
Segmentation fault in restore_tilde (bashline.c)

From: Eduardo A. Bustamante López <dualbus@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Segmentation fault in restore_tilde (bashline.c)
Date: Sat, 22 Sep 2018 12:01:12 -0700
Message-ID: <mailman.1144.1537663635.1284.bug-bash@gnu.org>



Found via fuzzing (of `read -e') using AFL.

To reproduce:

In a shell with `emacs' readline mode, type:

~""""""""""""""""/<M><!>

e.g.

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dualbus/src/gnu/bash/bash 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
bash-5.0$ ~""""""""""""""""/
Program received signal SIGSEGV, Segmentation fault.
__memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
206	../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file or directory.

(gdb) bt
#0  __memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
#1  0x000055555575518e in internal_malloc (n=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015, flags=1) at malloc.c:870
#2  0x00005555557568dc in sh_malloc (bytes=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015) at malloc.c:1302
#3  0x000055555569bf1f in sh_xmalloc (bytes=18446744073709551609, file=0x555555762db7 "bashline.c", line=3015) at xmalloc.c:185
#4  0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
#5  0x00005555556855fe in maybe_restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3031
#6  0x0000555555682940 in command_word_completion_function (hint_text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", state=0) at bashline.c:2157
#7  0x0000555555718e12 in rl_completion_matches (text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", entry_function=0x555555680f3c <command_word_completion_function>) at complete.c:2185
#8  0x0000555555714eb3 in gen_completion_matches (text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", start=0, end=18, our_func=0x555555680f3c <command_word_completion_function>, found_quote=2, quote_char=0)
    at complete.c:1228
#9  0x0000555555718352 in rl_complete_internal (what_to_do=9) at complete.c:2013
#10 0x0000555555688187 in bash_specific_completion (what_to_do=9, generator=0x555555680f3c <command_word_completion_function>) at bashline.c:3812
#11 0x0000555555687a6c in bash_complete_command_internal (what_to_do=9) at bashline.c:3690
#12 0x0000555555687958 in bash_complete_command (ignore=1, ignore2=33) at bashline.c:3662
#13 0x0000555555704df2 in _rl_dispatch_subseq (key=33, map=0x5555557cec60 <emacs_meta_keymap>, got_subseq=0) at readline.c:852
#14 0x0000555555705793 in _rl_dispatch_subseq (key=27, map=0x5555557cdc40 <emacs_standard_keymap>, got_subseq=0) at readline.c:986
#15 0x00005555557049e5 in _rl_dispatch (key=1437245440, map=0x5555557cdc40 <emacs_standard_keymap>) at readline.c:798
#16 0x000055555570432d in readline_internal_char () at readline.c:632
#17 0x000055555570441a in readline_internal_charloop () at readline.c:659
#18 0x0000555555704470 in readline_internal () at readline.c:671
#19 0x000055555570374f in readline (prompt=0x55555598f3e8 "bash-5.0$ ") at readline.c:377
#20 0x00005555555c5b2a in yy_readline_get () at ./parse.y:1476
#21 0x00005555555c5945 in yy_getc () at ./parse.y:1409
#22 0x00005555555c7648 in shell_getc (remove_quoted_newline=1) at ./parse.y:2334
#23 0x00005555555ca34c in read_token (command=0) at ./parse.y:3230
#24 0x00005555555c8e07 in yylex () at ./parse.y:2744
#25 0x00005555555bfef6 in yyparse () at y.tab.c:1823
#26 0x00005555555bf299 in parse_command () at eval.c:303
#27 0x00005555555bf4a9 in read_command () at eval.c:347
#28 0x00005555555bea6b in reader_loop () at eval.c:143
#29 0x00005555555ba3e7 in main (argc=1, argv=0x7fffffffe7d8, env=0x7fffffffe7e8) at shell.c:805

(gdb) frame 4
#4  0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt", directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
3015	  ret = (char *)xmalloc (dl2 + 2 + l);

(gdb) p dl2
$3 = 1
(gdb) p l
$4 = -10
(gdb) p vl
$5 = 6
(gdb) p xl
$6 = 17

(gdb) p rl_line_buffer
$8 = 0x555555a40e08 '\337' <repeats 199 times>, <incomplete sequence \337>...



Due to the expansions performed in restore_tilde, xl ends up being larger than
vl, and thus, we end up requesting a negative amount of memory. I kind of
understand what the problem is, but I don't really know how to fix it.
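The crash in the report is a signed-length underflow: the values printed in frame #4 (dl2 = 1, l = -10) give dl2 + 2 + l = -7, and -7 converted to size_t on a 64-bit build is exactly the n=18446744073709551609 that internal_malloc receives in frame #1 before memset faults on the bogus allocation. The following is an added example, not bash's restore_tilde() and not code from the reporter; it models that arithmetic and shows a splice written with unsigned lengths and an explicit "does the expanded prefix fit inside val" check. The function names, the simplified splice (assumed purpose: put the user's dequoted tilde prefix back in front of the remainder of the match) and the sample inputs are assumptions; only dl2, l and the string lengths vl = 6, xl = 17 come from the gdb session above.

```c
/* Added example (not bash's code): models the length underflow reported
 * above.  Function names, the simplified splice and the sample inputs are
 * assumptions; only the values dl2 = 1, l = -10, vl = 6, xl = 17 come
 * from the gdb session. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape of the failing line, ret = (char *)xmalloc (dl2 + 2 + l), with int
 * operands: a negative sum is converted to size_t at the call.  With the
 * reported values 1 + 2 + (-10) = -7 becomes SIZE_MAX - 6, which on a
 * 64-bit build is the n=18446744073709551609 seen in frame #1. */
size_t unchecked_alloc_size(int dl2, int l)
{
    int n = dl2 + 2 + l;          /* may be negative */
    return (size_t)n;             /* implicit conversion at the call site */
}

/* Hardened splice.  Assumed purpose: put the user's unexpanded, dequoted
 * prefix dh2 back in front of whatever follows the expanded prefix (xl
 * bytes) in val.  Every length is size_t and the remainder is taken only
 * when the expanded prefix really fits inside val; otherwise val is
 * returned unchanged, which is the situation in the report (vl = 6,
 * xl = 17).  Returns a malloc'd string (caller frees) or NULL on
 * allocation failure. */
char *splice_prefix_checked(const char *val, const char *dh2, size_t xl)
{
    size_t vl = strlen(val);
    size_t dl2 = strlen(dh2);
    char *ret;

    if (xl >= vl) {
        /* nothing left after the expanded prefix: keep what the user typed */
        ret = malloc(vl + 1);
        if (ret)
            memcpy(ret, val, vl + 1);
        return ret;
    }

    const char *rest = val + xl;
    if (*rest == '/')
        rest++;                   /* the '/' is re-inserted below */
    size_t rl = strlen(rest);

    /* dl2 + '/' + rl + NUL, guarded against size_t overflow */
    if (dl2 > SIZE_MAX - 2 - rl)
        return NULL;
    ret = malloc(dl2 + 2 + rl);
    if (!ret)
        return NULL;
    memcpy(ret, dh2, dl2);
    ret[dl2] = '/';
    memcpy(ret + dl2 + 1, rest, rl + 1);
    return ret;
}

/* Helper for checking results: splice, compare with the expected string,
 * free.  Returns 1 on match, 0 otherwise. */
int splice_matches(const char *val, const char *dh2, size_t xl, const char *want)
{
    char *got = splice_prefix_checked(val, dh2, xl);
    int ok = got != NULL && strcmp(got, want) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* constructed inputs: a normal completion and the reported shape */
    printf("unchecked size for dl2=1, l=-10: %zu\n", unchecked_alloc_size(1, -10));
    char *a = splice_prefix_checked("/home/dualbus/.bashrc", "~", 13);
    char *b = splice_prefix_checked("~/.swt", "~\"\"\"\"", 17);
    printf("normal case : %s\n", a ? a : "(null)");
    printf("report case : %s\n", b ? b : "(null)");
    free(a);
    free(b);
    return 0;
}
```

The first function is only there to make the conversion visible; the point of the second is that the decision "is there a remainder at all" is made on unsigned lengths before any size is computed, so a prefix that expands to something longer than the value being completed can never reach the allocator as a negative number.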
