstream/bash/eval.c:183:8
       #12 0x5d74d9ea63de in main /upstream/bash/shell.c:834:3
       #13 0x7077f8810249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16

   previously allocated by thread T0 here:
       #0 0x5d74d9e64d0f in malloc (/upstream/bash/bash+0x151d0f)
   (BuildId: 9bbb9cc0873a3a45e89e89db7e6aadfa736ce043)
       #1 0x5d74da01a8d9 in xmalloc /upstream/bash/xmalloc.c:104:10
       #2 0x5d74d9fb2e90 in fd_to_buffered_stream
   /upstream/bash/input.c:410:20
       #3 0x5d74d9fb51cc in with_input_from_buffered_stream
   /upstream/bash/input.c:636:8
       #4 0x5d74d9eaa907 in set_bash_input /upstream/bash/shell.c:1743:7
       #5 0x5d74d9ea62d1 in main /upstream/bash/shell.c:792:3
       #6 0x7077f8810249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16

   SUMMARY: AddressSanitizer: heap-use-after-free
   /upstream/bash/input.c:611:11 in buffered_getchar


   Additional info

   The content of file:
   exec 5<&0
   exec<&4
   exec<&5
   Bash Version
   commit
   2cdb2f9b314525a118eff5237839ccc272c2e32b
   [1]root@fc5d05699037:/upstream/bash# ./bash --version
   [2]GNU bash, version 5.3.0(2)-maint (x86_64-pc-linux-gnu)
   [3]Copyright (C) 2025 Free Software Foundation, Inc.
   [4]License GPLv3+: GNU GPL version 3 or later
   <http://gnu.org/licenses/gpl.html>

   [5]This is free software; you are free to change and redistribute it.
   [6]There is NO WARRANTY, to the extent permitted by law.
   Also, the behaviour is repeating on release bash 5.2 version.

   System Info
   Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul
   23 09:49:19 MSK 2024 x86_64 GNU/Linux
   Debian clang version 19.1.4 (1~deb12u1)
   Target: x86_64-pc-linux-gnu
   Thread model: posix
   InstalledDir: /usr/lib/llvm-19/bin

References

   1. mailto:root@fb1d7dcac77a
   2. mailto:root@fb1d7dcac77a
   3. mailto:root@fb1d7dcac77a
   4. mailto:root@fb1d7dcac77a
   5. mailto:root@fb1d7dcac77a
   6. mailto:root@fb1d7dcac77a

exec 5<&0
exec<&4
exec<&5