The following keypresses seem to crash readline:

    0  Escape  0  Backspace  Ctrl-W

Typing those keystrokes into just about any program that uses readline
(e.g. bash, gdb, python) causes a segfault. I've tested this on Ubuntu
14.04, 16.04 and 17.04. Also, I was able to reproduce a crash on OS X when
I downloaded and built libreadline.

Steps to reproduce:

    git clone https://git.savannah.gnu.org/git/readline.git
    cd readline
    ./configure
    make
    cd examples
    make
    python3 -c 'print("\x30\x1b\x30\x7f\x17")' | ./rlbasic

Output:

    0Segmentation fault: 11

Debug:

    $ lldb ./rlbasic
    (lldb) target create "./rlbasic"
    Current executable set to './rlbasic' (x86_64).
    (lldb) run
    Process 92794 launched: './rlbasic' (x86_64)
    0Process 92794 stopped
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
        frame #0: 0x00007fffe566eb52 libsystem_c.dylib`strlen + 18
    libsystem_c.dylib`strlen:
    ->  0x7fffe566eb52 <+18>: pcmpeqb (%rdi), %xmm0
        0x7fffe566eb56 <+22>: pmovmskb %xmm0, %esi
        0x7fffe566eb5a <+26>: andq   $0xf, %rcx
        0x7fffe566eb5e <+30>: orq    $-0x1, %rax
    (lldb) bt
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
      * frame #0: 0x00007fffe566eb52 libsystem_c.dylib`strlen + 18
        frame #1: 0x0000000100019f02 rlbasic`_rl_copy_to_kill_ring(text=<unavailable>, append=<unavailable>) at kill.c:137 [opt]
        frame #2: 0x000000010001a347 rlbasic`rl_unix_word_rubout [inlined] rl_kill_text(from=<unavailable>) at kill.c:183 [opt]
        frame #3: 0x000000010001a318 rlbasic`rl_unix_word_rubout(count=<unavailable>, key=<unavailable>) at kill.c:338 [opt]
        frame #4: 0x0000000100002356 rlbasic`_rl_dispatch_subseq(key=23, map=0x000000010002c5c0, got_subseq=0) at readline.c:859 [opt]
        frame #5: 0x0000000100001d88 rlbasic`readline_internal_char [inlined] _rl_dispatch(key=<unavailable>, map=<unavailable>) at readline.c:802 [opt]
        frame #6: 0x0000000100001d77 rlbasic`readline_internal_char at readline.c:629 [opt]
        frame #7: 0x0000000100001645 rlbasic`readline [inlined] readline_internal_charloop at readline.c:656 [opt]
        frame #8: 0x000000010000162a rlbasic`readline [inlined] readline_internal at readline.c:670 [opt]
        frame #9: 0x0000000100001625 rlbasic`readline(prompt=<unavailable>) at readline.c:376 [opt]
        frame #10: 0x000000010000151e rlbasic`main(c=<unavailable>, v=<unavailable>) at rlbasic.c:20 [opt]
        frame #11: 0x00007fffe5638235 libdyld.dylib`start + 1
    (lldb) frame select 1
    rlbasic was compiled with optimization - stepping may behave oddly; variables may not be available.
    frame #1: 0x0000000100019f02 rlbasic`_rl_copy_to_kill_ring(text=<unavailable>, append=<unavailable>) at kill.c:137 [opt]
       134      if (_rl_last_command_was_kill && rl_editing_mode != vi_mode)
       135        {
       136          old = rl_kill_ring[slot];
    -> 137          new = (char *)xmalloc (1 + strlen (old) + strlen (text));
       138
       139          if (append)
       140            {
    (lldb) print old
    (char *) $0 = 0x0000000000000000


A HackerOne researcher (https://hackerone.com/ssarong) discovered this
crash while fuzzing mruby. I did some further investigation and traced the
problem to libreadline.

Regards,
Clayton Smith
Application Security Engineer, Shopify
_______________________________________________
Bug-readline mailing list
https://lists.gnu.org/mailman/listinfo/bug-readline
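The trace above shows _rl_last_command_was_kill set while rl_kill_ring[slot] is NULL, so the size computation at kill.c:137 calls strlen on a null pointer. The C program below is an added example, not readline's code and not part of Clayton Smith's report. It rebuilds the kill-ring copy path as a small model with the unsafe shape beside a guarded one, and reaches the crashing state the way the reported keystrokes plausibly do: a zero-length kill that marks the command as a kill without storing anything, followed by a real kill that tries to join onto the empty ring. That reading of the key sequence, the guard chosen, and every name in the model (killring, copy_to_kill_ring, kill_text, reproduce) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the kill ring the backtrace lands in: an array of heap strings,
 * a length and a "last command was a kill" flag, standing in for
 * rl_kill_ring, rl_kill_ring_length and _rl_last_command_was_kill.
 * Names and structure are assumptions; this is not readline's code. */
#define RING_MAX 10

struct killring {
    char *ring[RING_MAX];   /* entries below length hold strings or NULL */
    int length;             /* entries in use; the top slot is length-1 */
    int last_was_kill;      /* previous command was a kill command */
};

static void killring_init(struct killring *kr) { memset(kr, 0, sizeof *kr); }
static void killring_free(struct killring *kr) { while (kr->length) free(kr->ring[--kr->length]); }

/* Fresh copy of old+text (append) or text+old (prepend). */
static char *join(const char *old, const char *text, int append)
{
    size_t lo = strlen(old), lt = strlen(text);   /* strlen(NULL) faults here */
    char *n = malloc(lo + lt + 1);
    if (!n) abort();
    if (append) { memcpy(n, old, lo); memcpy(n + lo, text, lt + 1); }
    else        { memcpy(n, text, lt); memcpy(n + lt, old, lo + 1); }
    return n;
}

/* Open an empty slot at the top, dropping the oldest entry when full. */
static int new_slot(struct killring *kr)
{
    if (kr->length == RING_MAX) {
        free(kr->ring[0]);
        memmove(kr->ring, kr->ring + 1, (RING_MAX - 1) * sizeof kr->ring[0]);
        kr->length = RING_MAX - 1;
    }
    kr->ring[kr->length] = NULL;
    return kr->length++;
}

/* Mirrors kill.c:134-137 in the trace. Unsafe shape: the flag alone decides
 * that there is a previous kill to join with, so over an empty ring 'old' is
 * a NULL entry (the model clamps the index to 0) and join() faults.
 * Hardened shape: also require that the top slot really holds a string;
 * a plausible guard, not necessarily the fix readline shipped. */
static const char *copy_to_kill_ring(struct killring *kr, const char *text, int append, int hardened)
{
    int joinable = hardened
        ? kr->last_was_kill && kr->length > 0 && kr->ring[kr->length - 1] != NULL
        : kr->last_was_kill;
    int slot = joinable ? (kr->length ? kr->length - 1 : 0) : new_slot(kr);
    const char *old = joinable ? kr->ring[slot] : "";
    char *n = join(old, text, append);           /* SIGSEGV when old == NULL */
    if (joinable) free(kr->ring[slot]);
    kr->ring[slot] = n;
    return n;
}

/* Kill line[from..to) the way an editor command would: store the text (append
 * when from < to, prepend otherwise) and mark the command as a kill. The
 * assumption driving the model: a zero-length kill sets the flag but stores
 * nothing, which is what leaves the flag set over an empty ring. */
static const char *kill_text(struct killring *kr, const char *line, int from, int to, int hardened)
{
    const char *top = kr->length ? kr->ring[kr->length - 1] : NULL;
    if (from != to) {
        int lo = from < to ? from : to, n = from < to ? to - from : from - to;
        char *text = malloc(n + 1);
        if (!text) abort();
        memcpy(text, line + lo, n);
        text[n] = '\0';
        top = copy_to_kill_ring(kr, text, from < to, hardened);
        free(text);
    }
    kr->last_was_kill = 1;
    return top;
}

/* The reported keystrokes as the model reads them (an assumption): "0" is
 * inserted, Esc-0 Backspace is a backspace with an explicit argument of 0
 * (a zero-length kill), then Ctrl-W kills the "0" back to the line start.
 * With hardened == 0 the last step faults, as in the report. */
static const char *reproduce(struct killring *kr, int hardened)
{
    const char *line = "0";
    killring_init(kr);
    kill_text(kr, line, 1, 1, hardened);         /* Esc-0 Backspace */
    return kill_text(kr, line, 1, 0, hardened);  /* Ctrl-W */
}

int main(void)
{
    struct killring kr;
    printf("hardened: ring top after the sequence is \"%s\"\n", reproduce(&kr, 1));
    killring_free(&kr);
    return 0;
}
```

As written, main() runs only the guarded path, which ends with "0" stored in a fresh slot. Changing reproduce(&kr, 1) to reproduce(&kr, 0) and running under a debugger reproduces the shape of the report: the flag says "join with the previous kill", the ring has nothing to join with, and strlen is handed NULL.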
