Re: Remaining memory corruption bugs in readline
On Fri, Jun 9, 2017 at 4:59 PM, Chet Ramey wrote:
[...]
> It's an off-by-one error.

Thank you! Do you have a patch? I want to run the patched version against
the corpus of crashing inputs that I have to see if there are any remaining.
Re: Remaining memory corruption bugs in readline
On 6/8/17 11:34 AM, Chet Ramey wrote:
> On 6/8/17 11:09 AM, dualbus wrote:
>> On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
>> [...]
>>> #1 _rl_get_char_len / update_line
>> [...]
>>> ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address
>>> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>>> READ of size 851 at 0x6190cc80 thread T0
>>> #0 0x7f400d00b062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>>> #1 0x559b50a04821 in _rl_get_char_len
>>> ../../../bash/lib/readline/mbutil.c:223
>>> #2 0x559b50a048e0 in _rl_compare_chars
>>> ../../../bash/lib/readline/mbutil.c:252
>>> #3 0x559b509db526 in update_line
>>> ../../../bash/lib/readline/display.c:1664
>> [...]
>>
>> I have been looking at this specific example for some time now.
>>
>> The problem is that _rl_get_char_len assumes it's being called with a
>> \0-terminated string, but under some cases (that I haven't been able to
>> figure out), there's no \0 at the end, so the strlen reads more than it
>> should.
>
> I've been traveling and have not looked at this.

It's an off-by-one error.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
Re: Remaining memory corruption bugs in readline
On 6/8/17 11:09 AM, dualbus wrote:
> On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
> [...]
>> #1 _rl_get_char_len / update_line
> [...]
>> ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>> READ of size 851 at 0x6190cc80 thread T0
>> #0 0x7f400d00b062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>> #1 0x559b50a04821 in _rl_get_char_len
>> ../../../bash/lib/readline/mbutil.c:223
>> #2 0x559b50a048e0 in _rl_compare_chars
>> ../../../bash/lib/readline/mbutil.c:252
>> #3 0x559b509db526 in update_line
>> ../../../bash/lib/readline/display.c:1664
> [...]
>
> I have been looking at this specific example for some time now.
>
> The problem is that _rl_get_char_len assumes it's being called with a
> \0-terminated string, but under some cases (that I haven't been able to
> figure out), there's no \0 at the end, so the strlen reads more than it
> should.

I've been traveling and have not looked at this.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
Re: Remaining memory corruption bugs in readline
On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
[...]
> #1 _rl_get_char_len / update_line
[...]
> ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
> READ of size 851 at 0x6190cc80 thread T0
> #0 0x7f400d00b062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
> #1 0x559b50a04821 in _rl_get_char_len
> ../../../bash/lib/readline/mbutil.c:223
> #2 0x559b50a048e0 in _rl_compare_chars
> ../../../bash/lib/readline/mbutil.c:252
> #3 0x559b509db526 in update_line
> ../../../bash/lib/readline/display.c:1664
[...]

I have been looking at this specific example for some time now.

The problem is that _rl_get_char_len assumes it's being called with a
\0-terminated string, but under some cases (that I haven't been able to
figure out), there's no \0 at the end, so the strlen reads more than it
should.

-- 
Eduardo Bustamante
https://dualbus.me/
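The bounded alternative to the strlen-based assumption discussed above, as an added example that is not readline's own code: utf8_char_len_bounded and chars_equal_bounded are hypothetical helpers that take an explicit buffer length instead of trusting a NUL terminator, and sample_no_nul is a constructed, deliberately unterminated buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not readline's _rl_get_char_len: byte length of the
 * UTF-8 character at s[pos], bounded by the caller's buffer length 'len'
 * instead of by a NUL terminator.  Returns 0 when pos >= len (the case of a
 * caller pointing one byte past the buffer) and 1 for an invalid or
 * truncated sequence, so no byte at index >= len is ever read. */
size_t utf8_char_len_bounded(const char *s, size_t pos, size_t len)
{
    if (pos >= len)
        return 0;
    unsigned char lead = (unsigned char)s[pos];
    size_t need;
    if (lead < 0x80)                need = 1;
    else if ((lead & 0xE0) == 0xC0) need = 2;
    else if ((lead & 0xF0) == 0xE0) need = 3;
    else if ((lead & 0xF8) == 0xF0) need = 4;
    else                            return 1;  /* stray continuation byte */
    if (need > len - pos)
        return 1;                              /* truncated at buffer end */
    for (size_t i = 1; i < need; i++)
        if (((unsigned char)s[pos + i] & 0xC0) != 0x80)
            return 1;                          /* malformed continuation */
    return need;
}

/* Hypothetical bounded comparison: equal only if both characters are
 * complete within their buffers and byte-identical. */
int chars_equal_bounded(const char *a, size_t apos, size_t alen,
                        const char *b, size_t bpos, size_t blen)
{
    size_t la = utf8_char_len_bounded(a, apos, alen);
    size_t lb = utf8_char_len_bounded(b, bpos, blen);
    if (la == 0 || lb == 0 || la != lb)
        return 0;
    return memcmp(a + apos, b + bpos, la) == 0;
}

/* Constructed sample: 'a' then U+00E9 (C3 A9), deliberately with no
 * trailing NUL, like the unterminated buffer the report describes. */
const char sample_no_nul[3] = { 'a', (char)0xC3, (char)0xA9 };
const size_t sample_len = sizeof sample_no_nul;
int main(void)
{
    for (size_t pos = 0; pos <= sample_len; pos++)
        printf("pos %zu -> %zu bytes\n", pos, utf8_char_len_bounded(sample_no_nul, pos, sample_len));
    return 0;
}
```

The walk in main stops cleanly at pos == 3, where a strlen-based length would instead start reading whatever follows the buffer.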