Groups > gnu.bash.bug > #14578
| Header | Value |
|---|---|
| From | Eduardo A. Bustamante López <dualbus@gmail.com> |
| Newsgroups | gnu.bash.bug |
| Subject | expand_prompt_string segmentation faults |
| Date | Fri, 14 Sep 2018 00:26:55 -0700 |
| Message-ID | <mailman.765.1536910027.1284.bug-bash@gnu.org> |
| To | bug-bash@gnu.org |
| User-Agent | Mutt/1.10.1 (2018-07-13) |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
Found the following two cases by fuzzing with AFL:
```bash
# Case #1: array_expand_index
bash <<'EOF'
x='${p[--b[?]]'; echo ${x@P}
EOF
```
```bash
# Case #1 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0 0x000000000080e0d3 in __strchr_sse2 ()
#1 0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2 0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at arrayfunc.c:899
#3 0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5228 "-1", flags=0) at variables.c:3371
#4 0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at expr.c:333
#5 exp0 () at expr.c:1015
#6 exp1 () at expr.c:983
#7 0x00000000004c54ae in exppower () at expr.c:938
#8 0x00000000004c4cf8 in exp2 () at expr.c:863
#9 0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbc9a48 "--b[?]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbc9a48 "--b[?]", flags=<optimized out>, validp=0x7fffffffce14) at expr.c:415
#23 0x0000000000589d81 in array_expand_index (var=<optimized out>, s=<optimized out>, len=<optimized out>, flags=<optimized out>) at arrayfunc.c:952
#24 0x000000000058b7f5 in array_value_internal (s=0xbc9a08 "p[--b[?]]", quoted=<optimized out>, flags=1, rtype=0x7fffffffce9c, indp=<optimized out>) at arrayfunc.c:1133
#25 0x000000000053eed1 in parameter_brace_expand_word (name=0xbc9a08 "p[--b[?]]", var_is_special=0, quoted=1, pflags=<optimized out>, indp=0x7fffffffcf40) at subst.c:6584
#26 0x0000000000536c7b in parameter_brace_expand (string=<optimized out>, quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8702
#27 param_expand (string=0xbc5fe8 "${p[--b[?]]", sindex=<optimized out>, quoted=<optimized out>, expanded_something=<optimized out>, contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9316
#28 0x0000000000510893 in expand_word_internal (word=0x7fffffffd0b0, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:9887
#29 0x000000000050f595 in expand_prompt_string (string=0xbc7ec8 "${p[--b[?]]", quoted=1, wflags=<optimized out>) at subst.c:3804
#30 0x0000000000420e71 in decode_prompt_string (string=<optimized out>) at ./parse.y:6065
#31 0x000000000055059c in string_transform (xc=<optimized out>, v=0xbc7dc8, s=0xbc5fc8 "${p[--b[?]]") at subst.c:7468
#32 0x000000000054a2b5 in parameter_brace_transform (varname=<optimized out>, value=<optimized out>, ind=<optimized out>, xform=<optimized out>, rtype=0, quoted=<optimized out>, pflags=0, flags=<optimized out>) at subst.c:7616
#33 0x000000000053bb17 in parameter_brace_expand (string=<optimized out>, quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8884
#34 param_expand (string=0xbc7e68 "${REPLY@P}", sindex=<optimized out>, quoted=<optimized out>, expanded_something=<optimized out>, contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, had_quoted_null_p=<optimized out>, pflags=<optimized out>) at subst.c:9316
#35 0x0000000000510893 in expand_word_internal (word=0xbc7828, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:9887
#36 0x0000000000529560 in shell_expand_word_list (tlist=<optimized out>, eflags=0) at subst.c:11233
#37 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at subst.c:11357
#38 0x000000000046f341 in execute_simple_command (simple_command=<optimized out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:4278
#39 execute_command_internal (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:840
#40 0x000000000046b5cb in execute_connection (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#41 execute_command_internal (command=0xbc5e48, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:1013
#42 0x0000000000605bcc in parse_and_execute (string=<optimized out>, from_file=<optimized out>, flags=4) at evalstring.c:436
#43 0x0000000000409a8c in run_one_command (command=<optimized out>) at shell.c:1416
#44 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at shell.c:735
EOF
```
```bash
# Case #2
bash <<'EOF'
x='$[++K[+]]/'; echo ${x@P}
EOF
```
```bash
# Case #2 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0 0x000000000080e0d3 in __strchr_sse2 ()
#1 0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2 0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at arrayfunc.c:899
#3 0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5248 "1", flags=0) at variables.c:3371
#4 0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at expr.c:333
#5 exp0 () at expr.c:1015
#6 exp1 () at expr.c:983
#7 0x00000000004c54ae in exppower () at expr.c:938
#8 0x00000000004c4cf8 in exp2 () at expr.c:863
#9 0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbcc9a8 "++K[+]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbcc9a8 "++K[+]", flags=<optimized out>, validp=0x7fffffffdee0) at expr.c:415
#23 0x0000000000531828 in param_expand (string=0xbcc968 "$[++K[+]]/", sindex=<optimized out>, quoted=<optimized out>, expanded_something=<optimized out>, contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>, had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9391
#24 0x0000000000510893 in expand_word_internal (word=0x7fffffffe050, quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized out>, expanded_something=<optimized out>) at subst.c:9887
#25 0x000000000050f595 in expand_prompt_string (string=0xbcc948 "$[++K[+]]/", quoted=0, wflags=<optimized out>) at subst.c:3804
#26 0x00000000005b82a8 in bash_directory_completion_hook (dirname=0xb182f8 <rl_filename_completion_function.dirname>) at bashline.c:3284
#27 0x00000000007057c7 in rl_filename_completion_function (text=<optimized out>, state=<optimized out>) at complete.c:2508
#28 0x000000000070bacd in rl_completion_matches (text=0xbcc8c8 "$[++K[+]]/", entry_function=0x7051c0 <rl_filename_completion_function>) at complete.c:2185
#29 0x000000000070819f in gen_completion_matches (text=0xbcc8c8 "$[++K[+]]/", start=<optimized out>, end=<optimized out>, our_func=0x7051c0 <rl_filename_completion_function>, found_quote=<optimized out>, quote_char=<optimized out>) at complete.c:1228
#30 0x00000000006fd828 in rl_complete_internal (what_to_do=9) at complete.c:2013
#31 0x00000000006de509 in _rl_dispatch_subseq (key=9, map=0xb104d0 <vi_insertion_keymap>, got_subseq=0) at readline.c:852
#32 0x00000000006dc6ce in _rl_dispatch (key=0, map=0x5b) at readline.c:798
#33 readline_internal_char () at readline.c:632
#34 0x00000000006da72d in readline_internal_charloop () at readline.c:659
#35 readline_internal () at readline.c:671
#36 readline (prompt=0x8e11cf "") at readline.c:377
#37 0x0000000000629741 in edit_line (p=<optimized out>, itext=<optimized out>) at ./read.def:1104
#38 read_builtin (list=<optimized out>) at ./read.def:563
#39 0x0000000000483417 in execute_builtin (builtin=0x6268c0 <read_builtin>, words=<optimized out>, flags=<optimized out>, subshell=0) at execute_cmd.c:4677
#40 0x00000000004725d4 in execute_builtin_or_function (redirects=<optimized out>, fds_to_close=<optimized out>, flags=<optimized out>, words=<optimized out>, builtin=<optimized out>, var=<optimized out>) at execute_cmd.c:5185
#41 execute_simple_command (simple_command=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:4449
#42 execute_command_internal (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:840
#43 0x000000000046b5cb in execute_connection (command=<optimized out>, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#44 execute_command_internal (command=0xbc5d88, asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:1013
#45 0x0000000000605bcc in parse_and_execute (string=<optimized out>, from_file=<optimized out>, flags=4) at evalstring.c:436
#46 0x0000000000409a8c in run_one_command (command=<optimized out>) at shell.c:1416
#47 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at shell.c:735
EOF
```
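Both backtraces end the same way: the arithmetic evaluator reaches `expr_bind_variable` with `lhs=0x0` after the array subscript (`?` and `+`) fails to parse, and `bind_int_variable` hands that NULL name to `valid_array_reference` and `mbschr`, which dereference it. The practical follow-up for anyone tracking this report is a regression check that feeds the two reproducers to the bash under test and distinguishes "rejected with an error" from "died from a signal". The harness below is an added example written for this page, not part of the report or of bash's own test suite; it assumes a `bash` binary in `PATH` and classifies outcomes purely by exit status (a status above 128 means the process was killed by signal `status - 128`, so a segfault shows up as 139).

```shell
#!/bin/sh
# Regression harness for the two expand_prompt_string reproducers above.
# Added example (not from the original report). Assumes `bash` is in PATH.

# Translate a shell exit status into "exit N" or "signal N".
# POSIX shells report a child killed by a signal as 128 + signal number,
# so SIGSEGV (11) appears as 139.
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "signal $(( $1 - 128 ))"
    else
        echo "exit $1"
    fi
}

# Feed one reproducer to a fresh, non-interactive bash and classify the
# outcome. The `|| status=$?` form keeps `set -e` callers from aborting
# when bash (correctly) exits non-zero on the malformed expansion.
run_case() {
    status=0
    printf '%s\n' "$1" | bash >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Print a verdict line and return 0 if bash survived the input, 1 if it
# died from a signal. A fixed bash must reject both inputs without crashing.
check_case() {
    result=$(run_case "$1")
    case $result in
        signal*) printf 'CRASH %-9s -- %s\n' "$result" "$1"; return 1 ;;
        *)       printf 'OK    %-9s -- %s\n' "$result" "$1"; return 0 ;;
    esac
}

# The two inputs from the report (Case #1 and Case #2), stored verbatim
# via quoted here-documents so no shell quoting has to be escaped.
CASE1=$(cat <<'EOF'
x='${p[--b[?]]'; echo ${x@P}
EOF
)
CASE2=$(cat <<'EOF'
x='$[++K[+]]/'; echo ${x@P}
EOF
)

# Run every case; exit non-zero if any of them crashed the shell.
main() {
    rc=0
    check_case "$CASE1" || rc=1
    check_case "$CASE2" || rc=1
    return $rc
}

if command -v bash >/dev/null 2>&1; then
    main
else
    echo 'bash not found in PATH; nothing to test' >&2
fi
```

Run it with `sh harness.sh`: a vulnerable build prints `CRASH signal 11` for each case, a fixed build prints `OK exit 1` (or another ordinary non-zero status), and the exit code of the script makes it usable as a CI gate. Classifying by exit status rather than by grepping error text keeps the check independent of bash's message wording, and the same `classify_status`/`check_case` pair can take any other AFL-found input for triage.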