[bug #68164] Access violation crashes

[p.loschenok]

URL:
  <https://savannah.gnu.org/bugs/?68164>

                 Summary: Access violation crashes
                   Group: The GNU Bourne-Again SHell
               Submitter: paulloschenok
               Submitted: Wed 18 Mar 2026 02:51:26 PM UTC
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 18 Mar 2026 02:51:26 PM UTC By: p.loschenok <paulloschenok>
Hello, we were fuzzing bash-5.3 and we have found several crashes with
AddressSanitizer in braces.c module. We think that these crashes might have
security implications, that's why we create this issue as a private.
To reproduce crashes you need to do:
1) apply our patch for fuzzing (fuzz.patch in attachments). In this patch we
added our target brace_expand in Makefile for building with asan and ubsan.
Also we set the maz range for brace_expand (no more then 100), this is needed
to ensure high speed of fuzzing and avoid false timeouts. Also we disabled
extract_command_subst call, because we are not interested in that module for
now. And finally we disabled main in shell.c and rewrote main in brace.c to
read from stdin and call brace_expand function. We hope that our changes
didn't break any logic and also will not confuse you.
2) Then you need to compile bash brace_expand with ubsan. Thanks to our patch
you can just do following (we used clang-15 for compilation):
 #bash
./configure CC="afl-clang-lto" CFLAGS=" -DAFL_BUILD " --without-bash-malloc
make -j$(nproc) asan
3) after that you can execute binary brace_expand with our crashes
(crashes.tar in attachments):
 #bash
./brace_expand < crash_<id>
I will also provide Dockerfile in which we were perform our testing, you can
use it to quickly reproduce the environment. Hope it will help you.






    _______________________________________________________
File Attachments:

Name: Dockerfile                     Size: 1.7KiB
Name: fuzz.patch                     Size: 5.6KiB
Name: crashes.tar                    Size: 6.3KiB

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?68164>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

signature.asc
Description: PGP signature