Found by fuzzing `read -e' with AFL: debian@debian-fuzz:/mnt$ cat -A dispose_word "^[^EM-b^_M-u$$(M-J^^_^Q$ ^[^E
debian@debian-fuzz:/mnt$ base64 < dispose_word IhsF4h/1JCQoyl4fEQobBQ== debian@debian-fuzz:/mnt$ LC_ALL=zh_CN.gbk ~/build-gdb/bash --noprofile --norc -c 'PATH= read -e < dispose_word' hi "��$$( TRACE: pid 15530: xparse_dolparen:0: base[5] != RPAREN (40), base = `"��$$( ' TRACE: pid 15530: xparse_dolparen:0: *indp (5) < orig_ind (6), orig_string = ` ' malloc: ../bash-5.0-rc1/dispose_cmd.c:249: assertion botched malloc: 0x55d956dc4de8: allocated: last allocated from ../bash-5.0-rc1/subst.c:866 free: start and end chunk sizes differ Aborting...Aborted (...) Aborting... Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff7df4535 in __GI_abort () at abort.c:79 #2 0x00005555555b39b5 in programming_error (format=0x555555686bd8 "free: start and end chunk sizes differ") at ../bash-5.0-rc1/error.c:175 #3 0x000055555566523d in xbotch (mem=0x555555765da8, e=8, s=0x555555686bd8 "free: start and end chunk sizes differ", file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:354 #4 0x000055555566648e in internal_free (mem=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249, flags=1) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:960 #5 0x0000555555667006 in sh_free (mem=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:1321 #6 0x00005555556001f4 in sh_xfree (string=0x555555765da8, file=0x55555566c268 "../bash-5.0-rc1/dispose_cmd.c", line=249) at ../bash-5.0-rc1/xmalloc.c:223 #7 0x000055555559d860 in dispose_word (w=0x555555761da8) at ../bash-5.0-rc1/dispose_cmd.c:249 #8 0x00005555555d6ef5 in expand_word_internal (word=0x555555761e08, quoted=0, isexp=0, contains_dollar_at=0x0, expanded_something=0x0) at 
../bash-5.0-rc1/subst.c:10189 #9 0x00005555555c84dd in call_expand_word_internal (w=0x555555761e08, q=0, i=0, c=0x0, e=0x0) at ../bash-5.0-rc1/subst.c:3684 #10 0x00005555555c8b94 in expand_word (word=0x555555761e08, quoted=0) at ../bash-5.0-rc1/subst.c:3978 #11 0x00005555555f35b6 in shell_expand_line (count=1, ignore=5) at ../bash-5.0-rc1/bashline.c:2755 #12 0x0000555555639ed4 in _rl_dispatch_subseq (key=5, map=0x5555556ac220 <emacs_meta_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:852 #13 0x000055555563a399 in _rl_dispatch_subseq (key=27, map=0x5555556ab200 <emacs_standard_keymap>, got_subseq=0) at ../../../bash-5.0-rc1/lib/readline/readline.c:986 #14 0x0000555555639c4b in _rl_dispatch (key=-136275877, map=0x5555556ab200 <emacs_standard_keymap>) at ../../../bash-5.0-rc1/lib/readline/readline.c:798 #15 0x00005555556398ce in readline_internal_char () at ../../../bash-5.0-rc1/lib/readline/readline.c:632 #16 0x0000555555639929 in readline_internal_charloop () at ../../../bash-5.0-rc1/lib/readline/readline.c:659 #17 0x0000555555639949 in readline_internal () at ../../../bash-5.0-rc1/lib/readline/readline.c:671 #18 0x0000555555639367 in readline (prompt=0x555555680f84 "") at ../../../bash-5.0-rc1/lib/readline/readline.c:377 #19 0x0000555555611bcf in edit_line (p=0x555555680f84 "", itext=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107 #20 0x00005555556108f8 in read_builtin (list=0x0) at ../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566 #21 0x00005555555a5afa in execute_builtin (builtin=0x55555560fa73 <read_builtin>, words=0x555555761e68, flags=0, subshell=0) at ../bash-5.0-rc1/execute_cmd.c:4706 #22 0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555761e68, builtin=0x55555560fa73 <read_builtin>, var=0x0, redirects=0x555555761bc8, fds_to_close=0x555555761ba8, flags=0) at ../bash-5.0-rc1/execute_cmd.c:5214 #23 0x00005555555a5365 in execute_simple_command 
(simple_command=0x555555761a88, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555761ba8) at ../bash-5.0-rc1/execute_cmd.c:4476 #24 0x000055555559e9f4 in execute_command_internal (command=0x555555761a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555761ba8) at ../bash-5.0-rc1/execute_cmd.c:842 #25 0x000055555560858a in parse_and_execute (string=0x555555761688 "PATH= read -e < dispose_word", from_file=0x5555556690f0 "-c", flags=4) at ../../bash-5.0-rc1/builtins/evalstring.c:436 #26 0x000055555558564a in run_one_command (command=0x7fffffffe28c "PATH= read -e < dispose_word") at ../bash-5.0-rc1/shell.c:1426 #27 0x0000555555584789 in main (argc=5, argv=0x7fffffffdfe8, env=0x7fffffffe018) at ../bash-5.0-rc1/shell.c:741 (gdb) frame 7 #7 0x000055555559d860 in dispose_word (w=0x555555761da8) at ../bash-5.0-rc1/dispose_cmd.c:249 249 FREE (w->word); (gdb) l 244 /* How to free a WORD_DESC. */ 245 void 246 dispose_word (w) 247 WORD_DESC *w; 248 { 249 FREE (w->word); 250 ocache_free (wdcache, WORD_DESC, w); 251 } 252 253 /* Free a WORD_DESC, but not the word contained within. 
