AddressSanitizer: heap-buffer-overflow in rl_kill_text


Eduardo A. Bustamante López
Found by fuzzing `read -e' with AFL. The stack trace reported by AddressSanitizer is followed by the base64-encoded crashing input.


==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708
READ of size 8 at 0x60700000ccc0 thread T0
    #0 0x559bb60f1be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x559bb60f1f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x559bb60f31f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x559bb60b130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x559bb60b0ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x559bb60b0727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x559bb60b07b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x559bb60b07dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x559bb60afe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x559bb606b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x559bb6068aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x559bb5f7ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x559bb5f8089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x559bb5f7e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x559bb5f6bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x559bb5f7482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x559bb5f6cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x559bb60560f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x559bb5f37401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x559bb5f358da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f50ebc9d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x559bb5f34749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000ccc0 is located 0 bytes to the right of 80-byte region [0x60700000cc70,0x60700000ccc0)
allocated by thread T0 here:
    #0 0x7f50ec50b090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x559bb6044e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x559bb60f1c4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x559bb60f1f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x559bb60f23eb in rl_kill_line (/home/dualbus/src/gnu/bash-build/bash+0x23d3eb)
    #5 0x559bb60b130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x559bb60b0ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x559bb60b0727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x559bb60b07b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x559bb60b07dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x559bb60afe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x559bb606b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x559bb6068aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x559bb5f7ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x559bb5f8089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x559bb5f7e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x559bb5f6bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x559bb5f7482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x559bb5f6cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x559bb60560f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x559bb5f37401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x559bb5f358da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f50ebc9d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
Shadow bytes around the buggy address:
  0x0c0e7fff9940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c0e7fff9990: 00 00 00 00 00 00 00 00[fa]fa fa fa fd fd fd fd
  0x0c0e7fff99a0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff99b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff99c0: 02 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 06
  0x0c0e7fff99d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff99e0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11018==ABORTING


==11019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x55d397c1bbe7 bp 0x7ffe1d93d800 sp 0x7ffe1d93d7f8
READ of size 8 at 0x60700000ccc0 thread T0
    #0 0x55d397c1bbe6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x55d397c1bf79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x55d397c1c3eb in rl_kill_line (/home/dualbus/src/gnu/bash-build/bash+0x23d3eb)
    #3 0x55d397bdb30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x55d397bdaee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x55d397bda727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x55d397bda7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x55d397bda7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x55d397bd9e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x55d397b95136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x55d397b92aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x55d397aa8c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x55d397aaa89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x55d397aa811f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x55d397a95f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x55d397a9e82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x55d397a96d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x55d397b800f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x55d397a61401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x55d397a5f8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f27342a32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x55d397a5e749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000ccc0 is located 0 bytes to the right of 80-byte region [0x60700000cc70,0x60700000ccc0)
allocated by thread T0 here:
    #0 0x7f2734b11090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x55d397b6ee00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x55d397c1bc4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x55d397c1bf79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x55d397c1d1f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x55d397bdb30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x55d397bdaee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x55d397bda727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x55d397bda7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x55d397bda7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x55d397bd9e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x55d397b95136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x55d397b92aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x55d397aa8c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x55d397aaa89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x55d397aa811f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x55d397a95f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x55d397a9e82e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x55d397a96d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x55d397b800f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x55d397a61401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x55d397a5f8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f27342a32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
==11019==ABORTING


==11020==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000cc50 at pc 0x556a2aae1be7 bp 0x7ffc9f2602d0 sp 0x7ffc9f2602c8
READ of size 8 at 0x60700000cc50 thread T0
    #0 0x556a2aae1be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x556a2aae1f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x556a2aae31f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x556a2aaa130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x556a2aaa0ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x556a2aaa0727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x556a2aaa07b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x556a2aaa07dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x556a2aa9fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x556a2aa5b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x556a2aa58aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x556a2a96ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x556a2a97089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x556a2a96e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x556a2a95bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x556a2a96482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x556a2a95cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x556a2aa460f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x556a2a927401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x556a2a9258da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f4fef4b92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x556a2a924749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000cc50 is located 0 bytes to the right of 80-byte region [0x60700000cc00,0x60700000cc50)
allocated by thread T0 here:
    #0 0x7f4fefd27090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x556a2aa34e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x556a2aae1c4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x556a2aae1f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x556a2aae31f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x556a2aaa130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x556a2aaa0ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x556a2aaa0727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x556a2aaa07b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x556a2aaa07dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x556a2aa9fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x556a2aa5b136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x556a2aa58aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x556a2a96ec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x556a2a97089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x556a2a96e11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x556a2a95bf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x556a2a96482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x556a2a95cd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x556a2aa460f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x556a2a927401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x556a2a9258da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f4fef4b92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
==11020==ABORTING


==15290==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x55bf58a71be7 bp 0x7fff2f94b4c0 sp 0x7fff2f94b4b8
READ of size 8 at 0x60700000ccc0 thread T0
    #0 0x55bf58a71be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x55bf58a71f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x55bf58a731f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x55bf58a3130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x55bf58a30ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x55bf58a30727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x55bf58a307b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x55bf58a307dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x55bf58a2fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x55bf589eb136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x55bf589e8aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x55bf588fec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x55bf5890089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x55bf588fe11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x55bf588ebf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x55bf588f482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x55bf588ecd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x55bf589d60f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x55bf588b7401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x55bf588b58da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7fd3c37bd2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x55bf588b4749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000ccc0 is located 0 bytes to the right of 80-byte region [0x60700000cc70,0x60700000ccc0)
allocated by thread T0 here:
    #0 0x7fd3c402b090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x55bf589c4e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x55bf58a71c4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x55bf58a71f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x55bf58a731f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x55bf58a3130d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x55bf58a30ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x55bf58a30727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x55bf58a307b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x55bf58a307dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x55bf58a2fe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x55bf589eb136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x55bf589e8aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x55bf588fec89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x55bf5890089f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x55bf588fe11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x55bf588ebf42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x55bf588f482e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x55bf588ecd17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x55bf589d60f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x55bf588b7401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x55bf588b58da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7fd3c37bd2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
==15290==ABORTING


==15291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000cd30 at pc 0x563cebd3dbe7 bp 0x7ffe4f50b390 sp 0x7ffe4f50b388
READ of size 8 at 0x60700000cd30 thread T0
    #0 0x563cebd3dbe6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x563cebd3df79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x563cebd3f1f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x563cebcfd30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x563cebcfcee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x563cebcfc727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x563cebcfc7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x563cebcfc7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x563cebcfbe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x563cebcb7136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x563cebcb4aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x563cebbcac89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x563cebbcc89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x563cebbca11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x563cebbb7f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x563cebbc082e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x563cebbb8d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x563cebca20f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x563cebb83401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x563cebb818da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f2089e212b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x563cebb80749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000cd30 is located 0 bytes to the right of 80-byte region [0x60700000cce0,0x60700000cd30)
allocated by thread T0 here:
    #0 0x7f208a68f090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x563cebc90e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x563cebd3dc4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x563cebd3df79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x563cebd3f1f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x563cebcfd30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x563cebcfcee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x563cebcfc727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x563cebcfc7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x563cebcfc7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x563cebcfbe93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x563cebcb7136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x563cebcb4aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x563cebbcac89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x563cebbcc89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x563cebbca11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x563cebbb7f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x563cebbc082e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x563cebbb8d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x563cebca20f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x563cebb83401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x563cebb818da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f2089e212b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
==15291==ABORTING


==15292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x5581a900ebe7 bp 0x7ffe212a21a0 sp 0x7ffe212a2198
READ of size 8 at 0x60700000ccc0 thread T0
    #0 0x5581a900ebe6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x5581a900ef79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x5581a90101f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x5581a8fce30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x5581a8fcdee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x5581a8fcd727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x5581a8fcd7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x5581a8fcd7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x5581a8fcce93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x5581a8f88136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x5581a8f85aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x5581a8e9bc89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x5581a8e9d89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x5581a8e9b11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x5581a8e88f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x5581a8e9182e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x5581a8e89d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x5581a8f730f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x5581a8e54401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x5581a8e528da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f40896ae2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x5581a8e51749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000ccc0 is located 0 bytes to the right of 80-byte region [0x60700000cc70,0x60700000ccc0)
allocated by thread T0 here:
    #0 0x7f4089f1c090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x5581a8f61e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x5581a900ec4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x5581a900ef79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x5581a90101f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x5581a8fce30d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x5581a8fcdee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x5581a8fcd727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x5581a8fcd7b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x5581a8fcd7dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x5581a8fcce93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x5581a8f88136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x5581a8f85aa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x5581a8e9bc89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x5581a8e9d89f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x5581a8e9b11f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x5581a8e88f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x5581a8e9182e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x5581a8e89d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x5581a8f730f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x5581a8e54401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x5581a8e528da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f40896ae2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
Shadow bytes around the buggy address:
  0x0c0e7fff9940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c0e7fff9990: 00 00 00 00 00 00 00 00[fa]fa fa fa fd fd fd fd
  0x0c0e7fff99a0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff99b0: 00 00 00 03 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff99c0: 02 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 06
  0x0c0e7fff99d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff99e0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15292==ABORTING

INPUT
AAIbLbUAAlsQGDIYFxwYGBkYGJgYGBgYGAAYGBgwGAAAAEAYGBggAAAEANIY+xcYGRgYGBgYIAAA
BEA+BEDMBEABARgoFRUVFRAQ////gAsQEDMQEBAQEBAVCBA4Gzj+GEU4Gzg4GzgTGBgoOBs4Exgl
7xAVFQUVFeEVFRUVFRT5FRWAFRT5FQgQOBs4ExgoOBs4ExgYKDgbGAAABgEnKGEdAgAbOBMVFeEV
FRUVFRT5FQgQOBs4ExgoOBs4ExgmABs4ExgoOBs4ExhlGAAABhgn9wAmYSkCABs4ExgoOBs4ExgQ
EAsQEDMQGzgTGEX3ABAAANwQIEUYZAAGABDbABAAABjEAj9ADjs=



==15293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x557cf29f6be7 bp 0x7ffd788ea1e0 sp 0x7ffd788ea1d8
READ of size 8 at 0x60700000ccc0 thread T0
    #0 0x557cf29f6be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
    #1 0x557cf29f6f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #2 0x557cf29f81f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #3 0x557cf29b630d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #4 0x557cf29b5ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #5 0x557cf29b5727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #6 0x557cf29b57b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #7 0x557cf29b57dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #8 0x557cf29b4e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #9 0x557cf2970136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #10 0x557cf296daa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #11 0x557cf2883c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #12 0x557cf288589f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #13 0x557cf288311f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #14 0x557cf2870f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #15 0x557cf287982e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #16 0x557cf2871d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #17 0x557cf295b0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #18 0x557cf283c401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #19 0x557cf283a8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #20 0x7f01c74ce2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #21 0x557cf2839749 in _start (/home/dualbus/src/gnu/bash-build/bash+0x7f749)
0x60700000ccc0 is located 0 bytes to the right of 80-byte region [0x60700000cc70,0x60700000ccc0)
allocated by thread T0 here:
    #0 0x7f01c7d3c090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x557cf2949e00 in xrealloc (/home/dualbus/src/gnu/bash-build/bash+0x18fe00)
    #2 0x557cf29f6c4e in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cc4e)
    #3 0x557cf29f6f79 in rl_kill_text (/home/dualbus/src/gnu/bash-build/bash+0x23cf79)
    #4 0x557cf29f81f9 in rl_unix_line_discard (/home/dualbus/src/gnu/bash-build/bash+0x23e1f9)
    #5 0x557cf29b630d in _rl_dispatch_subseq (/home/dualbus/src/gnu/bash-build/bash+0x1fc30d)
    #6 0x557cf29b5ee8 in _rl_dispatch (/home/dualbus/src/gnu/bash-build/bash+0x1fbee8)
    #7 0x557cf29b5727 in readline_internal_char (/home/dualbus/src/gnu/bash-build/bash+0x1fb727)
    #8 0x557cf29b57b9 in readline_internal_charloop (/home/dualbus/src/gnu/bash-build/bash+0x1fb7b9)
    #9 0x557cf29b57dd in readline_internal (/home/dualbus/src/gnu/bash-build/bash+0x1fb7dd)
    #10 0x557cf29b4e93 in readline (/home/dualbus/src/gnu/bash-build/bash+0x1fae93)
    #11 0x557cf2970136 in edit_line (/home/dualbus/src/gnu/bash-build/bash+0x1b6136)
    #12 0x557cf296daa4 in read_builtin (/home/dualbus/src/gnu/bash-build/bash+0x1b3aa4)
    #13 0x557cf2883c89 in execute_builtin (/home/dualbus/src/gnu/bash-build/bash+0xc9c89)
    #14 0x557cf288589f in execute_builtin_or_function (/home/dualbus/src/gnu/bash-build/bash+0xcb89f)
    #15 0x557cf288311f in execute_simple_command (/home/dualbus/src/gnu/bash-build/bash+0xc911f)
    #16 0x557cf2870f42 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb6f42)
    #17 0x557cf287982e in execute_connection (/home/dualbus/src/gnu/bash-build/bash+0xbf82e)
    #18 0x557cf2871d17 in execute_command_internal (/home/dualbus/src/gnu/bash-build/bash+0xb7d17)
    #19 0x557cf295b0f4 in parse_and_execute (/home/dualbus/src/gnu/bash-build/bash+0x1a10f4)
    #20 0x557cf283c401 in run_one_command (/home/dualbus/src/gnu/bash-build/bash+0x82401)
    #21 0x557cf283a8da in main (/home/dualbus/src/gnu/bash-build/bash+0x808da)
    #22 0x7f01c74ce2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) in _rl_copy_to_kill_ring
Shadow bytes around the buggy address:
  0x0c0e7fff9940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c0e7fff9990: 00 00 00 00 00 00 00 00[fa]fa fa fa fd fd fd fd
  0x0c0e7fff99a0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff99b0: 00 00 00 03 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff99c0: 02 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 06
  0x0c0e7fff99d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff99e0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15293==ABORTING

INPUT
AAIbLbUAAlsQGDIYFxwYGBkTGEX3ABAAANwYGBgwGAAAAEAYGBggAAAEANIY+xcYGRgYGBgYIAAA
BEAjBEDMBEABARgoFRUVFRAQ////gAsQEDMQEBAQEBAVCBA4Gzj+GEU4GzgTGCYQEBUdBRUV4RUV
FRUVFPkVCBA4GzgTGCg4GzgTGBgoOBs4ExgmEBAVFQUVFeEVFRUVFRT5FRUVFRRkFQgQOBs4Exgo
OBs4ExgYKDgbGAAABgEnKGEdAgAbOBMVFeEVFRUVFRT5FQgQOBs4ExgoOBs4ExgmABs4ExgoOBs4
ExhlGAAABhgn9wAmYR0CABs4ExgoOBs4ExgQEAsQEDMQGzgTGEX3ABAAANwQIEUYZAAGABDbABAA
ABjEAj9ADjs=

--
Eduardo Bustamante
https://dualbus.me/


Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text

Eduardo A. Bustamante López
On Thu, Jun 15, 2017 at 09:42:41AM -0500, Eduardo Bustamante wrote:
> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
> Sanitizer is followed by the base64 encoded crashing input.
>
>
> ==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708
> READ of size 8 at 0x60700000ccc0 thread T0
>     #0 0x559bb60f1be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)

Easy fix. When `rl_kill_ring_length == rl_max_kills (10)', all of the entries
in the kill ring are shifted. The loop has an off-by-one error though.

I also think that using `rl_max_kills' in the loop instead of `slot' makes the
code easier to read.

dualbus@debian:~/src/gnu/bash$ git difftool -y -x 'diff -c' -- lib/readline/kill.c
*** /tmp/uLCFvH_kill.c  2017-06-16 10:04:43.472930262 -0500
--- lib/readline/kill.c 2017-06-16 10:04:20.048344312 -0500
***************
*** 113,119 ****
            {
              register int i;
              xfree (rl_kill_ring[0]);
!             for (i = 0; i < slot; i++)
                rl_kill_ring[i] = rl_kill_ring[i + 1];
            }
          else
--- 113,119 ----
            {
              register int i;
              xfree (rl_kill_ring[0]);
!             for (i = 0; i < rl_max_kills - 1; i++)
                rl_kill_ring[i] = rl_kill_ring[i + 1];
            }
          else
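Review bot: the new bound `i < rl_max_kills - 1` does stop the over-read (the last iteration now reads `rl_kill_ring[rl_max_kills - 1]`, the final slot of a ring of `rl_max_kills` pointers, which is the 80-byte, ten-pointer region in the report), but it only holds because `slot` equals `rl_max_kills` on entry to this block, and that condition is not visible in the hunk; `for (i = 0; i < slot - 1; i++)` states the same bound in terms of the variable the loop already used and stays correct even if the enclosing condition changes. A second point on this hunk: after the shift, `rl_kill_ring[rl_max_kills - 1]` still holds the same pointer as `rl_kill_ring[rl_max_kills - 2]`, so the code following the hunk must overwrite that slot before the next eviction frees ring entries again, or that pointer is freed twice; the context shown ends at `else`, so please confirm the assignment that clears it in the full function.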

--
Eduardo Bustamante
https://dualbus.me/
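The off-by-one described in the message above, as an added example that is neither readline's code nor the poster's: a small model of the kill-ring slot shift that runs the original loop bound (`slot`, equal to `rl_max_kills`) beside the proposed bound (`rl_max_kills - 1`), then a push routine that keeps a bounded ring consistent across evictions. `MAX_KILLS`, `dup_str`, `shift_reads_past_end`, `kill_ring_push` and `push_sequence_ok` are this example's own names; the canary slot is a device of the model, not something readline has.

```c
/* Added example, not readline's code: a model of the slot shift that
 * _rl_copy_to_kill_ring does when the kill ring is full, run with the
 * original bound (slot == MAX_KILLS) and the proposed one (MAX_KILLS - 1),
 * plus a push routine that keeps the ring consistent afterwards. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KILLS 10                 /* stands in for rl_max_kills */

/* The real ring is a heap array of exactly MAX_KILLS pointers (the 80-byte
 * region in the report).  The model adds one slot holding a canary so a
 * read of slot[MAX_KILLS] is observable instead of undefined behaviour. */
static char canary[] = "canary: one pointer past the allocation";

static char *dup_str(const char *s)  /* strdup without depending on POSIX */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Free the oldest entry, shift the rest down reading slot[i + 1] for i in
 * [0, bound), and report whether the canary landed inside the ring, i.e.
 * whether the loop read one pointer past the real array. */
static int shift_reads_past_end(int bound)
{
    char *slot[MAX_KILLS + 1], buf[16];
    int i, leaked = 0;
    for (i = 0; i < MAX_KILLS; i++) {
        snprintf(buf, sizeof buf, "kill-%d", i);
        slot[i] = dup_str(buf);
    }
    slot[MAX_KILLS] = canary;
    free(slot[0]);                   /* mirrors xfree (rl_kill_ring[0]) */
    for (i = 0; i < bound; i++)
        slot[i] = slot[i + 1];
    for (i = 0; i < MAX_KILLS; i++)
        leaked |= (slot[i] == canary);
    /* slot[MAX_KILLS - 1] is now a stale duplicate (of slot[MAX_KILLS - 2]
     * or the canary), so only the first MAX_KILLS - 1 entries are unique. */
    for (i = 0; i < MAX_KILLS - 1; i++)
        free(slot[i]);
    return leaked;
}

/* Bounded ring with the corrected shift; the vacated last slot is cleared
 * so no pointer is stored twice (a duplicate would reach slot 0 again and
 * be freed a second time on a later eviction). */
struct kill_ring {
    char *slot[MAX_KILLS];
    int length;
};

static void kill_ring_push(struct kill_ring *r, const char *text)
{
    int i;
    if (r->length == MAX_KILLS) {
        free(r->slot[0]);
        for (i = 0; i < MAX_KILLS - 1; i++)   /* highest read: slot[MAX_KILLS - 1] */
            r->slot[i] = r->slot[i + 1];
        r->slot[--r->length] = NULL;
    }
    r->slot[r->length++] = dup_str(text);
}

/* Push k0..k(n-1), n >= 1, then check what the fix must preserve: length
 * capped at MAX_KILLS, correct oldest survivor and newest entry, and no
 * pointer stored twice.  Returns 1 when every check holds. */
static int push_sequence_ok(int n)
{
    struct kill_ring r = { {0}, 0 };
    char want[16];
    int i, j, ok;
    for (i = 0; i < n; i++) {
        snprintf(want, sizeof want, "k%d", i);
        kill_ring_push(&r, want);
    }
    ok = r.length == (n < MAX_KILLS ? n : MAX_KILLS);
    snprintf(want, sizeof want, "k%d", n > MAX_KILLS ? n - MAX_KILLS : 0);
    ok = ok && strcmp(r.slot[0], want) == 0;
    snprintf(want, sizeof want, "k%d", n - 1);
    ok = ok && strcmp(r.slot[r.length - 1], want) == 0;
    for (i = 0; i < r.length; i++)
        for (j = i + 1; j < r.length; j++)
            ok = ok && r.slot[i] != r.slot[j];
    for (i = 0; i < r.length; i++)
        free(r.slot[i]);
    return ok;
}

int main(void)
{
    printf("bound %d (original): read past end = %d\n", MAX_KILLS, shift_reads_past_end(MAX_KILLS));
    printf("bound %d (proposed): read past end = %d\n", MAX_KILLS - 1, shift_reads_past_end(MAX_KILLS - 1));
    printf("12 pushes keep the ring consistent: %d\n", push_sequence_ok(12));
    return 0;
}
```

The model uses a fixed-size array, so the allocation-size question that a growing ring raises does not arise here; what it isolates is the loop bound: with `bound == MAX_KILLS` the last iteration copies the canary (the pointer one past the real ring) into the last slot, with `bound == MAX_KILLS - 1` it does not. The push routine also shows the step the shift alone leaves undone: the last slot keeps a stale copy of its neighbour until it is cleared or overwritten.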


Re: AddressSanitizer: heap-buffer-overflow in rl_kill_text

Chet Ramey
On 6/16/17 11:10 AM, Eduardo A. Bustamante López wrote:

> On Thu, Jun 15, 2017 at 09:42:41AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708
>> READ of size 8 at 0x60700000ccc0 thread T0
>>     #0 0x559bb60f1be6 in _rl_copy_to_kill_ring (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6)
>
> Easy fix. When `rl_kill_ring_length == rl_max_kills (10)', all of the entries
> in the kill ring are shifted. The loop has an off-by-one error though.

This is one possible fix. There is also the asymmetry in the xrealloc
below.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    [hidden email]    http://cnswww.cns.cwru.edu/~chet/
