From: Eduardo A. Bustamante López
Newsgroups: gnu.bash.bug
Subject: expand_prompt_string segmentation faults
Date: Fri, 14 Sep 2018 00:26:55 -0700
To: bug-bash@gnu.org

Found the following two cases by fuzzing with AFL:

# Case #1: array_expand_index
bash <<'EOF'
x='${p[--b[?]]'; echo ${x@P}
EOF

# Case #1 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0  0x000000000080e0d3 in __strchr_sse2 ()
#1  0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2  0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at arrayfunc.c:899
#3  0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5228 "-1", flags=0) at variables.c:3371
#4  0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=) at expr.c:333
#5  exp0 () at expr.c:1015
#6  exp1 () at expr.c:983
#7  0x00000000004c54ae in exppower () at expr.c:938
#8  0x00000000004c4cf8 in exp2 () at expr.c:863
#9  0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbc9a48 "--b[?]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbc9a48 "--b[?]", flags=, validp=0x7fffffffce14) at expr.c:415
#23 0x0000000000589d81 in array_expand_index (var=, s=, len=, flags=) at arrayfunc.c:952
#24 0x000000000058b7f5 in array_value_internal (s=0xbc9a08 "p[--b[?]]", quoted=, flags=1, rtype=0x7fffffffce9c, indp=) at arrayfunc.c:1133
#25 0x000000000053eed1 in parameter_brace_expand_word (name=0xbc9a08 "p[--b[?]]", var_is_special=0, quoted=1, pflags=, indp=0x7fffffffcf40) at subst.c:6584
#26 0x0000000000536c7b in parameter_brace_expand (string=, quoted=, pflags=, contains_dollar_at=, indexp=, quoted_dollar_atp=) at subst.c:8702
#27 param_expand (string=0xbc5fe8 "${p[--b[?]]", sindex=, quoted=, expanded_something=, contains_dollar_at=, quoted_dollar_at_p=, had_quoted_null_p=0x0, pflags=) at subst.c:9316
#28 0x0000000000510893 in expand_word_internal (word=0x7fffffffd0b0, quoted=, isexp=, contains_dollar_at=, expanded_something=) at subst.c:9887
#29 0x000000000050f595 in expand_prompt_string (string=0xbc7ec8 "${p[--b[?]]", quoted=1, wflags=) at subst.c:3804
#30 0x0000000000420e71 in decode_prompt_string (string=) at ./parse.y:6065
#31 0x000000000055059c in string_transform (xc=, v=0xbc7dc8, s=0xbc5fc8 "${p[--b[?]]") at subst.c:7468
#32 0x000000000054a2b5 in parameter_brace_transform (varname=, value=, ind=, xform=, rtype=0, quoted=, pflags=0, flags=) at subst.c:7616
#33 0x000000000053bb17 in parameter_brace_expand (string=, quoted=, pflags=, contains_dollar_at=, indexp=, quoted_dollar_atp=) at subst.c:8884
#34 param_expand (string=0xbc7e68 "${REPLY@P}", sindex=, quoted=, expanded_something=, contains_dollar_at=, quoted_dollar_at_p=, had_quoted_null_p=, pflags=) at subst.c:9316
#35 0x0000000000510893 in expand_word_internal (word=0xbc7828, quoted=, isexp=, contains_dollar_at=, expanded_something=) at subst.c:9887
#36 0x0000000000529560 in shell_expand_word_list (tlist=, eflags=0) at subst.c:11233
#37 expand_word_list_internal (list=, eflags=) at subst.c:11357
#38 0x000000000046f341 in execute_simple_command (simple_command=, pipe_in=-1, pipe_out=-1, async=, fds_to_close=) at execute_cmd.c:4278
#39 execute_command_internal (command=, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:840
#40 0x000000000046b5cb in execute_connection (command=, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:2689
#41 execute_command_internal (command=0xbc5e48, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:1013
#42 0x0000000000605bcc in parse_and_execute (string=, from_file=, flags=4) at evalstring.c:436
#43 0x0000000000409a8c in run_one_command (command=) at shell.c:1416
#44 0x00000000004063a7 in main (argc=, argv=, env=) at shell.c:735
EOF

# Case #2
bash <<'EOF'
x='$[++K[+]]/'; echo ${x@P}
EOF

# Case #2 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0  0x000000000080e0d3 in __strchr_sse2 ()
#1  0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2  0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at arrayfunc.c:899
#3  0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5248 "1", flags=0) at variables.c:3371
#4  0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=) at expr.c:333
#5  exp0 () at expr.c:1015
#6  exp1 () at expr.c:983
#7  0x00000000004c54ae in exppower () at expr.c:938
#8  0x00000000004c4cf8 in exp2 () at expr.c:863
#9  0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbcc9a8 "++K[+]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbcc9a8 "++K[+]", flags=, validp=0x7fffffffdee0) at expr.c:415
#23 0x0000000000531828 in param_expand (string=0xbcc968 "$[++K[+]]/", sindex=, quoted=, expanded_something=, contains_dollar_at=, quoted_dollar_at_p=, had_quoted_null_p=0x0, pflags=) at subst.c:9391
#24 0x0000000000510893 in expand_word_internal (word=0x7fffffffe050, quoted=, isexp=, contains_dollar_at=, expanded_something=) at subst.c:9887
#25 0x000000000050f595 in expand_prompt_string (string=0xbcc948 "$[++K[+]]/", quoted=0, wflags=) at subst.c:3804
#26 0x00000000005b82a8 in bash_directory_completion_hook (dirname=0xb182f8 ) at bashline.c:3284
#27 0x00000000007057c7 in rl_filename_completion_function (text=, state=) at complete.c:2508
#28 0x000000000070bacd in rl_completion_matches (text=0xbcc8c8 "$[++K[+]]/", entry_function=0x7051c0 ) at complete.c:2185
#29 0x000000000070819f in gen_completion_matches (text=0xbcc8c8 "$[++K[+]]/", start=, end=, our_func=0x7051c0 , found_quote=, quote_char=) at complete.c:1228
#30 0x00000000006fd828 in rl_complete_internal (what_to_do=9) at complete.c:2013
#31 0x00000000006de509 in _rl_dispatch_subseq (key=9, map=0xb104d0 , got_subseq=0) at readline.c:852
#32 0x00000000006dc6ce in _rl_dispatch (key=0, map=0x5b) at readline.c:798
#33 readline_internal_char () at readline.c:632
#34 0x00000000006da72d in readline_internal_charloop () at readline.c:659
#35 readline_internal () at readline.c:671
#36 readline (prompt=0x8e11cf "") at readline.c:377
#37 0x0000000000629741 in edit_line (p=, itext=) at ./read.def:1104
#38 read_builtin (list=) at ./read.def:563
#39 0x0000000000483417 in execute_builtin (builtin=0x6268c0 , words=, flags=, subshell=0) at execute_cmd.c:4677
#40 0x00000000004725d4 in execute_builtin_or_function (redirects=, fds_to_close=, flags=, words=, builtin=, var=) at execute_cmd.c:5185
#41 execute_simple_command (simple_command=, pipe_in=, pipe_out=, async=, fds_to_close=) at execute_cmd.c:4449
#42 execute_command_internal (command=, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:840
#43 0x000000000046b5cb in execute_connection (command=, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:2689
#44 execute_command_internal (command=0xbc5d88, asynchronous=, pipe_in=, pipe_out=, fds_to_close=) at execute_cmd.c:1013
#45 0x0000000000605bcc in parse_and_execute (string=, from_file=, flags=4) at evalstring.c:436
#46 0x0000000000409a8c in run_one_command (command=) at shell.c:1416
#47 0x00000000004063a7 in main (argc=, argv=, env=) at shell.c:735
EOF
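Added example, not part of the report and not bash's source: a small C model of the call chain the two backtraces share (expr_bind_variable -> bind_int_variable -> valid_array_reference -> mbschr/strchr, reached with a NULL name once the ++/-- operand has an unevaluable subscript), beside the boundary check that turns the NULL dereference into an error return. The function names mirror the backtrace frames so the reader can map them; their bodies, and the helpers resolve_lvalue(), subscript_is_valid() and eval_and_bind(), are hypothetical stand-ins, not bash's implementation.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subscript check (not bash's arithmetic evaluator): the text between
 * '[' and ']' must be a non-empty run of digits, so "b[?]" and "K[+]" are rejected. */
static int subscript_is_valid(const char *open, const char *close)
{
    if (close - open < 2)
        return 0;
    for (const char *p = open + 1; p < close; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* Hypothetical stand-in for the evaluator resolving the operand of "++x" / "--x".
 * Returns a malloc'd copy of the target name, or NULL when the operand is not a
 * bindable lvalue. Caller frees. NULL is exactly what frame #4 of both backtraces
 * received as lhs. */
char *resolve_lvalue(const char *expr)
{
    if (strncmp(expr, "++", 2) != 0 && strncmp(expr, "--", 2) != 0)
        return NULL;
    const char *name = expr + 2;
    const char *p = name;
    while (isalnum((unsigned char)*p) || *p == '_')
        p++;
    if (p == name)                      /* no identifier at all */
        return NULL;
    if (*p == '[') {
        const char *close = strchr(p, ']');
        if (close == NULL || close[1] != '\0' || !subscript_is_valid(p, close))
            return NULL;
    } else if (*p != '\0') {
        return NULL;
    }
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, name, len);
    return copy;
}

/* Shape of valid_array_reference() as the backtrace shows it being reached:
 * name == 0x0 goes straight into strchr() (mbschr() in bash), which dereferences it. */
int valid_array_reference_unchecked(const char *name)
{
    const char *t = strchr(name, '[');        /* crashes when name == NULL */
    return t != NULL && t != name && t[strlen(t) - 1] == ']';
}

/* Hardened form: reject NULL or empty before any string function sees the pointer. */
int valid_array_reference_checked(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    const char *t = strchr(name, '[');
    return t != NULL && t != name && t[strlen(t) - 1] == ']';
}

/* Stand-in for bind_int_variable(lhs, rhs) with the check that is missing on the
 * crashing path: a NULL lhs is an evaluator error, not a variable to bind.
 * Returns 0 on a successful binding, -1 on an invalid assignment target. */
int bind_int_variable_checked(const char *lhs, const char *rhs)
{
    if (lhs == NULL) {
        fprintf(stderr, "bind_int_variable: invalid assignment target for value %s\n", rhs);
        return -1;
    }
    if (valid_array_reference_checked(lhs))
        printf("bind array element %s = %s\n", lhs, rhs);
    else
        printf("bind variable %s = %s\n", lhs, rhs);
    return 0;
}

/* End to end: resolve the operand, then bind the already-computed value (the
 * backtraces show rhs "-1" and "1" had been computed before the crash). */
int eval_and_bind(const char *expr, const char *rhs)
{
    char *lhs = resolve_lvalue(expr);         /* NULL for "--b[?]" and "++K[+]" */
    int rc = bind_int_variable_checked(lhs, rhs);
    free(lhs);
    return rc;
}

int main(void)
{
    /* The two operands from the report plus one well-formed reference. */
    eval_and_bind("--b[?]", "-1");
    eval_and_bind("++K[+]", "1");
    eval_and_bind("++K[3]", "1");
    return 0;
}
```

Compile with cc and run: the two operands from the report produce an error line on stderr and a -1 return, the well-formed one is bound. The check sits at the binding boundary rather than in the callers because, as the backtraces show, the same expression code is reached from more than one place (parameter transformation via ${var@P} in case 1, readline directory completion in case 2), so every string that ends up in expand_prompt_string is an input to it.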