Re: AddressSanitizer: heap-buffer-overflow in rl_delete
On 6/16/17 10:27 AM, Eduardo A. Bustamante López wrote:
> On Thu, Jun 15, 2017 at 09:36:58AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==1736==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x61109880 at pc 0x7f464da3a063 bp 0x7ffe86032fe0 sp 0x7ffe86032790
>> READ of size 115 at 0x61109880 thread T0
>> #0 0x7f464da3a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>> #1 0x5634e38634c3 in _rl_find_next_mbchar_internal
>> (/home/dualbus/src/gnu/bash-build/bash+0x25d4c3)
>> #2 0x5634e3864375 in _rl_find_next_mbchar
>> (/home/dualbus/src/gnu/bash-build/bash+0x25e375)
>> #3 0x5634e3850c0e in rl_delete
>> (/home/dualbus/src/gnu/bash-build/bash+0x24ac0e)
>
> OK. Here's an easy way to reproduce this.
>
> - Start on an empty rl_line_buffer
> - Call `set-mark' with a numeric argument (a large number, e.g. 500, is
> better).
> - Call `exchange-point-and-mark' so that now rl_point = 500
> - Call `delete-char'
> - Bash crashes

I can't reproduce this using the current development version. Its failure
depends on rl_end already being wrong. I've already fixed that particular
problem; it was a problem with the isearch code that requires the obscure
circumstances fuzzing brings to reproduce.

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
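Added example, not part of the thread and not readline's code: a small C model of the failure mode described in the reply above, where a "position > end" check on the mark is only as good as the stored end offset. The struct and function names are hypothetical, the inputs are constructed, and the 256-byte buffer size is taken from the ASan report.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an editing line; not readline's real structures. */
struct line {
    char  *buf;              /* heap buffer holding the text             */
    size_t size;             /* bytes allocated (256 in the ASan report) */
    int    point, mark, end; /* cursor, mark, offset of terminating NUL  */
};
/* Offset of the first NUL inside the allocation, or -1 if there is none. */
static int true_end(const struct line *l) {
    const char *nul = memchr(l->buf, '\0', l->size);
    return nul ? (int)(nul - l->buf) : -1;
}
/* Invariant the commands rely on: end is accurate and 0 <= point <= end. */
static int line_ok(const struct line *l) {
    return l->end == true_end(l) && l->point >= 0 && l->point <= l->end;
}
/* Mark setter with a "position > end" check; it trusts end as given. */
static int set_mark(struct line *l, int pos) {
    if (pos < 0 || pos > l->end) return -1;
    l->mark = pos;
    return 0;
}
static void exchange_point_and_mark(struct line *l) {
    int t = l->point; l->point = l->mark; l->mark = t;
}
/* Delete the byte at point; refuse to touch the buffer if the invariant fails. */
static int delete_char_checked(struct line *l) {
    if (!line_ok(l) || l->point == l->end) return -1;
    memmove(l->buf + l->point, l->buf + l->point + 1, (size_t)(l->end - l->point));
    l->end--;
    return 0;
}
/* Replay set-mark, exchange-point-and-mark, delete-char on constructed input.
   Returns 0: mark rejected, 1: delete refused, 2: delete performed. */
static int replay(const char *text, int claimed_end, int mark_pos) {
    struct line l = { calloc(256, 1), 256, 0, 0, claimed_end };
    int r = 0;
    if (!l.buf) return -1;
    strncpy(l.buf, text, l.size - 1);
    if (set_mark(&l, mark_pos) == 0) {
        exchange_point_and_mark(&l);
        r = delete_char_checked(&l) == 0 ? 2 : 1;
    }
    free(l.buf);
    return r;
}
int main(void) { return replay("", 600, 500) == 1 ? 0 : 1; }
```

With an accurate end of 0 the mark at 500 is rejected outright; with a stale end of 600 the mark check passes, and only the invariant check in the delete path stops the access at offset 500 of a 256-byte buffer.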
Re: AddressSanitizer: heap-buffer-overflow in rl_delete
On Thu, Jun 15, 2017 at 09:36:58AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
> Sanitizer is followed by the base64 encoded crashing input.
>
>
> ==1736==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x61109880 at pc 0x7f464da3a063 bp 0x7ffe86032fe0 sp 0x7ffe86032790
> READ of size 115 at 0x61109880 thread T0
> #0 0x7f464da3a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
> #1 0x5634e38634c3 in _rl_find_next_mbchar_internal
> (/home/dualbus/src/gnu/bash-build/bash+0x25d4c3)
> #2 0x5634e3864375 in _rl_find_next_mbchar
> (/home/dualbus/src/gnu/bash-build/bash+0x25e375)
> #3 0x5634e3850c0e in rl_delete
> (/home/dualbus/src/gnu/bash-build/bash+0x24ac0e)

OK. Here's an easy way to reproduce this.

- Start on an empty rl_line_buffer
- Call `set-mark' with a numeric argument (a large number, e.g. 500, is
  better).
- Call `exchange-point-and-mark' so that now rl_point = 500
- Call `delete-char'
- Bash crashes

The _rl_set_mark_at_pos function already checks for `position > rl_end', so
I'm not sure how to fix this.

--
Eduardo Bustamante
https://dualbus.me/
AddressSanitizer: heap-buffer-overflow in rl_delete
Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
Sanitizer is followed by the base64 encoded crashing input.

==1736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61109880 at pc 0x7f464da3a063 bp 0x7ffe86032fe0 sp 0x7ffe86032790
READ of size 115 at 0x61109880 thread T0
    #0 0x7f464da3a062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
    #1 0x5634e38634c3 in _rl_find_next_mbchar_internal (/home/dualbus/src/gnu/bash-build/bash+0x25d4c3)
    #2 0x5634e3864375 in _rl_find_next_mbchar (/home/dualbus/src/gnu/bash-build/bash+0x25e375)
    #3 0x5634e3850c0e in rl_delete (/home/dualbus/src/gnu/bash-build/bash+0x24ac0e)
    #4 0x5634e380230d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #5 0x5634e3801ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #6 0x5634e3801727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #7 0x5634e38017b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #8 0x5634e38017dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #9 0x5634e3800e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #10 0x5634e37bc136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #11 0x5634e37b9aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #12 0x5634e36cfc89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #13 0x5634e36d189f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #14 0x5634e36cf11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #15 0x5634e36bcf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #16 0x5634e36c582e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #17 0x5634e36bdd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #18 0x5634e37a70f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #19 0x5634e3688401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #20 0x5634e36868da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #21 0x7f464d2522b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #22 0x5634e3685749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)

0x61109880 is located 0 bytes to the right of 256-byte region [0x61109780,0x61109880)
allocated by thread T0 here:
    #0 0x7f464dabfd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5634e3795d95 in xmalloc (/home/dualbus/src/gnu/bash-build/bash+0x18fd95)
    #2 0x5634e3803220 in readline_initialize_everything (/home/dualbus/src/gnu/bash-build/bash+0x1fd220)
    #3 0x5634e38030c6 in rl_initialize (/home/dualbus/src/gnu/bash-build/bash+0x1fd0c6)
    #4 0x5634e3770c28 in initialize_readline (/home/dualbus/src/gnu/bash-build/bash+0x16ac28)
    #5 0x5634e37bc096 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6096)
    #6 0x5634e37b9aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #7 0x5634e36cfc89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #8 0x5634e36d189f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #9 0x5634e36cf11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #10 0x5634e36bcf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #11 0x5634e36c582e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #12 0x5634e36bdd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #13 0x5634e37a70f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #14 0x5634e3688401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #15 0x5634e36868da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #16 0x7f464d2522b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)