[Bug 1857828] Re: mksh expand ASAN heap-buffer-overflow

Fri, 27 Mar 2020 05:10:01 -0700 

** Changed in: mksh
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857828

Title:
  mksh expand ASAN heap-buffer-overflow

Status in mksh:
  Fix Released

Bug description:
  ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
  =================================================================
  ==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 
at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
  READ of size 1 at 0xf4d01559 thread T0
      #0 0x56649efc  (/usr/bin/mksh+0x7befc)

  0xf4d01559 is located 0 bytes to the right of 9-byte region 
[0xf4d01550,0xf4d01559)
  allocated by thread T0 here:
      #0 0xf7aae5bd in __interceptor_realloc 
(/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
      #1 0x565df15d  (/usr/bin/mksh+0x1115d)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc) 
  Shadow bytes around the buggy address:
    0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
    0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
    0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
    0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
    0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==4807==ABORTING

  ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
  ==4808== Memcheck, a memory error detector
  ==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
  ==4808== Command: ./mksh -c echo\ ${0@#$0}
  ==4808== 
  ==4808== Invalid read of size 1
  ==4808==    at 0x118527: expand (eval.c:821)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
  ==4808==    at 0x483453B: malloc (in 
/usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x4836C88: realloc (in 
/usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x10B68C: aresize (lalloc.c:154)
  ==4808==    by 0x1420F0: setstr (var.c:491)
  ==4808==    by 0x14300F: isglobal (var.c:272)
  ==4808==    by 0x14305D: global (var.c:238)
  ==4808==    by 0x11A9E5: varsub (eval.c:1378)
  ==4808==    by 0x11A9E5: expand (eval.c:390)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808== 
  ==4808== Invalid read of size 1
  ==4808==    at 0x1173CF: expand (eval.c:869)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
  ==4808==    at 0x483453B: malloc (in 
/usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x4836C88: realloc (in 
/usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x10B68C: aresize (lalloc.c:154)
  ==4808==    by 0x1420F0: setstr (var.c:491)
  ==4808==    by 0x14300F: isglobal (var.c:272)
  ==4808==    by 0x14305D: global (var.c:238)
  ==4808==    by 0x11A9E5: varsub (eval.c:1378)
  ==4808==    by 0x11A9E5: expand (eval.c:390)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808== 

  ==4808== 
  ==4808== HEAP SUMMARY:
  ==4808==     in use at exit: 0 bytes in 0 blocks
  ==4808==   total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
  ==4808== 
  ==4808== All heap blocks were freed -- no leaks are possible
  ==4808== 
  ==4808== For counts of detected and suppressed errors, rerun with: -v
  ==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857828/+subscriptions

Reply via email to