*/ (gdb) p w $1 = (WORD_DESC *) 0x555555761da8 (gdb) p *w $2 = {word = 0x555555765da8 "��$$((\n", flags = 0} Running it on an ASAN enabled bash: debian@debian-fuzz:/mnt$ LC_ALL=zh_CN.gbk ~/build-asan/bash --noprofile --norc -c 'PATH= read -e < dispose_word' hi "��$$( TRACE: pid 29276: xparse_dolparen:0: base[5] != RPAREN (40), base = `"��$$( ' TRACE: pid 29276: xparse_dolparen:0: *indp (5) < orig_ind (6), orig_string = ` ' ================================================================= ==29276==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000055b7 at pc 0x00000061f92f bp 0x7ffcd0b6c5f0 sp 0x7ffcd0b6c5e8 WRITE of size 1 at 0x6020000055b7 thread T0 #0 0x61f92e in string_extract_double_quoted /home/debian/build-asan/../bash-5.0-rc1/subst.c:995:11 #1 0x603b8e in expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:10149:11 #2 0x5fb4a0 in call_expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:3684:12 #3 0x608478 in expand_word /home/debian/build-asan/../bash-5.0-rc1/subst.c:3978:13 #4 0x68b396 in shell_expand_line /home/debian/build-asan/../bash-5.0-rc1/bashline.c:2755:25 #5 0x769abd in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:852:8 #6 0x76a76e in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:986:8 #7 0x76899a in _rl_dispatch /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:798:10 #8 0x76882f in readline_internal_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:632:11 #9 0x76ce7f in readline_internal_charloop /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:659:11 #10 0x76789d in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:671:19 #11 0x7676ba in readline 
/home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11 #12 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9 #13 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16 #14 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13 #15 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14 #16 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13 #17 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4 #18 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17 #19 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12 #20 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7 #21 0x7f697e24009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #22 0x43fa39 in _start (/home/debian/build-asan/bash+0x43fa39) 0x6020000055b7 is located 0 bytes to the right of 7-byte region [0x6020000055b0,0x6020000055b7) allocated by thread T0 here: #0 0x4e7883 in malloc (/home/debian/build-asan/bash+0x4e7883) #1 0x6c2aa0 in xmalloc /home/debian/build-asan/../bash-5.0-rc1/xmalloc.c:114:10 #2 0x61e905 in string_extract_double_quoted /home/debian/build-asan/../bash-5.0-rc1/subst.c:866:18 #3 0x603b8e in expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:10149:11 #4 0x5fb4a0 in call_expand_word_internal /home/debian/build-asan/../bash-5.0-rc1/subst.c:3684:12 #5 0x608478 in expand_word /home/debian/build-asan/../bash-5.0-rc1/subst.c:3978:13 #6 0x68b396 in shell_expand_line /home/debian/build-asan/../bash-5.0-rc1/bashline.c:2755:25 #7 0x769abd in _rl_dispatch_subseq 
/home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:852:8 #8 0x76a76e in _rl_dispatch_subseq /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:986:8 #9 0x76899a in _rl_dispatch /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:798:10 #10 0x76882f in readline_internal_char /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:632:11 #11 0x76ce7f in readline_internal_charloop /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:659:11 #12 0x76789d in readline_internal /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:671:19 #13 0x7676ba in readline /home/debian/build-asan/lib/readline/../../../bash-5.0-rc1/lib/readline/readline.c:377:11 #14 0x6fe637 in edit_line /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107:9 #15 0x6fa7d5 in read_builtin /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566:16 #16 0x592620 in execute_builtin /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4706:13 #17 0x5910a7 in execute_builtin_or_function /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:5214:14 #18 0x579877 in execute_simple_command /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:4476:13 #19 0x5701d2 in execute_command_internal /home/debian/build-asan/../bash-5.0-rc1/execute_cmd.c:842:4 #20 0x6dd393 in parse_and_execute /home/debian/build-asan/builtins/../../bash-5.0-rc1/builtins/evalstring.c:436:17 #21 0x51d4f4 in run_one_command /home/debian/build-asan/../bash-5.0-rc1/shell.c:1426:12 #22 0x518ec9 in main /home/debian/build-asan/../bash-5.0-rc1/shell.c:741:7 #23 0x7f697e24009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/debian/build-asan/../bash-5.0-rc1/subst.c:995:11 in string_extract_double_quoted 
Shadow bytes around the buggy address: 0x0c047fff8a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8a70: fa fa 00 07 fa fa 01 fa fa fa fd fa fa fa fd fa 0x0c047fff8a80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8aa0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa =>0x0c047fff8ab0: fa fa 00 fa fa fa[07]fa fa fa fd fd fa fa 03 fa 0x0c047fff8ac0: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==29276==ABORTING Ooops — the one-byte WRITE ASan reports at subst.c:995 is the terminator store `temp[j] = '\0';`, landing just past the end of the 7-byte region allocated at subst.c:866: debian@debian-fuzz:/mnt$ cat -n /home/debian/build-asan/../bash-5.0-rc1/subst.c | sed -n '990,997p' 990 continue; 991 } 992 993 break; 994 } 995 temp[j] = '\0'; 996 997 /* Point to after the closing quote. */