URL: <https://savannah.gnu.org/bugs/?68159>
Summary: Out of memory crashes
Group: The GNU Bourne-Again SHell
Submitter: paulloschenok
Submitted: Tue 17 Mar 2026 03:33:44 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Unlocked
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Tue 17 Mar 2026 03:33:44 PM UTC By: p.loschenok <paulloschenok>
Hello, we were fuzzing bash-5.3 and found several out-of-memory
crashes in the braces.c module. We think these crashes might have security
implications, which is why we created this issue as private.
To reproduce the crashes you need to do the following:
1) Apply our patch for fuzzing (fuzz.patch in attachments). In this patch we
added our target brace_expand to the Makefile for building with ASan and UBSan.
We also set the max range for brace_expand (no more than 100); this is needed
to ensure high fuzzing speed and avoid false timeouts. We also disabled the
extract_command_subst call, because we are not interested in that module for
now. Finally, we disabled main in shell.c and rewrote main in braces.c to
read from stdin and call the brace_expand function. We hope that our changes
didn't break any logic and will not confuse you.
2) Then you need to compile bash's brace_expand with UBSan. Thanks to our patch
you can just do the following (we used clang-15 for compilation):
#bash
./configure CC="afl-clang-lto" CFLAGS=" -DAFL_BUILD " --without-bash-malloc
make -j$(nproc) brace_expand
3) After that you can set ulimit -v 10485760 and execute the brace_expand binary
with our crashes (crashes.tar in attachments):
#bash
./brace_expand < /crash_<id>
I will also provide the Dockerfile in which we performed our testing; you can
use it to quickly reproduce the environment. Hope it will help you.
_______________________________________________________
File Attachments:
Name: fuzz.patch Size: 5.6KiB
Name: crashes.tar Size: 2.8KiB
Name: Dockerfile Size: 1.7KiB
_______________________________________________________
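The report above attributes the crashes to memory exhaustion in brace expansion, and the reporter's harness caps range size at 100 to keep the fuzzer from timing out. The block below is an added example written for this page; it is not bash's braces.c, not the reporter's fuzz.patch, and not any code from the bash project. It implements a count-first guard over a simplified brace grammar (literal text, comma lists `{a,b,c}`, integer ranges `{n..m}`, nested arbitrarily; letter ranges and step increments are treated as literal text, unlike bash) that computes how many words a pattern would produce, with saturating arithmetic, before anything is allocated. The function names `brace_word_count` and `brace_within_budget` and the 100000-word budget in `main` are this example's own choices. Reading the pattern from stdin mirrors the harness shape the reporter describes, so the same crash inputs can be fed to it to see how large the expansion they request is.

```c
/*
 * Added example, not bash's braces.c: a count-first guard for brace expansion.
 * Grammar is a simplification of bash's: literal text, comma lists {a,b,c}
 * and integer ranges {n..m}, nested arbitrarily. Letter ranges and step
 * increments ({a..e}, {1..10..2}) are treated as literal text here.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Saturating arithmetic: ULLONG_MAX means "more words than we can count". */
static unsigned long long sat_mul(unsigned long long a, unsigned long long b)
{
    if (a == 0 || b == 0) return 0;
    return (a > ULLONG_MAX / b) ? ULLONG_MAX : a * b;
}

static unsigned long long sat_add(unsigned long long a, unsigned long long b)
{
    return (a > ULLONG_MAX - b) ? ULLONG_MAX : a + b;
}

static unsigned long long count_words(const char *s, long begin, long end);

/* Index of the '}' matching the '{' at s[open], or -1 if none before end. */
static long match_brace(const char *s, long open, long end)
{
    int depth = 0;
    for (long i = open; i < end; i++) {
        if (s[i] == '{') depth++;
        else if (s[i] == '}' && --depth == 0) return i;
    }
    return -1;
}

/* Number of alternatives generated by the balanced group s[open..close]. */
static unsigned long long count_group(const char *s, long open, long close)
{
    long len = close - open - 1;           /* text strictly inside the braces */
    long lo, hi;
    int used = 0;
    char *tmp = malloc((size_t)len + 1);
    if (!tmp) return ULLONG_MAX;           /* allocation failure counts as "too big" */
    memcpy(tmp, s + open + 1, (size_t)len);
    tmp[len] = '\0';

    /* integer range {n..m}: |m - n| + 1 words (unsigned subtraction cannot overflow) */
    if (sscanf(tmp, "%ld..%ld%n", &lo, &hi, &used) == 2 && used == len) {
        free(tmp);
        unsigned long long span = lo <= hi
            ? (unsigned long long)hi - (unsigned long long)lo
            : (unsigned long long)lo - (unsigned long long)hi;
        return sat_add(span, 1);
    }
    free(tmp);

    /* comma list: sum of the word counts of the top-level alternatives */
    unsigned long long total = 0;
    int depth = 0, commas = 0;
    long start = open + 1;
    for (long i = open + 1; i < close; i++) {
        if (s[i] == '{') depth++;
        else if (s[i] == '}') depth--;
        else if (s[i] == ',' && depth == 0) {
            commas++;
            total = sat_add(total, count_words(s, start, i));
            start = i + 1;
        }
    }
    if (commas == 0)                        /* {text}: braces stay literal */
        return count_words(s, open + 1, close);
    return sat_add(total, count_words(s, start, close));
}

/* Words produced by s[begin..end): the product of the groups in sequence. */
static unsigned long long count_words(const char *s, long begin, long end)
{
    unsigned long long total = 1;
    for (long i = begin; i < end; i++) {
        if (s[i] != '{') continue;
        long close = match_brace(s, i, end);
        if (close < 0) continue;            /* unbalanced '{' is literal text */
        total = sat_mul(total, count_group(s, i, close));
        i = close;
    }
    return total;
}

/* Word count of the whole pattern, saturating at ULLONG_MAX. */
unsigned long long brace_word_count(const char *pattern)
{
    return count_words(pattern, 0, (long)strlen(pattern));
}

/* 1 if expanding pattern yields at most cap words, 0 if it would exceed cap. */
int brace_within_budget(const char *pattern, unsigned long long cap)
{
    return brace_word_count(pattern) <= cap;
}

int main(void)
{
    char line[4096];                        /* one pattern per run, read from stdin */
    if (!fgets(line, sizeof line, stdin)) return 1;
    line[strcspn(line, "\n")] = '\0';
    unsigned long long n = brace_word_count(line);
    if (n == ULLONG_MAX)
        printf("refuse: word count overflows 64 bits\n");
    else
        printf("%llu word(s); %s the 100000-word budget\n", n,
               brace_within_budget(line, 100000) ? "within" : "exceeds");
    return 0;
}
```

The point of counting before expanding is that the output of sequential groups multiplies: `{1..1000000}{1..1000000}{1..1000000}` is a 36-byte pattern that asks for 10^18 words, and a pattern of four such ranges does not even fit in a 64-bit counter. A harness or expander that checks this product against a budget (or against the `ulimit -v` it runs under) can reject the input with a clean error instead of dying in the allocator.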
Reply to this item at:
<https://savannah.gnu.org/bugs/?68159>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
