Subject: AddressSanitizer: heap-buffer-overflow lib/readline/bind.c:437 in rl_translate_keyseq
From: Eduardo Bustamante
Date: Thu, 27 Apr 2017 07:02:25 -0500
dualbus@debian:~/src/gnu/bash$ xxd inputrc
00000000: 225c 432d 2230 3030 200a "\C-"000 .
# with ASAN
dualbus@debian:~/src/gnu/bash$ ./bash --noprofile --norc -ic 'bind -f inputrc'
=================================================================
==27315==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000009bb9 at pc 0x5628fdaa420b bp 0x7ffcde1bef40 sp
0x7ffcde1bef38
READ of size 1 at 0x602000009bb9 thread T0
#0 0x5628fdaa420a in rl_translate_keyseq
/home/dualbus/src/gnu/bash/lib/readline/bind.c:437
#1 0x5628fdaa2934 in rl_generic_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:347
#2 0x5628fdaa2520 in rl_bind_keyseq
/home/dualbus/src/gnu/bash/lib/readline/bind.c:251
#3 0x5628fdaa82ab in rl_parse_and_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:1405
#4 0x5628fdaa6103 in _rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:927
#5 0x5628fdaa5d4c in rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:870
#6 0x5628fda1901c in bind_builtin bind.def:248
#7 0x5628fd95272b in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4603
#8 0x5628fd954341 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5101
#9 0x5628fd951bc1 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4389
#10 0x5628fd93fac2 in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
#11 0x5628fda294ae in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
#12 0x5628fd90b121 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
#13 0x5628fd9095fa in main /home/dualbus/src/gnu/bash/shell.c:718
#14 0x7fc1396332b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#15 0x5628fd908469 in _start (/home/dualbus/src/gnu/bash/bash+0x7f469)
0x602000009bb9 is located 0 bytes to the right of 9-byte region
[0x602000009bb0,0x602000009bb9)
allocated by thread T0 here:
#0 0x7fc139ea0d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x5628fda18195 in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
#2 0x5628fdaa7e6f in rl_parse_and_bind
/home/dualbus/src/gnu/bash/lib/readline/bind.c:1372
#3 0x5628fdaa6103 in _rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:927
#4 0x5628fdaa5d4c in rl_read_init_file
/home/dualbus/src/gnu/bash/lib/readline/bind.c:870
#5 0x5628fda1901c in bind_builtin bind.def:248
#6 0x5628fd95272b in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4603
#7 0x5628fd954341 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5101
#8 0x5628fd951bc1 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4389
#9 0x5628fd93fac2 in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
#10 0x5628fda294ae in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
#11 0x5628fd90b121 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
#12 0x5628fd9095fa in main /home/dualbus/src/gnu/bash/shell.c:718
#13 0x7fc1396332b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dualbus/src/gnu/bash/lib/readline/bind.c:437 in
rl_translate_keyseq
Shadow bytes around the buggy address:
0x0c047fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9370: fa fa 07 fa fa fa 00[01]fa fa 00 fa fa fa 00 03
0x0c047fff9380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff93a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff93b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff93c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27315==ABORTING
# With Valgrind + without bash malloc
dualbus@debian:~/src/gnu/bash$ valgrind ./bash --noprofile --norc -ic
'bind -f inputrc'
==2112== Memcheck, a memory error detector
==2112== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2112== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==2112== Command: ./bash --noprofile --norc -ic bind\ -f\ inputrc
==2112==
==2112== Conditional jump or move depends on uninitialised value(s)
==2112== at 0x1EE229: rl_translate_keyseq (bind.c:437)
==2112== by 0x1ED979: rl_generic_bind (bind.c:347)
==2112== by 0x1ED767: rl_bind_keyseq (bind.c:251)
==2112== by 0x1EFB79: rl_parse_and_bind (bind.c:1405)
==2112== by 0x1EEE3F: _rl_read_init_file (bind.c:927)
==2112== by 0x1EECA8: rl_read_init_file (bind.c:870)
==2112== by 0x1AAE4B: bind_builtin (bind.def:248)
==2112== by 0x155FF0: execute_builtin (execute_cmd.c:4603)
==2112== by 0x156ECC: execute_builtin_or_function (execute_cmd.c:5101)
==2112== by 0x1558F6: execute_simple_command (execute_cmd.c:4389)
==2112== by 0x14F2AE: execute_command_internal (execute_cmd.c:811)
==2112== by 0x1B21E7: parse_and_execute (evalstring.c:430)
==2112==
==2112==
==2112== HEAP SUMMARY:
==2112== in use at exit: 226,535 bytes in 790 blocks
==2112== total heap usage: 1,519 allocs, 729 frees, 286,870 bytes allocated
==2112==
==2112== LEAK SUMMARY:
==2112== definitely lost: 0 bytes in 0 blocks
==2112== indirectly lost: 0 bytes in 0 blocks
==2112== possibly lost: 0 bytes in 0 blocks
==2112== still reachable: 226,535 bytes in 790 blocks
==2112== suppressed: 0 bytes in 0 blocks
==2112== Rerun with --leak-check=full to see details of leaked memory
==2112==
==2112== For counts of detected and suppressed errors, rerun with: -v
==2112== Use --track-origins=yes to see where uninitialised values come from
==2112== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
# With bash malloc
dualbus@debian:~/src/gnu/bash$ ./bash --noprofile --norc -ic 'bind -f inputrc'
malloc: unknown:0: assertion botched
malloc: 0x557ac4e2f948: allocated: last allocated from unknown:0
free: start and end chunk sizes differ
Aborting...Aborted
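The report gives the trigger (an inputrc line whose quoted key sequence is `\C-` with nothing after it) and the faulting function, but not the parsing code itself. The example below is added here and is not readline's rl_translate_keyseq nor code from the mail: it is a minimal key-sequence translator that takes an explicit (pointer, length) pair and treats a `\C-` prefix that runs into the end of the buffer as malformed input instead of reading past it. The assumption, suggested by the xxd dump and the read of size 1 just past a 9-byte region, is that the defect is exactly that kind of unchecked read after an escape prefix; the function names, the `-1` error convention and the supported escape set are this example's own, and the inputrc line is reconstructed from the xxd output in the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Translate a readline-style key sequence into raw bytes.
 * Added illustration, NOT readline's implementation. Supported escapes:
 *   \C-x  control character (x & 0x1f; '?' gives DEL 0x7f)
 *   \e    ESC;  \\ and \" are literals
 * Returns the number of output bytes, or -1 for malformed input.
 * Every read of seq[] is bounded by len; seq[len] is never touched. */
int translate_keyseq(const char *seq, size_t len, unsigned char *out, size_t outlen)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char c = (unsigned char)seq[i++];
        if (c == '\\') {
            if (i >= len)
                return -1;                  /* lone backslash at end of sequence */
            c = (unsigned char)seq[i++];
            if (c == 'C') {
                /* "\C-" needs both the '-' and the key byte: check both are present
                 * before reading either, so "\C-" at end of buffer is rejected. */
                if (i + 1 >= len || seq[i] != '-')
                    return -1;
                i++;                        /* skip '-' */
                unsigned char k = (unsigned char)seq[i++];
                c = (k == '?') ? 0x7f : (unsigned char)(k & 0x1f);
            } else if (c == 'e') {
                c = 0x1b;
            } else if (c != '\\' && c != '"') {
                return -1;                  /* unknown escape */
            }
        }
        if (n >= outlen)
            return -1;                      /* output buffer full */
        out[n++] = c;
    }
    return (int)n;
}

/* Locate the quoted key sequence in an inputrc-style line without copying it.
 * Returns 0 and sets *start/*seqlen on success, -1 if there is no closing quote. */
int extract_quoted(const char *line, size_t linelen, const char **start, size_t *seqlen)
{
    size_t i = 0;
    while (i < linelen && line[i] != '"')
        i++;
    if (i >= linelen)
        return -1;
    size_t begin = ++i;
    while (i < linelen && line[i] != '"') {
        if (line[i] == '\\')
            i++;                            /* skip the escaped byte; loop test re-bounds i */
        i++;
    }
    if (i >= linelen)
        return -1;                          /* unterminated quote */
    *start = line + begin;
    *seqlen = i - begin;
    return 0;
}

/* Convenience for tests: first translated byte, or -1 if the sequence is rejected. */
int translate_first_byte(const char *seq, size_t len)
{
    unsigned char out[32];
    int n = translate_keyseq(seq, len, out, sizeof out);
    return n > 0 ? (int)out[0] : -1;
}

/* Feed the report's inputrc line through both steps; returns translate_keyseq's result
 * (-2 if no quoted sequence was found). The line is reconstructed from the xxd dump. */
int demo_report_line(void)
{
    static const char line[] = "\"\\C-\"000 \n";   /* constructed from the report */
    const char *seq;
    size_t seqlen;
    unsigned char out[16];
    if (extract_quoted(line, sizeof line - 1, &seq, &seqlen) != 0)
        return -2;
    return translate_keyseq(seq, seqlen, out, sizeof out);
}

int main(void)
{
    int r = demo_report_line();
    printf("report's key sequence: %d (%s)\n", r,
           r < 0 ? "rejected as malformed" : "translated");
    return 0;
}
```

The point of the (pointer, length) interface is that the `\C-` branch can check `i + 1 >= len` before it dereferences anything; a translator that relies on a NUL terminator alone has to be sure the escape prefix cannot be the last thing before that terminator, which is precisely the input this report feeds it.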