Segmentation fault in restore_tilde (bashline.c)
From: Eduardo A . Bustamante López
Subject: Segmentation fault in restore_tilde (bashline.c)
Date: Sat, 22 Sep 2018 12:01:12 -0700
User-agent: Mutt/1.10.1 (2018-07-13)
Found via fuzzing (of `read -e') using AFL.
To reproduce:
In a shell with `emacs' readline mode, type:
~""""""""""""""""/<M><!>
e.g.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dualbus/src/gnu/bash/bash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
bash-5.0$ ~""""""""""""""""/
Program received signal SIGSEGV, Segmentation fault.
__memset_avx2_unaligned_erms () at
../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
206 ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file
or directory.
(gdb) bt
#0 __memset_avx2_unaligned_erms () at
../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:206
#1 0x000055555575518e in internal_malloc (n=18446744073709551609,
file=0x555555762db7 "bashline.c", line=3015, flags=1) at malloc.c:870
#2 0x00005555557568dc in sh_malloc (bytes=18446744073709551609,
file=0x555555762db7 "bashline.c", line=3015) at malloc.c:1302
#3 0x000055555569bf1f in sh_xmalloc (bytes=18446744073709551609,
file=0x555555762db7 "bashline.c", line=3015) at xmalloc.c:185
#4 0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt",
directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
#5 0x00005555556855fe in maybe_restore_tilde (val=0x555555990aa8 "~/.swt",
directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3031
#6 0x0000555555682940 in command_word_completion_function
(hint_text=0x555555990a88 "~", '\"' <repeats 16 times>, "/", state=0) at
bashline.c:2157
#7 0x0000555555718e12 in rl_completion_matches (text=0x555555990a88 "~", '\"'
<repeats 16 times>, "/", entry_function=0x555555680f3c
<command_word_completion_function>) at complete.c:2185
#8 0x0000555555714eb3 in gen_completion_matches (text=0x555555990a88 "~", '\"'
<repeats 16 times>, "/", start=0, end=18, our_func=0x555555680f3c
<command_word_completion_function>, found_quote=2, quote_char=0)
at complete.c:1228
#9 0x0000555555718352 in rl_complete_internal (what_to_do=9) at complete.c:2013
#10 0x0000555555688187 in bash_specific_completion (what_to_do=9,
generator=0x555555680f3c <command_word_completion_function>) at bashline.c:3812
#11 0x0000555555687a6c in bash_complete_command_internal (what_to_do=9) at
bashline.c:3690
#12 0x0000555555687958 in bash_complete_command (ignore=1, ignore2=33) at
bashline.c:3662
#13 0x0000555555704df2 in _rl_dispatch_subseq (key=33, map=0x5555557cec60
<emacs_meta_keymap>, got_subseq=0) at readline.c:852
#14 0x0000555555705793 in _rl_dispatch_subseq (key=27, map=0x5555557cdc40
<emacs_standard_keymap>, got_subseq=0) at readline.c:986
#15 0x00005555557049e5 in _rl_dispatch (key=1437245440, map=0x5555557cdc40
<emacs_standard_keymap>) at readline.c:798
#16 0x000055555570432d in readline_internal_char () at readline.c:632
#17 0x000055555570441a in readline_internal_charloop () at readline.c:659
#18 0x0000555555704470 in readline_internal () at readline.c:671
#19 0x000055555570374f in readline (prompt=0x55555598f3e8 "bash-5.0$ ") at
readline.c:377
#20 0x00005555555c5b2a in yy_readline_get () at ./parse.y:1476
#21 0x00005555555c5945 in yy_getc () at ./parse.y:1409
#22 0x00005555555c7648 in shell_getc (remove_quoted_newline=1) at ./parse.y:2334
#23 0x00005555555ca34c in read_token (command=0) at ./parse.y:3230
#24 0x00005555555c8e07 in yylex () at ./parse.y:2744
#25 0x00005555555bfef6 in yyparse () at y.tab.c:1823
#26 0x00005555555bf299 in parse_command () at eval.c:303
#27 0x00005555555bf4a9 in read_command () at eval.c:347
#28 0x00005555555bea6b in reader_loop () at eval.c:143
#29 0x00005555555ba3e7 in main (argc=1, argv=0x7fffffffe7d8,
env=0x7fffffffe7e8) at shell.c:805
(gdb) frame 4
#4 0x00005555556854f6 in restore_tilde (val=0x555555990aa8 "~/.swt",
directory_part=0x555555990ac8 "~", '\"' <repeats 16 times>) at bashline.c:3015
3015 ret = (char *)xmalloc (dl2 + 2 + l);
(gdb) p dl2
$3 = 1
(gdb) p l
$4 = -10
(gdb) p vl
$5 = 6
(gdb) p xl
$6 = 17
(gdb) p rl_line_buffer
$8 = 0x555555a40e08 '\337' <repeats 199 times>, <incomplete sequence \337>...
Due to the expansions performed in restore_tilde, xl ends up being larger than
vl, and thus, we end up requesting a negative amount of memory. I kind of
understand what the problem is, but I don't really know how to fix it.
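The size expression visible in frame #4, `xmalloc (dl2 + 2 + l)`, together with the printed values dl2 = 1 and l = -10, already accounts for the n=18446744073709551609 in frames #1 through #3: 1 + 2 - 10 = -7 as an int, and (size_t)-7 on a 64-bit build is exactly that number. The following C program, an added illustration and not code from bash or from the bug report, reproduces that conversion and shows the kind of guard that keeps a negative length from reaching the allocator. How bash derives l from vl and xl is not shown on the page and is not modelled here; the guard (checked_alloc_size, guarded_alloc) is an assumption about a reasonable fix, not bash's actual fix.

```c
/* Added example, not bash's code. Shows how the int expression
 * dl2 + 2 + l from the gdb session becomes a huge size_t at the
 * xmalloc call boundary, and one way to guard against it.
 * dl2 = 1 and l = -10 are the values printed in frame #4; how bash
 * computes l is not reproduced here (assumption-free: we take l as given). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the unguarded call: the signed int result is converted to
 * size_t when passed to an allocator. With dl2 = 1, l = -10 this is
 * (size_t)-7, i.e. 18446744073709551609 on a 64-bit build, the value
 * seen in frames #1 to #3 of the backtrace. */
size_t unchecked_alloc_size(int dl2, int l)
{
    return (size_t)(dl2 + 2 + l);
}

/* Hypothetical guard (not bash's fix): do the arithmetic in a wider
 * signed type, reject anything that is not strictly positive, and only
 * then convert to size_t. Returns 1 and stores the size in *out on
 * success, 0 if the length is invalid. */
int checked_alloc_size(int dl2, int l, size_t *out)
{
    long long n = (long long)dl2 + 2 + (long long)l;
    if (dl2 < 0 || n <= 0 || n > (long long)(SIZE_MAX / 2))
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Convenience wrapper: the checked size, or -1 when it is rejected. */
long long checked_alloc_size_or_neg(int dl2, int l)
{
    size_t n;
    return checked_alloc_size(dl2, l, &n) ? (long long)n : -1;
}

/* Allocate only after the guard passes; returns NULL instead of handing
 * a wrapped-around size to malloc. Caller frees the result. */
char *guarded_alloc(int dl2, int l)
{
    size_t n;
    if (!checked_alloc_size(dl2, l, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    int dl2 = 1, l = -10;            /* values from the gdb session above */
    size_t n;

    printf("raw int expression dl2 + 2 + l: %d\n", dl2 + 2 + l);
    printf("same expression as size_t:      %zu\n",
           unchecked_alloc_size(dl2, l));

    if (!checked_alloc_size(dl2, l, &n))
        printf("guarded: negative length rejected, no allocation made\n");

    char *p = guarded_alloc(dl2, 3);   /* a sane positive length */
    if (p) {
        printf("guarded: allocated %lld bytes\n",
               checked_alloc_size_or_neg(dl2, 3));
        free(p);
    }
    return 0;
}
```

Note that the crash on the page happens inside bash's own allocator (internal_malloc in malloc.c clears the block, so the memset runs off the end of memory) rather than at the xmalloc call; a plain libc malloc would more likely return NULL for a size this large, which is why the guard belongs at the point where the length is computed, not in the allocator.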