bug-readline

Re: use-after-free in rl_display_match_list


From: Grisha Levit
Subject: Re: use-after-free in rl_display_match_list
Date: Wed, 22 Mar 2023 15:24:51 -0400

On Wed, Mar 22, 2023 at 3:11 PM Chet Ramey <chet.ramey@case.edu> wrote:
>
> I can't reproduce it with bash and command completion (that's the easiest
> way to get more possible completions than the completion-query-items
> limit) or filename completion on /usr/bin. This is on RHEL 9 without any
> completions installed. It jumps back to PS1.

On a terminal that's not too tall:

cat >/tmp/irc <<EOF
set completion-display-width 0
set completion-query-items 1
set prefer-visible-bell on
EOF

INPUTRC=/tmp/irc timeout -s INT 0.1 bash-debug --norc -in <<<$'$\e?y_'

ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa9801198
at pc 0xaaaadfc46f70 bp 0xffffdf0cac90 sp 0xffffdf0cac88
READ of size 8 at 0xffffa9801198 thread T0
    #0 0xaaaadfc46f6c in rl_display_match_list lib/readline/complete.c:1604:23
    #1 0xaaaadfc4f40c in display_matches lib/readline/complete.c:1748:3
    #2 0xaaaadfc44160 in rl_complete_internal lib/readline/complete.c:2163:7
    #3 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
    #4 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
    #5 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
    #6 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
    #7 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
    #8 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
    #9 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
    #10 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
    #11 0xaaaadf730618 in yy_readline_get parse.y:1564:31
    #12 0xaaaadf749fe4 in yy_getc parse.y:1501:10
    #13 0xaaaadf74c298 in shell_getc parse.y:2396:8
    #14 0xaaaadf7474f8 in read_token parse.y:3425:23
    #15 0xaaaadf72dfcc in yylex parse.y:2915:19
    #16 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
    #17 0xaaaadf7078c0 in parse_command eval.c:345:7
    #18 0xaaaadf706b34 in read_command eval.c:389:12
    #19 0xaaaadf705dd8 in reader_loop eval.c:139:11
    #20 0xaaaadf6f9b5c in main shell.c:821:3
    #21 0xffffae7473f8 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0xffffae7474c8 in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0xaaaadf648a2c in _start (/home/parallels/bld/bash-debug/bash+0x2c8a2c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)

0xffffa9801198 is located 536 bytes inside of 584-byte region [0xffffa9800f80,0xffffa98011c8)
freed by thread T0 here:
    #0 0xaaaadf6bf94c in free (/home/parallels/bld/bash-debug/bash+0x33f94c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
    #1 0xaaaadfa9f258 in xfree xmalloc.c:144:5
    #2 0xaaaadfc4acc0 in _rl_free_match_list lib/readline/complete.c:1973:3
    #3 0xaaaadfc51600 in _rl_complete_sigcleanup lib/readline/complete.c:506:7
    #4 0xaaaadfcd9370 in _rl_handle_signal lib/readline/signals.c:196:7
    #5 0xaaaadfcd9198 in _rl_signal_handler lib/readline/signals.c:149:5
    #6 0xaaaadfcee9b4 in rl_getc lib/readline/input.c:832:7
    #7 0xaaaadfcf3e24 in rl_read_key lib/readline/input.c:806:10
    #8 0xaaaadfc5af28 in get_y_or_n lib/readline/complete.c:547:11
    #9 0xaaaadfc4a940 in _rl_internal_pager lib/readline/complete.c:571:7
    #10 0xaaaadfc47598 in rl_display_match_list lib/readline/complete.c:1632:16
    #11 0xaaaadfc4f40c in display_matches lib/readline/complete.c:1748:3
    #12 0xaaaadfc44160 in rl_complete_internal lib/readline/complete.c:2163:7
    #13 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
    #14 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
    #15 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
    #16 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
    #17 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
    #18 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
    #19 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
    #20 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
    #21 0xaaaadf730618 in yy_readline_get parse.y:1564:31
    #22 0xaaaadf749fe4 in yy_getc parse.y:1501:10
    #23 0xaaaadf74c298 in shell_getc parse.y:2396:8
    #24 0xaaaadf7474f8 in read_token parse.y:3425:23
    #25 0xaaaadf72dfcc in yylex parse.y:2915:19
    #26 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
    #27 0xaaaadf7078c0 in parse_command eval.c:345:7
    #28 0xaaaadf706b34 in read_command eval.c:389:12
    #29 0xaaaadf705dd8 in reader_loop eval.c:139:11

previously allocated by thread T0 here:
    #0 0xaaaadf6bfbe0 in __interceptor_malloc (/home/parallels/bld/bash-debug/bash+0x33fbe0) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)
    #1 0xaaaadfa9f130 in xmalloc xmalloc.c:111:10
    #2 0xaaaadfc5be34 in remove_duplicate_matches lib/readline/complete.c:1288:25
    #3 0xaaaadfc4d090 in postprocess_matches lib/readline/complete.c:1471:22
    #4 0xaaaadfc42074 in rl_complete_internal lib/readline/complete.c:2079:7
    #5 0xaaaadfc44578 in rl_possible_completions lib/readline/complete.c:459:11
    #6 0xaaaadfc08278 in _rl_dispatch_subseq lib/readline/readline.c:922:8
    #7 0xaaaadfc0a4a0 in _rl_dispatch_subseq lib/readline/readline.c:1068:8
    #8 0xaaaadfc05edc in _rl_dispatch lib/readline/readline.c:866:10
    #9 0xaaaadfc0574c in readline_internal_char lib/readline/readline.c:680:11
    #10 0xaaaadfc0fd44 in readline_internal_charloop lib/readline/readline.c:727:11
    #11 0xaaaadfc04754 in readline_internal lib/readline/readline.c:739:18
    #12 0xaaaadfc045b0 in readline lib/readline/readline.c:387:11
    #13 0xaaaadf730618 in yy_readline_get parse.y:1564:31
    #14 0xaaaadf749fe4 in yy_getc parse.y:1501:10
    #15 0xaaaadf74c298 in shell_getc parse.y:2396:8
    #16 0xaaaadf7474f8 in read_token parse.y:3425:23
    #17 0xaaaadf72dfcc in yylex parse.y:2915:19
    #18 0xaaaadf709780 in yyparse /home/parallels/bld/bash-debug/y.tab.c:1869:16
    #19 0xaaaadf7078c0 in parse_command eval.c:345:7
    #20 0xaaaadf706b34 in read_command eval.c:389:12
    #21 0xaaaadf705dd8 in reader_loop eval.c:139:11
    #22 0xaaaadf6f9b5c in main shell.c:821:3
    #23 0xffffae7473f8 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0xffffae7474c8 in __libc_start_main csu/../csu/libc-start.c:392:3
    #25 0xaaaadf648a2c in _start (/home/parallels/bld/bash-debug/bash+0x2c8a2c) (BuildId: 7a7e7161ae1d372574b0356a380f758f66d5f3c4)



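The two stacks in the report show the shape of the bug: rl_display_match_list is paging through the match list (complete.c:1632 -> _rl_internal_pager -> get_y_or_n -> rl_read_key), SIGINT from `timeout -s INT` lands while rl_getc is blocked, readline runs the handler synchronously from inside rl_getc, _rl_complete_sigcleanup frees the match list, and then rl_display_match_list resumes its loop and reads the list at complete.c:1604. The following is an added example, not readline or bash code, that models that sequence in a few dozen lines: a display loop with a pager, a simulated SIGINT delivered at the pager prompt, a handler that either frees the list (the reported shape) or only records the signal, and a loop that either ignores the signal or re-checks it before touching the list again. All names (match_list, pager_prompt, display_match_list, run_scenario, PAGE_LINES) and the six-word match list are invented here; the free is simulated with a "freed" flag and a checked accessor so the program runs cleanly without ASan.

```c
/* Added example modelling the rl_display_match_list UAF; not readline code.
 * The free is simulated (freed flag + checked accessor) so reads after the
 * "free" are counted rather than being undefined behaviour. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_LINES 2   /* constructed: short terminal, pager prompt every 2 lines */

struct match_list {
    char **items;
    int count;
    int freed;         /* set by free_matches() instead of really freeing */
};

static struct match_list *current_matches;  /* global, as readline's list is */
static volatile sig_atomic_t sig_pending;   /* all a handler should do: flag */
static int uaf_reads;                       /* reads that hit a "freed" list */

static struct match_list *make_matches(const char *const *words, int n)
{
    struct match_list *m = calloc(1, sizeof *m);
    m->items = calloc((size_t)n, sizeof *m->items);
    m->count = n;
    for (int i = 0; i < n; i++)
        m->items[i] = strdup(words[i]);
    return m;
}

static void free_matches(struct match_list *m)   /* stands in for _rl_free_match_list */
{
    if (m == NULL || m->freed) return;
    for (int i = 0; i < m->count; i++) free(m->items[i]);
    free(m->items);
    m->items = NULL;
    m->freed = 1;
}

static const char *match_at(struct match_list *m, int i)   /* checked matches[i] */
{
    if (m->freed) { uaf_reads++; return "<freed>"; }
    return m->items[i];
}

/* Handler as dispatched from inside rl_getc(). free_in_handler=1 is the
 * reported shape (_rl_complete_sigcleanup freeing the list the caller walks). */
static void sigint_handler(int free_in_handler)
{
    sig_pending = 1;
    if (free_in_handler)
        free_matches(current_matches);
}

/* Stands in for get_y_or_n()/rl_read_key(): blocks for a key; a SIGINT that
 * arrives while blocked runs the handler before this returns. -1 = aborted. */
static int pager_prompt(int deliver_sigint, int free_in_handler)
{
    if (deliver_sigint) { sigint_handler(free_in_handler); return -1; }
    return 0;   /* user answered 'y' */
}

/* Returns matches printed, or -1 if interrupted. check_after_pager=1 is the
 * safe shape: re-check the signal after every blocking call, return without
 * touching m, and leave freeing to the owner after this function returns. */
static int display_match_list(struct match_list *m, int sigint_at_line,
                              int free_in_handler, int check_after_pager)
{
    int printed = 0;
    for (int i = 0; i < m->count; i++) {
        if (printed > 0 && printed % PAGE_LINES == 0) {
            int rc = pager_prompt(sigint_at_line == printed, free_in_handler);
            if (check_after_pager && (rc < 0 || sig_pending))
                return -1;
            /* buggy shape: fall through and keep walking m */
        }
        printf("%s\n", match_at(m, i));   /* the read at complete.c:1604 */
        printed++;
    }
    return printed;
}

/* Runs one scenario; returns how many reads hit freed memory (0 is the goal). */
static int run_scenario(int free_in_handler, int check_after_pager)
{
    static const char *const words[] = {"alpha", "beta", "gamma", "delta", "eps", "zeta"};
    current_matches = make_matches(words, 6);
    sig_pending = 0;
    uaf_reads = 0;
    int shown = display_match_list(current_matches, 2, free_in_handler, check_after_pager);
    free_matches(current_matches);   /* owner's cleanup; no-op if already freed */
    free(current_matches);
    current_matches = NULL;
    printf("shown=%d freed-reads=%d\n", shown, uaf_reads);
    return uaf_reads;
}

int main(void)
{
    run_scenario(1, 0);   /* as reported: handler frees, loop keeps reading */
    run_scenario(0, 1);   /* hardened: handler only flags, loop bails out */
    return 0;
}
```

With the reported shape the loop reads the list four more times after the pager "freed" it; with the handler reduced to setting a flag and the loop checking that flag after the blocking call, no read touches freed memory and the list is released exactly once, by the code that allocated it. The same discipline (handler records, owner acts) is what makes cleanup async-signal-safe in general, not just in this pager.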