Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > gnu.bash.bug > #14606

free: start and end chunk sizes differ - in _rl_isearch_cleanup

Path csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail
From Eduardo A. Bustamante López <dualbus@gmail.com>
Newsgroups gnu.bash.bug
Subject free: start and end chunk sizes differ - in _rl_isearch_cleanup
Date Thu, 20 Sep 2018 00:45:44 -0700
Lines 48
Approved bug-bash@gnu.org
Message-ID <mailman.1015.1537429552.1284.bug-bash@gnu.org> (permalink)
NNTP-Posting-Host lists.gnu.org
Mime-Version 1.0
Content-Type text/plain; charset=utf-8
Content-Transfer-Encoding 8bit
X-Trace usenet.stanford.edu 1537429552 15094 208.118.235.17 (20 Sep 2018 07:45:52 GMT)
X-Complaints-To action@cs.stanford.edu
To bug-bash@gnu.org
Envelope-to bug-bash@gnu.org
DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:subject:message-id:mail-followup-to:mime-version :content-disposition:content-transfer-encoding:user-agent; bh=I3nAGjStS44ArFz/Z0xPe65hptmu69Ez5GIWEuWrJTg=; b=q/h38UWLdCotVqNlfWyd33bpa2qYwhGQDK9M7xQ9kwQIxDSicd9Bhey2oFjsCEQVKb dX6CW2GQvmz89y6dIZMzEIcPtN3M3gzm3fYYpiQp67dYUum3lHAGfbN8WTPyCRP6IBgj 62QYzFEsWxS68VxkpJKNNmpnyFU5ff5xsKRIRJ4yf3MYT13+n8p+wnLI6cI1t8gk9DnZ 5bsNobOpkZdi9gndvNggCvJji8QCGMhcmxBSZC4Hg0+CAKzjN0wJzjZJne1/s4CRNUaj I1NrZGdy7NFhA1q0mpoiIN6+eN/UO/au2nAYSIoWy/JaD9RvHcnI7dZrKWdKB0nw8vyL fCQg==
X-Google-DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mail-followup-to :mime-version:content-disposition:content-transfer-encoding :user-agent; bh=I3nAGjStS44ArFz/Z0xPe65hptmu69Ez5GIWEuWrJTg=; b=h0QtVHzUqsabKnpb7MFRM3YiMgUbkHKHF7J5LCzFN2ZJ3KANeK7Gf8N8K62IV1W3i/ fyO08yiX+fOLrhOmU8h7piR+6r/EAuwFzt/yqQOQuiRtvFY6G2K3tQMYwiX1q1Znr5gf 0CbmicQwAeB90yvryVhJYV8UnSU/JgpX/pUq6QJlVnAOZ36NmuvJ2OOkU2YzSb7srRV9 gzPN8w3MzjJigIRP+R5WcmFLINDDT6zOKXsKa7kra2RwA2XDh2UMQL8HGgPbTt4zWwOb ZztRhGWg55SsBxeDF7isod9BScvLzeQfkpREAF8v5qs0EC1PHGlZ0A8G7J7Detyf8GXG 3YRA==
X-Gm-Message-State APzg51A8IvojCKpKctdCVHtmISBeVx7USHHrdr9RJ1CrJ1l9ya8zF+TO Pu1rLUyCEKvIiuZEYQeZDwp5Pnpx
X-Google-Smtp-Source ANB0VdYFB4H+hLVZUDe7ZH9P+dAauCC4qGkVxFWsa/hXChx08Nsmcoeh2ZwDB+VYxZQdXY3NzNBSmQ==
X-Received by 2002:a63:5321:: with SMTP id h33-v6mr4085628pgb.139.1537429547357; Thu, 20 Sep 2018 00:45:47 -0700 (PDT)
Mail-Followup-To bug-bash@gnu.org
Content-Disposition inline
User-Agent Mutt/1.10.1 (2018-07-13)
X-detected-operating-system by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From 2607:f8b0:4864:20::42e
X-BeenThere bug-bash@gnu.org
X-Mailman-Version 2.1.21
Precedence list
List-Id Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive <http://lists.gnu.org/archive/html/bug-bash/>
List-Post <mailto:bug-bash@gnu.org>
List-Help <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref csiph.com gnu.bash.bug:14606

Show key headers only | View raw

Found by fuzzing with AFL.

