


free: start and end chunk sizes differ - in _rl_isearch_cleanup

From Eduardo A. Bustamante López <dualbus@gmail.com>
Newsgroups gnu.bash.bug
Subject free: start and end chunk sizes differ - in _rl_isearch_cleanup
Date 2018-09-20 00:45 -0700
Message-ID <mailman.1015.1537429552.1284.bug-bash@gnu.org> (permalink)



Found by fuzzing with AFL.

$ base64 -d >i
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwEzAwMDAwMDAA
MDAwMDAwMDAwMDAwMDAwMDAw/zAwMDAwMDAwMDAwMDAwMDAwMDABExMZMDAw86Iw

$ cat -A i
000000000000000000000000000000000000000000000000^S0000000^@000000000000000000M-^?0000000000000000000^A^S^S^Y000M-sM-"0

$ gdb -batch -ex=r -ex=bt --args ./bash --noprofile --norc -c 'set -o emacs; read -e < i'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(failed i-search)`0000000': 000000000000000000000000000000000000000000000000�0000000000000000000
malloc: unknown:0: assertion botched
malloc: 0x686408: allocated: last allocated from unknown:0
free: start and end chunk sizes differ
Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff79a7535 in __GI_abort () at abort.c:79
#2  0x00000000004597bb in programming_error (format=0x55584b "free: start and end chunk sizes differ") at error.c:175
#3  0x0000000000532422 in xbotch (mem=0x686408, e=8, s=0x55584b "free: start and end chunk sizes differ", file=0x0, line=0) at malloc.c:354
#4  0x00000000005318aa in internal_free (mem=0x686408, file=0x0, line=0, flags=0) at malloc.c:960
#5  0x0000000000531eaf in free (mem=0x686408) at malloc.c:1388
#6  0x0000000000511b3b in _rl_scxt_dispose (cxt=0x686008, flags=0) at isearch.c:124
#7  0x000000000051331d in _rl_isearch_cleanup (cxt=0x686008, r=-1) at isearch.c:741
#8  0x0000000000511c73 in rl_search_history (direction=1, invoking_key=19) at isearch.c:783
#9  0x0000000000511c99 in rl_forward_search_history (sign=1, key=19) at isearch.c:144
#10 0x00000000004fb3a0 in _rl_dispatch_subseq (key=19, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#11 0x00000000004fad39 in _rl_dispatch (key=19, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#12 0x00000000004faca9 in readline_internal_char () at readline.c:632
#13 0x00000000004fc2d2 in readline_internal_charloop () at readline.c:659
#14 0x00000000004fa5fe in readline_internal () at readline.c:671
#15 0x00000000004fa4c0 in readline (prompt=0x55466f "") at readline.c:377
#16 0x00000000004caa96 in edit_line (p=0x55466f "", itext=0x0) at ./read.def:1104
#17 0x00000000004c953a in read_builtin (list=0x0) at ./read.def:563
#18 0x000000000044b599 in execute_builtin (builtin=0x4c85e0 <read_builtin>, words=0x628f88, flags=0, subshell=0) at execute_cmd.c:4677
#19 0x000000000044a96f in execute_builtin_or_function (words=0x628f88, builtin=0x4c85e0 <read_builtin>, var=0x0, redirects=0x628b88, fds_to_close=0x628aa8, flags=0) at execute_cmd.c:5185
#20 0x00000000004437c9 in execute_simple_command (simple_command=0x628b48, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628aa8) at execute_cmd.c:4449
#21 0x00000000004412ab in execute_command_internal (command=0x628b08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:840
#22 0x0000000000445208 in execute_connection (command=0x628c08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:2689
#23 0x0000000000441681 in execute_command_internal (command=0x628c08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:1013
#24 0x00000000004bf587 in parse_and_execute (string=0x628408 "set -o emacs; read -e < i", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#25 0x0000000000423845 in run_one_command (command=0x7fffffffeaaa "set -o emacs; read -e < i") at shell.c:1416
#26 0x0000000000421920 in main (argc=5, argv=0x7fffffffe778, env=0x7fffffffe7a8) at shell.c:735
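
The assertion at the top of this backtrace comes from the chunk bookkeeping in bash's bundled allocator: the chunk size is recorded before the user data and again right after it, and the two are compared on free. The C model below is an added illustration of that check, not code from bash's malloc.c (whose header is more elaborate); the names guarded_malloc, guarded_free and copy_then_free are hypothetical, and the overrun case writes exactly four bytes past the user buffer so that the write stays inside the raw allocation and only clobbers the trailer.

```c
/* Model of a start/end chunk-size check, in the spirit of the assertion
   "free: start and end chunk sizes differ". Layout of one chunk:
   [uint32_t size][user bytes ...][uint32_t size]                         */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for guarded_free (hypothetical names for this example). */
enum { GFREE_OK = 0, GFREE_TRAILER_MISMATCH = 1 };

/* Allocate nbytes of user data and record the size before and after it. */
void *guarded_malloc(uint32_t nbytes)
{
    unsigned char *raw = malloc(sizeof(uint32_t) + nbytes + sizeof(uint32_t));
    if (raw == NULL)
        return NULL;
    memcpy(raw, &nbytes, sizeof nbytes);                              /* start */
    memcpy(raw + sizeof(uint32_t) + nbytes, &nbytes, sizeof nbytes);  /* end   */
    return raw + sizeof(uint32_t);
}

/* Compare the start and end sizes. A write that ran past the end of the
   user buffer overwrites the trailer, so the mismatch is detected here,
   at the next free, rather than corrupting a neighbouring chunk silently. */
int guarded_free(void *mem)
{
    unsigned char *raw = (unsigned char *)mem - sizeof(uint32_t);
    uint32_t start, end;
    memcpy(&start, raw, sizeof start);
    memcpy(&end, raw + sizeof(uint32_t) + start, sizeof end);
    if (start != end) {
        fprintf(stderr, "free: start and end chunk sizes differ\n");
        return GFREE_TRAILER_MISMATCH;   /* bash aborts at this point */
    }
    free(raw);
    return GFREE_OK;
}

/* Simulates a caller that copies len bytes into a chunk sized for cap bytes.
   With len == cap the free succeeds; with len == cap + 4 the copy overruns
   into the trailer and guarded_free reports the mismatch. */
int copy_then_free(uint32_t cap, size_t len)
{
    char *buf = guarded_malloc(cap);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);   /* overrun into the trailer when len > cap */
    return guarded_free(buf);
}
```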


