bug-readline

[Bug-readline] Null pointer dereference in _rl_copy_to_kill_ring


From: Clayton Smith
Subject: [Bug-readline] Null pointer dereference in _rl_copy_to_kill_ring
Date: Mon, 26 Jun 2017 13:53:21 -0400

The following keypresses seem to crash readline:

    0  Escape  0  Backspace  Ctrl-W

Typing those keystrokes into just about any program that uses readline (e.g. bash, gdb, python) causes a segfault. I've tested this on Ubuntu 14.04, 16.04 and 17.04. Also, I was able to reproduce a crash on OS X when I downloaded and built libreadline.

Steps to reproduce:

    git clone https://git.savannah.gnu.org/git/readline.git
    cd readline
    ./configure
    make
    cd examples
    make
    python3 -c 'print("\x30\x1b\x30\x7f\x17")' | ./rlbasic

Output:

    0Segmentation fault: 11

Debug:

    $ lldb ./rlbasic
    (lldb) target create "./rlbasic"
    Current executable set to './rlbasic' (x86_64).
    (lldb) run
    Process 92794 launched: './rlbasic' (x86_64)
    0Process 92794 stopped
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
        frame #0: 0x00007fffe566eb52 libsystem_c.dylib`strlen + 18
    libsystem_c.dylib`strlen:
    ->  0x7fffe566eb52 <+18>: pcmpeqb (%rdi), %xmm0
        0x7fffe566eb56 <+22>: pmovmskb %xmm0, %esi
        0x7fffe566eb5a <+26>: andq   $0xf, %rcx
        0x7fffe566eb5e <+30>: orq    $-0x1, %rax
    (lldb) bt
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
      * frame #0: 0x00007fffe566eb52 libsystem_c.dylib`strlen + 18
        frame #1: 0x0000000100019f02 rlbasic`_rl_copy_to_kill_ring(text=<unavailable>, append=<unavailable>) at kill.c:137 [opt]
        frame #2: 0x000000010001a347 rlbasic`rl_unix_word_rubout [inlined] rl_kill_text(from=<unavailable>) at kill.c:183 [opt]
        frame #3: 0x000000010001a318 rlbasic`rl_unix_word_rubout(count=<unavailable>, key=<unavailable>) at kill.c:338 [opt]
        frame #4: 0x0000000100002356 rlbasic`_rl_dispatch_subseq(key=23, map=0x000000010002c5c0, got_subseq=0) at readline.c:859 [opt]
        frame #5: 0x0000000100001d88 rlbasic`readline_internal_char [inlined] _rl_dispatch(key=<unavailable>, map=<unavailable>) at readline.c:802 [opt]
        frame #6: 0x0000000100001d77 rlbasic`readline_internal_char at readline.c:629 [opt]
        frame #7: 0x0000000100001645 rlbasic`readline [inlined] readline_internal_charloop at readline.c:656 [opt]
        frame #8: 0x000000010000162a rlbasic`readline [inlined] readline_internal at readline.c:670 [opt]
        frame #9: 0x0000000100001625 rlbasic`readline(prompt=<unavailable>) at readline.c:376 [opt]
        frame #10: 0x000000010000151e rlbasic`main(c=<unavailable>, v=<unavailable>) at rlbasic.c:20 [opt]
        frame #11: 0x00007fffe5638235 libdyld.dylib`start + 1
    (lldb) frame select 1
    rlbasic was compiled with optimization - stepping may behave oddly; variables may not be available.
    frame #1: 0x0000000100019f02 rlbasic`_rl_copy_to_kill_ring(text=<unavailable>, append=<unavailable>) at kill.c:137 [opt]
       134  if (_rl_last_command_was_kill && rl_editing_mode != vi_mode)
       135    {
       136      old = rl_kill_ring[slot];
    -> 137      new = (char *)xmalloc (1 + strlen (old) + strlen (text));
       138
       139      if (append)
       140 {
    (lldb) print old
    (char *) $0 = 0x0000000000000000


A HackerOne researcher (https://hackerone.com/ssarong) discovered this crash while fuzzing mruby. I did some further investigation and traced the problem to libreadline.

Regards,
Clayton Smith
Application Security Engineer, Shopify
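The lldb listing above shows the defect: when the previous command was a kill, `_rl_copy_to_kill_ring` reads `old = rl_kill_ring[slot]` and passes it straight to `strlen`, and `print old` shows that slot is NULL. The following is an added example, not code from the report or from readline itself: a small model of that append path with the slot treated as the empty string when it is NULL, so the same sequence of stores completes instead of faulting in `strlen`. The names `kill_ring`, `kill_ring_append`, `kill_ring_store` and `demo_null_slot_append` are assumptions for this model, and the NULL-tolerant join is one hardening option, not a claim about the upstream fix.

```c
/* Added example (not readline's code): models the kill-ring append branch
 * seen at kill.c:134-137 and hardens it against a NULL slot. Names below
 * are assumptions for this model, not readline identifiers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KILL_RING_SIZE 4

/* Constructed stand-ins for readline's globals. Slots start out NULL,
 * which is the state "print old" showed in the lldb session. */
static char *kill_ring[KILL_RING_SIZE];
static int kill_ring_slot = -1;
static int last_command_was_kill = 0;

/* strlen() that tolerates NULL; the call at kill.c:137 did not. */
static size_t safe_strlen(const char *s)
{
    return s ? strlen(s) : 0;
}

/* Portable strdup replacement so the example builds under strict C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Join the previous slot contents with the new text. A NULL old slot is
 * treated as "" rather than dereferenced. Caller frees the result. */
char *kill_ring_append(const char *old, const char *text, int append)
{
    const char *prev = old ? old : "";
    size_t old_len = safe_strlen(old);
    size_t text_len = strlen(text);
    char *joined = malloc(1 + old_len + text_len);
    if (joined == NULL)
        return NULL;
    if (append) {                      /* old followed by text */
        memcpy(joined, prev, old_len);
        memcpy(joined + old_len, text, text_len + 1);
    } else {                           /* text followed by old */
        memcpy(joined, text, text_len);
        memcpy(joined + text_len, prev, old_len + 1);
    }
    return joined;
}

/* Store killed text, merging with the current slot when the previous
 * command was also a kill (the branch at kill.c:134). Returns the slot
 * contents after the store, or NULL on allocation failure. */
const char *kill_ring_store(const char *text, int append)
{
    if (last_command_was_kill && kill_ring_slot >= 0) {
        char *old = kill_ring[kill_ring_slot];   /* may legitimately be NULL */
        char *joined = kill_ring_append(old, text, append);
        if (joined == NULL)
            return NULL;
        free(old);
        kill_ring[kill_ring_slot] = joined;
    } else {
        kill_ring_slot = (kill_ring_slot + 1) % KILL_RING_SIZE;
        free(kill_ring[kill_ring_slot]);
        kill_ring[kill_ring_slot] = dup_string(text);
    }
    last_command_was_kill = 1;
    return kill_ring[kill_ring_slot];
}

/* Reproduce the reported state: a slot is selected and the last command
 * was a kill, but the slot itself is still NULL. Returns the merged text. */
const char *demo_null_slot_append(void)
{
    kill_ring_slot = 0;
    free(kill_ring[0]);
    kill_ring[0] = NULL;
    last_command_was_kill = 1;
    return kill_ring_store("word", 1);
}

int main(void)
{
    printf("merged into NULL slot: \"%s\"\n", demo_null_slot_append());
    printf("after prepend: \"%s\"\n", kill_ring_store("foo ", 0));
    return 0;
}
```

The check that matters is in `kill_ring_append`: both `strlen` and `memcpy` receive a non-NULL pointer whatever the slot holds, so an empty slot reached through the "last command was kill" branch yields the new text alone rather than a fault at address 0.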
