Re: Remaining memory corruption bugs in readline

2017-06-09 Thread Eduardo Bustamante
On Fri, Jun 9, 2017 at 4:59 PM, Chet Ramey wrote:
[...]
> It's an off-by-one error.

Thank you! Do you have a patch? I want to run the patched version
against the corpus of crashing inputs that I have to see if there are
any remaining.



Re: Remaining memory corruption bugs in readline

2017-06-09 Thread Chet Ramey
On 6/8/17 11:34 AM, Chet Ramey wrote:
> On 6/8/17 11:09 AM, dualbus wrote:
>> On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
>> [...]
>>> #1 _rl_get_char_len / update_line
>> [...]
>>>   ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 
>>> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>>>   READ of size 851 at 0x6190cc80 thread T0
>>>   #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>>>   #1 0x559b50a04821 in _rl_get_char_len 
>>> ../../../bash/lib/readline/mbutil.c:223
>>>   #2 0x559b50a048e0 in _rl_compare_chars 
>>> ../../../bash/lib/readline/mbutil.c:252
>>>   #3 0x559b509db526 in update_line 
>>> ../../../bash/lib/readline/display.c:1664
>> [...]
>>
>> I have been looking at this specific example for some time now.
>>
>> The problem is that _rl_get_char_len assumes it's being called with a
>> \0-terminated string, but under some cases (that I haven't been able to
>> figure out), there's no \0 at the end, so the strlen reads more than it
>> should.
> 
> I've been traveling and have not looked at this.

It's an off-by-one error.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/



Re: Remaining memory corruption bugs in readline

2017-06-08 Thread Chet Ramey
On 6/8/17 11:09 AM, dualbus wrote:
> On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
> [...]
>> #1 _rl_get_char_len / update_line
> [...]
>>   ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 
>> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>>   READ of size 851 at 0x6190cc80 thread T0
>>   #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>>   #1 0x559b50a04821 in _rl_get_char_len 
>> ../../../bash/lib/readline/mbutil.c:223
>>   #2 0x559b50a048e0 in _rl_compare_chars 
>> ../../../bash/lib/readline/mbutil.c:252
>>   #3 0x559b509db526 in update_line 
>> ../../../bash/lib/readline/display.c:1664
> [...]
> 
> I have been looking at this specific example for some time now.
> 
> The problem is that _rl_get_char_len assumes it's being called with a
> \0-terminated string, but under some cases (that I haven't been able to
> figure out), there's no \0 at the end, so the strlen reads more than it
> should.

I've been traveling and have not looked at this.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/



Re: Remaining memory corruption bugs in readline

2017-06-08 Thread dualbus
On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
[...]
> #1 _rl_get_char_len / update_line
[...]
>   ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6190cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>   READ of size 851 at 0x6190cc80 thread T0
>   #0 0x7f400d00b062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>   #1 0x559b50a04821 in _rl_get_char_len 
> ../../../bash/lib/readline/mbutil.c:223
>   #2 0x559b50a048e0 in _rl_compare_chars 
> ../../../bash/lib/readline/mbutil.c:252
>   #3 0x559b509db526 in update_line 
> ../../../bash/lib/readline/display.c:1664
[...]

I have been looking at this specific example for some time now.

The problem is that _rl_get_char_len assumes it's being called with a
\0-terminated string, but under some cases (that I haven't been able to
figure out), there's no \0 at the end, so the strlen reads more than it
should.

-- 
Eduardo Bustamante
https://dualbus.me/
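
An added illustration of the failure mode described in the message above (not readline's code and not part of the thread): a scan limit taken from strlen() runs past a line that has no \0, while a limit derived from an explicit end pointer does not. The names `arena`, `scan_limit_unbounded`, `scan_limit_bounded` and `char_len_bounded` are hypothetical, and the buffer is a constructed sample laid out in one array so the over-long scan stays in defined memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample: bytes 0..7 are a line that fills its 8-byte slot with
   no room for a \0; bytes 8..15 stand in for whatever follows it on the heap. */
char arena[16] = "AAAAAAAA" "secret!";
#define LINE_LEN 8

/* Pattern described in the thread: the scan limit comes from strlen(), so it
   is only right when src really is \0-terminated. */
size_t scan_limit_unbounded(const char *src)
{
    return strlen(src);
}

/* Hypothetical bounded variant: the caller also passes the end of the line. */
size_t scan_limit_bounded(const char *src, const char *end)
{
    const char *nul;
    if (src >= end)
        return 0;
    nul = memchr(src, '\0', (size_t)(end - src));
    return nul ? (size_t)(nul - src) : (size_t)(end - src);
}

/* Byte length of the character at src, never reading at or past end.
   Returns 0 at end of data, -1 for an invalid or truncated sequence. */
int char_len_bounded(const char *src, const char *end, mbstate_t *ps)
{
    size_t limit = scan_limit_bounded(src, end);
    size_t n;
    if (limit == 0)
        return 0;
    n = mbrlen(src, limit, ps);
    if (n == (size_t)-1 || n == (size_t)-2) {
        if (ps)
            memset(ps, 0, sizeof *ps); /* reset shift state after an error */
        return -1;
    }
    return (int)n;
}

int main(void)
{
    printf("strlen limit: %zu, bounded limit: %zu\n",
           scan_limit_unbounded(arena),
           scan_limit_bounded(arena, arena + LINE_LEN));
    return 0;
}
```

On a real heap allocation the bytes after the line are not under the program's control, which is why the unbounded form shows up as an AddressSanitizer heap-buffer-overflow READ rather than a wrong length.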