AddressSanitizer: global-buffer-overflow in rl_filename_completion_function

Eduardo A. Bustamante López
Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
Sanitizer is followed by the base64 encoded crashing input.


==1098==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e61a6b4c5c at pc 0x55e61a3426ca bp 0x7fff1820a300 sp 0x7fff1820a2f8
READ of size 4 at 0x55e61a6b4c5c thread T0
    #0 0x55e61a3426c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55e61a3e0a08 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218a08)
    #2 0x55e61a3df702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55e61a3daaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55e61a3dea63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55e61a3d81e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55e61a3c430d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55e61a3c3ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55e61a3c3727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55e61a3c37b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55e61a3c37dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55e61a3c2e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55e61a37e136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55e61a37baa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55e61a291c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55e61a29389f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55e61a29111f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55e61a27ef42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55e61a28782e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55e61a27fd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55e61a3690f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55e61a24a401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55e61a2488da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fdab89d22b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55e61a247749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55e61a6b4c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55e61a6b4c20) of size 4
0x55e61a6b4c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55e61a6b4c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abd434ce930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abd434ce980: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abd434ce990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abd434ce9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1098==ABORTING

INPUT
ACEAJDRXGgGm9ltZJwkAGhQBXID////nPlaAPz4/Kj8/Pz8AgAPoKg4YKgUECaEJAAAAZAkJCQkJ
CfoACQk2CQlfAAAACQACAK9cCQlj/wEbSYChFJQbUyQoeRsKU1O/GxtTJDX//97gLxSWZAAAACoA
/xQiBRsbIBsKG2QfEAAAlf3/4xsZVAQg6of9AABTJCf//xYnAPoZFb0AAID//xmA6xgAGQgICAgJ
GRkZGL09f/8AGf//vb29CAwH+wgIGxAIjwkIKoAMvb2Hvb0ICBoIDBn7CAgICIC9vb0ICJj0CB8A
AgAI/w8fCAj+yUB/kA==



==15163==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5651610c8c5c at pc 0x565160d566ca bp 0x7ffd2a68cf50 sp 0x7ffd2a68cf48
READ of size 4 at 0x5651610c8c5c thread T0
    #0 0x565160d566c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x565160df4c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x565160df3702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x565160deeaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x565160df2a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x565160dec1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x565160dd830d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x565160dd8f47 in _rl_subseq_result (/home/dualbus/src/gnu/bash-build/bash+0x1fcf47)
    #8 0x565160dd8b07 in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcb07)
    #9 0x565160dd8aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #10 0x565160dd7ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #11 0x565160dd7727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #12 0x565160dd77b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #13 0x565160dd77dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #14 0x565160dd6e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #15 0x565160d92136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #16 0x565160d8faa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #17 0x565160ca5c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #18 0x565160ca789f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #19 0x565160ca511f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #20 0x565160c92f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #21 0x565160c9b82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #22 0x565160c93d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #23 0x565160d7d0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #24 0x565160c5e401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #25 0x565160c5c8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #26 0x7f4308d562b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x565160c5b749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x5651610c8c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x5651610c8c20) of size 4
0x5651610c8c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x5651610c8c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0acaac211130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac211170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0acaac211180: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0acaac211190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0acaac2111d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15163==ABORTING

INPUT
//0bLbUAAlsQGDIYFRwYGBkYGJgYGPDwXFxcXCQkKCT/fyIbG2FcAP+AC/Hw8FxcXFwkJCgk/38i
GxthXJhcXFxcXMzMderMkQAAACIAXFxcXFwkJCYk/38iGxthXJhcXFxc3wDsFxQVFBQAj6sAXFxc
XHwkJCgkIhsbgDUZGRkBGRmOjo6OGxsbGxsbGxsbIBkZGQEZGY6Pjo5/IhsbYVwA/4AL8fDwGxsb
GxsbGxsbIBsbGxsbABsbGxQbGxsbGwAbGxsUBBsFGxsbFAQUEg==



==22733==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55ae41d95c5c at pc 0x55ae41a236ca bp 0x7ffc393df460 sp 0x7ffc393df458
READ of size 4 at 0x55ae41d95c5c thread T0
    #0 0x55ae41a236c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55ae41ac1c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55ae41ac0702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55ae41abbaab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55ae41abfa63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55ae41ab91e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55ae41aa530d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55ae41aa4ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55ae41aa4727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55ae41aa47b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55ae41aa47dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55ae41aa3e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55ae41a5f136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55ae41a5caa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55ae41972c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55ae4197489f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55ae4197211f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55ae4195ff42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55ae4196882e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55ae41960d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55ae41a4a0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55ae4192b401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55ae419298da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7fee1119d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55ae41928749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55ae41d95c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55ae41d95c20) of size 4
0x55ae41d95c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55ae41d95c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0ab6483aab30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aab70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab6483aab80: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0ab6483aab90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aaba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6483aabd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22733==ABORTING

INPUT
G+ABawIA+gAYKgUC/w4YKgUiPNHR0dHRGxgqBf9/AFwA/3+i6SR7JF4WKHmxsVQEzTVBXjFBQV1B
KUFVfRb6QBQAAWh/QAAAAAH9fgv9JCg8TUth7u7uGWFNPk1NTU1NZB39TSQJqw5AIRkuGRYZGRkG
Qx/8jjwZEAA8/yoZGRkuHTYZEBkZGRkGQx/8jjwkPI6k+xlW0QAcyAQ/AAMVGVY8KBIoPCgoKCgo
KCgqKCj1KCgoPB0eHh4YF/UoAGQBnGAtJhkQf4AeIAD+0x4eGRSAGwU=



==23291==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55dc526e9c5c at pc 0x55dc523776ca bp 0x7ffd94ca3770 sp 0x7ffd94ca3768
READ of size 4 at 0x55dc526e9c5c thread T0
    #0 0x55dc523776c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55dc52415c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55dc52414702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55dc5240faab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55dc52413a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55dc5240d1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55dc523f930d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55dc523f9f47 in _rl_subseq_result (/home/dualbus/src/gnu/bash-build/bash+0x1fcf47)
    #8 0x55dc523f9b07 in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcb07)
    #9 0x55dc523f9aef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #10 0x55dc523f8ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #11 0x55dc523f8727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #12 0x55dc523f87b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #13 0x55dc523f87dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #14 0x55dc523f7e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #15 0x55dc523b3136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #16 0x55dc523b0aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #17 0x55dc522c6c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #18 0x55dc522c889f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #19 0x55dc522c611f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #20 0x55dc522b3f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #21 0x55dc522bc82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #22 0x55dc522b4d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #23 0x55dc5239e0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #24 0x55dc5227f401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #25 0x55dc5227d8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #26 0x7fc98b7912b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x55dc5227c749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55dc526e9c5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55dc526e9c20) of size 4
0x55dc526e9c5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55dc526e9c60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abc0a4d5330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d5370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abc0a4d5380: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abc0a4d5390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc0a4d53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23291==ABORTING

INPUT
BtAQV1sAAAABIAQqBQMQPXAFAgAAASAEQAUDEABdPQABFC1JAAABXFuYAABAXFsAf/8BIAQiBQMU
DhgqBSpfoxAO+CoFEicbqKiVuwAQ/xQbG1MkG3kF/3sQEBBQEBAQEBAQEBAhECwQEBADFQIbfyQt
lhQbG1NnZ3l5cnl5eXl5eXl5eXl5iHl5eXl5QFVW/BvnoAAhBDMZGRkZAACAABkBSygofx4eHhgZ
nAAAPQtAJi4ZLQEmAht/JC2WFBsbU2cZBkMAQCg5GAABSygofx4eAAEAAAAAPQtCJhknAAAQ/xQb
G1MkG3kF/3sQEBAQEGQeAAACAB4eGesZGQFLKBgAASgoKH8eHh4YGZwAAD0LQCYZEBpknAAAPQtA
JhkQGmQeOQD8wQB5GRSmHjkA/MGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYEAeRkUphsF



==27624==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e20518ac5c at pc 0x55e204e186ca bp 0x7fff45327ba0 sp 0x7fff45327b98
READ of size 4 at 0x55e20518ac5c thread T0
    #0 0x55e204e186c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55e204eb6a08 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218a08)
    #2 0x55e204eb5702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55e204eb0aab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55e204eb4a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55e204eae1e0 in rl_complete (/home/dualbus/src/gnu/bash-build/bash+0x2101e0)
    #6 0x55e204e9a30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55e204e99ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #8 0x55e204e99727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #9 0x55e204e997b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #10 0x55e204e997dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #11 0x55e204e98e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #12 0x55e204e54136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #13 0x55e204e51aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #14 0x55e204d67c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #15 0x55e204d6989f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #16 0x55e204d6711f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #17 0x55e204d54f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #18 0x55e204d5d82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #19 0x55e204d55d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #20 0x55e204e3f0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #21 0x55e204d20401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #22 0x55e204d1e8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #23 0x7f21e44ed2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x55e204d1d749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55e20518ac5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55e20518ac20) of size 4
0x55e20518ac5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55e20518ac60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0abcc0a29530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a29570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abcc0a29580: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0abcc0a29590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abcc0a295d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27624==ABORTING

INPUT
G+ABf2QB0YDR0QL5JgkAGhQBXAlfAAAACQACAK9cCQli/wEbU4CfFJQbUyQo4C8UlmQA/AAqAP8U
IgUgGAobZB8WJwD6GRW9AACA//8ZgOsYABkIAwgICQcZGRi9PX//ABn//729vQgMB/sICBsQCI8J
CCqADL29h729CAgaCHgZ+wgICAiAvb29CAiY9AgfAAIACP8PHwgI/tlAf5A=



==2732==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b2cee4cc5c at pc 0x55b2ceada6ca bp 0x7ffe47c5ab90 sp 0x7ffe47c5ab88
READ of size 4 at 0x55b2cee4cc5c thread T0
    #0 0x55b2ceada6c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
    #1 0x55b2ceb78c30 in rl_filename_completion_function (/home/dualbus/src/gnu/bash-build/bash+0x218c30)
    #2 0x55b2ceb77702 in rl_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x217702)
    #3 0x55b2ceb72aab in gen_completion_matches (/home/dualbus/src/gnu/bash-build/bash+0x212aab)
    #4 0x55b2ceb76a63 in rl_complete_internal (/home/dualbus/src/gnu/bash-build/bash+0x216a63)
    #5 0x55b2ceac7a94 in bash_brace_completion (/home/dualbus/src/gnu/bash-build/bash+0x167a94)
    #6 0x55b2ceb5c30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #7 0x55b2ceb5caef in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fcaef)
    #8 0x55b2ceb5bee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #9 0x55b2ceb5b727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #10 0x55b2ceb5b7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #11 0x55b2ceb5b7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #12 0x55b2ceb5ae93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #13 0x55b2ceb16136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #14 0x55b2ceb13aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #15 0x55b2cea29c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #16 0x55b2cea2b89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #17 0x55b2cea2911f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #18 0x55b2cea16f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #19 0x55b2cea1f82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #20 0x55b2cea17d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #21 0x55b2ceb010f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #22 0x55b2ce9e2401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #23 0x55b2ce9e08da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #24 0x7fbbd390b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #25 0x55b2ce9df749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x55b2cee4cc5c is located 56 bytes to the right of global variable 'sh_syntabsiz' defined in 'syntax.c:11:5' (0x55b2cee4cc20) of size 4
0x55b2cee4cc5c is located 4 bytes to the left of global variable 'sh_syntaxtab' defined in 'syntax.c:12:5' (0x55b2cee4cc60) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9) in bash_dequote_filename
Shadow bytes around the buggy address:
  0x0ab6d9dc1930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc1970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab6d9dc1980: 00 00 00 00 04 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x0ab6d9dc1990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab6d9dc19d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2732==ABORTING

INPUT
GyoQExgaNUxSAAIAAAcbVABAKwCX7ZYQGxsbChsUEDw8PEg8PP9/GfdPAABTYC48i6sB//9/YEAA
AAMbGTw8PDw8VP8BGxlgBHt7e3t7e3sQlvwAcQ7/IuAMFBAbGxsrAKEBAJqampqSljyAFH8bGxlU
9t7XllMkLZYAABAgUxP6GhveLwCV/ZYQGxsb/3///yR7e3t7e94vFAAA//8bKgCh8QJ///IbkCEk
+iADVP8bG28AGwIbUyQoeRv/GvpAFJQABAIbU+KVG1QE3iYUvxQbGwAC/VMbLxtUBBsbAAL9Uxsv
G1QEGxsbG1QAQCsAl+2WEBsbGwobFJYUGxsbSAAAQAAAg+2WEBsbGwrqdwAR+nx8YoB/aNkDMmRR
UVFR/fwAdgQbAhtdGxsfAIAUAACiEPwAlgQbAv1TGxUbABsbGVT//3//lgTelhQbGht7e/ogA1T/
GxtTJAp5G/8aDBSUAAR7/3t7e/oMFJQABHt7e3u/3hEUlhQbGxsqAKEUAoAAGxsbOBsfGxsE/+0F

--
Eduardo Bustamante
https://dualbus.me/

Re: AddressSanitizer: global-buffer-overflow in rl_filename_completion_function

Eduardo A. Bustamante López
On Thu, Jun 15, 2017 at 09:41:08AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
> Sanitizer is followed by the base64 encoded crashing input.
>
>
> ==1098==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e61a6b4c5c at pc 0x55e61a3426ca bp 0x7fff1820a300 sp 0x7fff1820a2f8
> READ of size 4 at 0x55e61a6b4c5c thread T0
>     #0 0x55e61a3426c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)

Easy fix. `p' is a signed char pointer, therefore when `*p = 255', it tries to
dereference `sh_syntaxtab[-1]'.

dualbus@debian:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- bashline.c
*** /tmp/mVc4sH_bashline.c      2017-06-16 09:52:56.471508904 -0500
--- bashline.c  2017-06-16 09:48:55.706503276 -0500
***************
*** 3886,3892 ****
            *r++ = *p;
          /* Backslashes are preserved within double quotes unless the
             character is one that is defined to be escaped */
!         else if (quoted == '"' && ((sh_syntaxtab[p[1]] & CBSDQUOTE) == 0))
            *r++ = *p;
 
          *r++ = *++p;
--- 3886,3892 ----
            *r++ = *p;
          /* Backslashes are preserved within double quotes unless the
             character is one that is defined to be escaped */
!         else if (quoted == '"' && ((sh_syntaxtab[(unsigned char)p[1]] & CBSDQUOTE) == 0))
            *r++ = *p;
 
          *r++ = *++p;
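Review bot: the `(unsigned char)` cast on `p[1]` is the entire fix, and nothing in the hunk records why it is there; a short note beside the existing "Backslashes are preserved within double quotes" comment (for example "p is char *, cast so bytes >= 0x80 index 0..255 instead of a negative offset") would keep a later cleanup from dropping it as redundant. Since `p` is a plain `char *` for the whole function, any other `sh_syntaxtab[...]` lookup in bashline.c that subscripts with a `char` value needs the same treatment; this hunk covers only the site the sanitizer happened to hit.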





Maybe it's a good idea to change these too. In locale.c there shouldn't be a
problem, because the loop is constrained to `x < sh_syntabsiz', but perhaps
just to silence compiler warnings :-)?

dualbus@debian:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- locale.c parse.y
*** /tmp/OyLWya_locale.c        2017-06-16 09:55:15.854368199 -0500
--- locale.c    2017-06-16 09:50:52.816950476 -0500
***************
*** 552,565 ****
    for (x = 0; x < sh_syntabsiz; x++)
      {
        if (isblank ((unsigned char)x))
!       sh_syntaxtab[x] |= CSHBRK|CBLANK;
        else if (member (x, shell_break_chars))
        {
!         sh_syntaxtab[x] |= CSHBRK;
!         sh_syntaxtab[x] &= ~CBLANK;
        }
        else
!       sh_syntaxtab[x] &= ~(CSHBRK|CBLANK);
      }
  }
 
--- 552,565 ----
    for (x = 0; x < sh_syntabsiz; x++)
      {
        if (isblank ((unsigned char)x))
!       sh_syntaxtab[(unsigned char)x] |= CSHBRK|CBLANK;
        else if (member (x, shell_break_chars))
        {
!         sh_syntaxtab[(unsigned char)x] |= CSHBRK;
!         sh_syntaxtab[(unsigned char)x] &= ~CBLANK;
        }
        else
!       sh_syntaxtab[(unsigned char)x] &= ~(CSHBRK|CBLANK);
      }
  }
 
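Review bot: the four casts in this hunk change nothing at runtime but are not free either: `x` is already bounded by `x < sh_syntabsiz`, and `(unsigned char)x` truncates to 8 bits, so if `sh_syntabsiz` were ever larger than 256 the stores would silently land in the wrong entries rather than the right ones. The cast that does matter is the one already present on `isblank ((unsigned char)x)`, and the `member (x, shell_break_chars)` call still passes plain `x`, so the hunk is inconsistent with itself. Suggest leaving the index expressions as they were; the loop bound is the guard here, not the cast.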
*** /tmp/qKFxWa_parse.y 2017-06-16 09:55:15.862368362 -0500
--- parse.y     2017-06-16 09:52:22.522808775 -0500
***************
*** 4842,4848 ****
 
              /* If the next character is to be quoted, note it now. */
              if (cd == 0 || cd == '`' ||
!                 (cd == '"' && peek_char >= 0 && (sh_syntaxtab[peek_char] & CBSDQUOTE)))
                pass_next_character++;
 
              quoted = 1;
--- 4842,4848 ----
 
              /* If the next character is to be quoted, note it now. */
              if (cd == 0 || cd == '`' ||
!                 (cd == '"' && peek_char >= 0 && (sh_syntaxtab[(unsigned char)peek_char] & CBSDQUOTE)))
                pass_next_character++;
 
              quoted = 1;
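Review bot: the `peek_char >= 0 &&` guard on the same line already rules out negative values, so the added cast never changes which entry is read; what it would do is mask a future removal of that guard, since `(unsigned char)(-1)` (EOF) turns into a plausible-looking index 255 instead of an out-of-range read a sanitizer can flag. If the cast stays, keep the `>= 0` check next to it and do not treat the cast as the bounds check; the check is what makes EOF safe.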

--
Eduardo Bustamante
https://dualbus.me/
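The mechanism described in the reply, as an added example that is not code from the original thread or from bash itself: a 256-entry stand-in for `sh_syntaxtab` (the reports show the real one as 1024 bytes, i.e. 256 four-byte entries) and a dequoting loop modelled on the hunk above, run once with the pre-patch subscript and once with the cast. `buggy_index`, `fixed_index`, `dequote_model`, `check_dequote`, the `CBSDQUOTE` value and the sample input are this example's own constructions; the "buggy" subscript uses an explicit `signed char` to stand in for what plain `char` is on the x86-64 Linux build in the reports. Out-of-range table reads are counted instead of performed, which is what the sanitizer's redzone turned into an abort.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for bash's sh_syntaxtab: 256 int entries indexed by
   byte value. Only the CBSDQUOTE flag is modelled; it marks the characters a
   backslash escapes inside double quotes. The flag value is a placeholder. */
#define CBSDQUOTE 0x0001
#define TABSIZE   256
static int syntab[TABSIZE];
static int syntab_ready;

static void init_syntab(void)
{
    const char *escaped = "$`\"\\\n";
    memset(syntab, 0, sizeof syntab);
    for (; *escaped; escaped++)
        syntab[(unsigned char)*escaped] |= CBSDQUOTE;
    syntab_ready = 1;
}

/* Subscript the pre-patch expression sh_syntaxtab[p[1]] computes on an ABI
   where char is signed: bytes >= 0x80 come out negative, 0xff as -1, which is
   four bytes before the table start, exactly what the reports show. */
int buggy_index(unsigned char b)
{
    return (int)(signed char)b;
}

/* Subscript after the patch: the cast keeps the index in 0..255. */
int fixed_index(unsigned char b)
{
    return (int)(unsigned char)b;
}

/* Bounds-checked table read standing in for the sanitizer: an out-of-range
   index is counted in *oob and reads as 0 instead of touching memory. */
static int lookup(int idx, int *oob)
{
    if (!syntab_ready)
        init_syntab();
    if (idx < 0 || idx >= TABSIZE) {
        (*oob)++;
        return 0;
    }
    return syntab[idx];
}

/* Dequoting loop modelled on the hunk in the reply (not bash's code): inside
   double quotes a backslash is kept unless the next byte is CBSDQUOTE.
   index_of selects the buggy or the fixed subscript; *oob receives the number
   of out-of-range table reads. The caller frees the result. */
char *dequote_model(const char *text, int quote_char,
                    int (*index_of)(unsigned char), int *oob)
{
    char *ret = malloc(strlen(text) + 1);   /* output never exceeds input */
    char *r = ret;
    const char *p;
    int quoted = quote_char;

    *oob = 0;
    if (ret == NULL)
        return NULL;
    for (p = text; *p; ) {
        if (*p == '\\') {
            if (quoted == '\'')
                *r++ = *p;                     /* kept inside single quotes */
            else if (quoted == '"' &&
                     (lookup(index_of((unsigned char)p[1]), oob) & CBSDQUOTE) == 0)
                *r++ = *p;                     /* kept unless next byte is escapable */
            *r++ = *++p;                       /* copy the escaped byte */
            if (*p == '\0')
                return ret;                    /* trailing backslash: NUL already copied */
            p++;
            continue;
        }
        if (quoted && *p == quoted) {          /* closing quote */
            quoted = 0;
            p++;
            continue;
        }
        if (quoted == 0 && (*p == '\'' || *p == '"')) {   /* opening quote */
            quoted = *p++;
            continue;
        }
        *r++ = *p++;
    }
    *r = '\0';
    return ret;
}

/* Run one input through the model. Returns the out-of-range read count when
   the output equals expected, -1 when it does not. */
int check_dequote(const char *text, int quote_char, int use_fixed,
                  const char *expected)
{
    int oob = 0;
    char *out = dequote_model(text, quote_char,
                              use_fixed ? fixed_index : buggy_index, &oob);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok ? oob : -1;
}

int main(void)
{
    /* Constructed input: backslash followed by byte 0xff inside double quotes,
       the shape the fuzzed inputs contain. */
    const char *text = "a\\\xff" "b";
    printf("subscript for 0xff: buggy %d, fixed %d\n",
           buggy_index(0xff), fixed_index(0xff));
    printf("out-of-range reads: buggy %d, fixed %d\n",
           check_dequote(text, '"', 0, text), check_dequote(text, '"', 1, text));
    return 0;
}
```

The same input produces the same dequoted string on both paths, which is why the bug is invisible without a sanitizer: the wrong read lands in the redzone, returns some neighbouring global's bytes, and the backslash is kept or dropped on the strength of whatever bit happens to be set there.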

Re: AddressSanitizer: global-buffer-overflow in rl_filename_completion_function

Chet Ramey
On 6/16/17 10:57 AM, Eduardo A. Bustamante López wrote:

> On Thu, Jun 15, 2017 at 09:41:08AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==1098==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e61a6b4c5c at pc 0x55e61a3426ca bp 0x7fff1820a300 sp 0x7fff1820a2f8
>> READ of size 4 at 0x55e61a6b4c5c thread T0
>>     #0 0x55e61a3426c9 in bash_dequote_filename (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
>
> Easy fix. `p' is a signed char pointer, therefore when `*p = 255', it tries to
> dereference `sh_syntaxtab[-1]'.

This is right.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    [hidden email]    http://cnswww.cns.cwru.edu/~chet/