$ base64 -d >i
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwEzAwMDAwMDAA
MDAwMDAwMDAwMDAwMDAwMDAw/zAwMDAwMDAwMDAwMDAwMDAwMDABExMZMDAw86Iw

$ cat -A i
000000000000000000000000000000000000000000000000^S0000000^@000000000000000000M-^?0000000000000000000^A^S^S^Y000M-sM-"0

$ gdb -batch -ex=r -ex=bt --args ./bash --noprofile --norc -c 'set -o emacs; read -e < i'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(failed i-search)`0000000': 000000000000000000000000000000000000000000000000�0000000000000000000
malloc: unknown:0: assertion botched
malloc: 0x686408: allocated: last allocated from unknown:0
free: start and end chunk sizes differ
Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff79a7535 in __GI_abort () at abort.c:79
#2  0x00000000004597bb in programming_error (format=0x55584b "free: start and end chunk sizes differ") at error.c:175
#3  0x0000000000532422 in xbotch (mem=0x686408, e=8, s=0x55584b "free: start and end chunk sizes differ", file=0x0, line=0) at malloc.c:354
#4  0x00000000005318aa in internal_free (mem=0x686408, file=0x0, line=0, flags=0) at malloc.c:960
#5  0x0000000000531eaf in free (mem=0x686408) at malloc.c:1388
#6  0x0000000000511b3b in _rl_scxt_dispose (cxt=0x686008, flags=0) at isearch.c:124
#7  0x000000000051331d in _rl_isearch_cleanup (cxt=0x686008, r=-1) at isearch.c:741
#8  0x0000000000511c73 in rl_search_history (direction=1, invoking_key=19) at isearch.c:783
#9  0x0000000000511c99 in rl_forward_search_history (sign=1, key=19) at isearch.c:144
#10 0x00000000004fb3a0 in _rl_dispatch_subseq (key=19, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#11 0x00000000004fad39 in _rl_dispatch (key=19, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#12 0x00000000004faca9 in readline_internal_char () at readline.c:632
#13 0x00000000004fc2d2 in readline_internal_charloop () at readline.c:659
#14 0x00000000004fa5fe in readline_internal () at readline.c:671
#15 0x00000000004fa4c0 in readline (prompt=0x55466f "") at readline.c:377
#16 0x00000000004caa96 in edit_line (p=0x55466f "", itext=0x0) at ./read.def:1104
#17 0x00000000004c953a in read_builtin (list=0x0) at ./read.def:563
#18 0x000000000044b599 in execute_builtin (builtin=0x4c85e0 <read_builtin>, words=0x628f88, flags=0, subshell=0) at execute_cmd.c:4677
#19 0x000000000044a96f in execute_builtin_or_function (words=0x628f88, builtin=0x4c85e0 <read_builtin>, var=0x0, redirects=0x628b88, fds_to_close=0x628aa8, flags=0) at execute_cmd.c:5185
#20 0x00000000004437c9 in execute_simple_command (simple_command=0x628b48, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628aa8) at execute_cmd.c:4449
#21 0x00000000004412ab in execute_command_internal (command=0x628b08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:840
#22 0x0000000000445208 in execute_connection (command=0x628c08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:2689
#23 0x0000000000441681 in execute_command_internal (command=0x628c08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628aa8) at execute_cmd.c:1013
#24 0x00000000004bf587 in parse_and_execute (string=0x628408 "set -o emacs; read -e < i", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#25 0x0000000000423845 in run_one_command (command=0x7fffffffeaaa "set -o emacs; read -e < i") at shell.c:1416
#26 0x0000000000421920 in main (argc=5, argv=0x7fffffffe778, env=0x7fffffffe7a8) at shell.c:735

Back to gnu.bash.bug | Previous | Next | Find similar | Unroll thread

Thread

free: start and end chunk sizes differ - in _rl_isearch_cleanup Eduardo A. Bustamante López <dualbus@gmail.com> - 2018-09-20 00:45 -0700

csiph-web