AddressSanitizer: heap-use-after-free in readtok | PS1='$((b[x++}]))'

AddressSanitizer: heap-use-after-free in readtok | PS1='$((b[x++}]))'

Eduardo A. Bustamante López
I don't know how to fix this.


dualbus@debian:~/readline$ ASAN_OPTIONS=disable_coredump=0:unmap_shadow_on_exit=1:abort_on_error=1:detect_leaks=0 ~/src/gnu/bash-builds/devel-asan/bash
bash-4.4$ PS1='$((b[x++}]))'
bash: x++}: syntax error: invalid arithmetic operator (error token is "}")
=================================================================
==11490==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001f77 at pc 0x55c081f6ad7e bp 0x7ffd7429f4a0 sp 0x7ffd7429f498
READ of size 1 at 0x602000001f77 thread T0
    #0 0x55c081f6ad7d in readtok ../../bash/expr.c:1274
    #1 0x55c081f6a32a in exp0 ../../bash/expr.c:1042
    #2 0x55c081f6a08e in exp1 ../../bash/expr.c:982
    #3 0x55c081f69f7d in exppower ../../bash/expr.c:937
    #4 0x55c081f69c62 in exp2 ../../bash/expr.c:862
    #5 0x55c081f69b76 in exp3 ../../bash/expr.c:836
    #6 0x55c081f69b07 in expshift ../../bash/expr.c:812
    #7 0x55c081f69a5a in exp4 ../../bash/expr.c:782
    #8 0x55c081f699e3 in exp5 ../../bash/expr.c:760
    #9 0x55c081f699a1 in expband ../../bash/expr.c:742
    #10 0x55c081f69963 in expbxor ../../bash/expr.c:723
    #11 0x55c081f69925 in expbor ../../bash/expr.c:704
    #12 0x55c081f69896 in expland ../../bash/expr.c:677
    #13 0x55c081f69803 in explor ../../bash/expr.c:649
    #14 0x55c081f696c6 in expcond ../../bash/expr.c:602
    #15 0x55c081f692f5 in expassign ../../bash/expr.c:487
    #16 0x55c081f69240 in expcomma ../../bash/expr.c:467
    #17 0x55c081f691cf in subexpr ../../bash/expr.c:449
    #18 0x55c081f68f2a in evalexp ../../bash/expr.c:414
    #19 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
    #20 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
    #21 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
    #22 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
    #23 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
    #24 0x55c081f11c6a in yylex ../../bash/parse.y:2677
    #25 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
    #26 0x55c081f05a72 in parse_command ../../bash/eval.c:294
    #27 0x55c081f05cc7 in read_command ../../bash/eval.c:338
    #28 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
    #29 0x55c081f006ad in main ../../bash/shell.c:794
    #30 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #31 0x55c081eff2a9 in _start (/home/dualbus/src/gnu/bash-builds/devel-asan/bash+0x842a9)

0x602000001f77 is located 7 bytes inside of 8-byte region [0x602000001f70,0x602000001f78)
freed by thread T0 here:
    #0 0x7f9bcd22ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x55c081f689a9 in expr_unwind ../../bash/expr.c:311
    #2 0x55c081f68e9d in evalexp ../../bash/expr.c:404
    #3 0x55c081fde64e in array_expand_index ../../bash/arrayfunc.c:947
    #4 0x55c081fdf169 in array_value_internal ../../bash/arrayfunc.c:1128
    #5 0x55c081fdf917 in get_array_value ../../bash/arrayfunc.c:1198
    #6 0x55c081f6aa51 in expr_streval ../../bash/expr.c:1179
    #7 0x55c081f6b311 in readtok ../../bash/expr.c:1343
    #8 0x55c081f691ca in subexpr ../../bash/expr.c:447
    #9 0x55c081f68f2a in evalexp ../../bash/expr.c:414
    #10 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
    #11 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
    #12 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
    #13 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
    #14 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
    #15 0x55c081f11c6a in yylex ../../bash/parse.y:2677
    #16 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
    #17 0x55c081f05a72 in parse_command ../../bash/eval.c:294
    #18 0x55c081f05cc7 in read_command ../../bash/eval.c:338
    #19 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
    #20 0x55c081f006ad in main ../../bash/shell.c:794
    #21 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f9bcd22ed28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55c08200fa54 in xmalloc ../../bash/xmalloc.c:112
    #2 0x55c081f6912e in subexpr ../../bash/expr.c:438
    #3 0x55c081f68f2a in evalexp ../../bash/expr.c:414
    #4 0x55c081fb0527 in param_expand ../../bash/subst.c:9159
    #5 0x55c081fb2ea4 in expand_word_internal ../../bash/subst.c:9655
    #6 0x55c081f93a17 in expand_prompt_string ../../bash/subst.c:3785
    #7 0x55c081f2199d in decode_prompt_string ../../bash/parse.y:5973
    #8 0x55c081f1f71b in prompt_again ../../bash/parse.y:5484
    #9 0x55c081f11c6a in yylex ../../bash/parse.y:2677
    #10 0x55c081f068a1 in yyparse /home/dualbus/src/gnu/bash-builds/devel-asan/y.tab.c:1821
    #11 0x55c081f05a72 in parse_command ../../bash/eval.c:294
    #12 0x55c081f05cc7 in read_command ../../bash/eval.c:338
    #13 0x55c081f04f03 in reader_loop ../../bash/eval.c:140
    #14 0x55c081f006ad in main ../../bash/shell.c:794
    #15 0x7f9bcc9c02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free ../../bash/expr.c:1274 in readtok
Shadow bytes around the buggy address:
  0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83c0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa fd fa
  0x0c047fff83d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff83e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
  0x0c047fff83f0: fa fa 00 fa fa fa fd fd fa fa 00 02 fa fa 00 05
  0x0c047fff8400: fa fa 02 fa fa fa 01 fa fa fa 00 05 fa fa fd fd
  0x0c047fff8410: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0c047fff8420: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa fd fd
  0x0c047fff8430: fa fa fd fa fa fa 00 04 fa fa 00 fa fa fa 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11490==ABORTING
Segmentation fault (core dumped)


(gdb) bt
#0  0x000055c081fcd16b in termsig_sighandler (sig=6) at ../../bash/sig.c:533
#1  <signal handler called>
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#3  0x00007f9bcc9d43fa in __GI_abort () at abort.c:89
#4  0x00007f9bcd248329 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#5  0x00007f9bcd23d9ab in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#6  0x00007f9bcd237b57 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#7  0x00007f9bcd2381e8 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.3
#8  0x000055c081f6ad7e in readtok () at ../../bash/expr.c:1274
#9  0x000055c081f6a32b in exp0 () at ../../bash/expr.c:1042
#10 0x000055c081f6a08f in exp1 () at ../../bash/expr.c:982
#11 0x000055c081f69f7e in exppower () at ../../bash/expr.c:937
#12 0x000055c081f69c63 in exp2 () at ../../bash/expr.c:862
#13 0x000055c081f69b77 in exp3 () at ../../bash/expr.c:836
#14 0x000055c081f69b08 in expshift () at ../../bash/expr.c:812
#15 0x000055c081f69a5b in exp4 () at ../../bash/expr.c:782
#16 0x000055c081f699e4 in exp5 () at ../../bash/expr.c:760
#17 0x000055c081f699a2 in expband () at ../../bash/expr.c:742
#18 0x000055c081f69964 in expbxor () at ../../bash/expr.c:723
#19 0x000055c081f69926 in expbor () at ../../bash/expr.c:704
#20 0x000055c081f69897 in expland () at ../../bash/expr.c:677
#21 0x000055c081f69804 in explor () at ../../bash/expr.c:649
#22 0x000055c081f696c7 in expcond () at ../../bash/expr.c:602
#23 0x000055c081f692f6 in expassign () at ../../bash/expr.c:487
#24 0x000055c081f69241 in expcomma () at ../../bash/expr.c:467
#25 0x000055c081f691d0 in subexpr (expr=0x602000001f90 "b[x++}]") at ../../bash/expr.c:449
#26 0x000055c081f68f2b in evalexp (expr=0x602000001f90 "b[x++}]", flags=1, validp=0x7ffd7429fdc0) at ../../bash/expr.c:414
#27 0x000055c081fb0528 in param_expand (string=0x602000001ff0 "$((b[x++}]))", sindex=0x7ffd7429ffc0, quoted=1, expanded_something=0x0, contains_dollar_at=0x7ffd742a0080,
    quoted_dollar_at_p=0x7ffd742a0000, had_quoted_null_p=0x7ffd742a0040, pflags=0) at ../../bash/subst.c:9159
#28 0x000055c081fb2ea5 in expand_word_internal (word=0x7ffd742a0240, quoted=1, isexp=0, contains_dollar_at=0x0, expanded_something=0x0) at ../../bash/subst.c:9655
#29 0x000055c081f93a18 in expand_prompt_string (string=0x604000008d50 "$((b[x++}]))", quoted=1, wflags=0) at ../../bash/subst.c:3785
#30 0x000055c081f2199e in decode_prompt_string (string=0x60200000205d "") at ../../bash/parse.y:5973
#31 0x000055c081f1f71c in prompt_again () at ../../bash/parse.y:5484
#32 0x000055c081f11c6b in yylex () at ../../bash/parse.y:2677
#33 0x000055c081f068a2 in yyparse () at y.tab.c:1821
#34 0x000055c081f05a73 in parse_command () at ../../bash/eval.c:294
#35 0x000055c081f05cc8 in read_command () at ../../bash/eval.c:338
#36 0x000055c081f04f04 in reader_loop () at ../../bash/eval.c:140
#37 0x000055c081f006ae in main (argc=1, argv=0x7ffd742a29f8, env=0x7ffd742a2a08) at ../../bash/shell.c:794

--
Eduardo Bustamante
https://dualbus.me/
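The two stacks in the report above describe a recognisable shape of use-after-free in a recursive evaluator: the expression string is allocated in subexpr, the array subscript inside $(( )) makes readtok (via expr_streval and array_expand_index) start a nested evalexp on the index, that nested evaluation fails on the stray `}` and expr_unwind frees the saved expression contexts, and the outer readtok then reads from the string it no longer owns. The program below is an added, constructed model of that pattern written for this page; it is not bash's expr.c and it is not Chet's fix, which the thread does not show. All names in it (frames, push_frame, unwind_to, evaluate) are mine. One unwind routine is used for both variants: calling it with floor 0 from a nested evaluation is the bug shape, calling it with the nested evaluation's own frame index is the fix shape. The check on frames[me] after the nested call stands in for the sanitizer, so the program reports the dangling frame instead of dereferencing it and runs cleanly without ASAN.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 8

/* Constructed model, not bash's expr.c: each evaluation pushes a frame that
 * owns a private heap copy of the text it is tokenising. */
static char *frames[MAX_DEPTH];
static int depth = 0;

static int push_frame(const char *expr)
{
    size_t n = strlen(expr) + 1;
    if (depth >= MAX_DEPTH || (frames[depth] = malloc(n)) == NULL)
        return -1;
    memcpy(frames[depth], expr, n);
    return depth++;
}

/* Pop and free every frame above 'floor'. Calling it with floor == 0 from a
 * nested evaluation is the bug shape: it also frees the caller's string. */
static void unwind_to(int floor)
{
    while (depth > floor) {
        depth--;
        free(frames[depth]);
        frames[depth] = NULL;
    }
}

/* Returns 0 on success, -1 on a syntax error, and -2 when this call's own
 * frame was freed underneath it by a nested unwind (the use-after-free
 * condition, reported instead of dereferenced). */
static int evaluate(const char *expr, int fixed)
{
    int me = push_frame(expr);
    int status = 0;
    const char *tp;

    if (me < 0)
        return -1;
    /* status is tested before *tp so a dangling tp is never read */
    for (tp = frames[me]; status == 0 && *tp != '\0'; ) {
        if (isalnum((unsigned char)*tp) || strchr("+-*/ ", *tp) != NULL) {
            tp++;
        } else if (*tp == '[') {
            /* Subscript: the index is a nested evaluation, the way an array
             * reference inside $(( )) is in the report above. */
            const char *close = strchr(tp + 1, ']');
            size_t n = close ? (size_t)(close - tp - 1) : 0;
            char *sub = close ? malloc(n + 1) : NULL;
            int rc;

            if (sub == NULL) {
                status = -1;
                break;
            }
            memcpy(sub, tp + 1, n);
            sub[n] = '\0';
            rc = evaluate(sub, fixed);
            free(sub);
            /* Check our own frame before touching tp again: after a nested
             * unwind_to(0), frames[me] is NULL and tp dangles. */
            if (frames[me] == NULL)
                status = -2;
            else if (rc < 0)
                status = -1;
            else
                tp = close + 1;
        } else {
            status = -1;   /* any other byte, e.g. the '}' in the report */
        }
    }

    if (status == -1)
        unwind_to(fixed ? me : 0);   /* bug: floor 0 also frees outer frames */
    else if (status == 0)
        unwind_to(me);
    /* status == -2: the frame is already gone, nothing left to release */
    return status;
}

int main(void)
{
    printf("buggy unwind: %d\n", evaluate("b[x++}]", 0));   /* -2 */
    printf("fixed unwind: %d\n", evaluate("b[x++}]", 1));   /* -1 */
    printf("valid input : %d\n", evaluate("b[1]+2", 1));    /* 0 */
    return 0;
}
```

The detection side is worth noting: without the NULL check, the next read through tp in the buggy variant is exactly the one-byte heap read the sanitizer flagged at expr.c:1274, and a build with -fsanitize=address is what turns that silent read into the report seen above.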

Re: AddressSanitizer: heap-use-after-free in readtok | PS1='$((b[x++}]))'

Chet Ramey
On 6/20/17 10:58 AM, Eduardo A. Bustamante López wrote:
> I don't know how to fix this.

I fixed it, it's in today's devel branch push.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    [hidden email]    http://cnswww.cns.cwru.edu/~chet/