Hi Chet,

On Fri, 10 Jul 2015 14:23:25 -0400 Chet Ramey <chet.ra...@case.edu> wrote:

> > To reproduce:
> > a) compile bash with CFLAGS="-fsanitize=address -g"
> > b) type in a=/ a
> > c) go back with the cursor behind the backslash and press tab
>
> Thanks for the report. I've attached a patch that should address the
> problem. It's not in bash-4.4-alpha.

Can confirm the patch fixes the issue. However, in 4.4 alpha I still get an
asan error. However, the stack trace is different.

Here's the asan message on 4.4 alpha:

==5999==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d6f at pc 0x5ca2b8 bp 0x7fffc9d75240 sp 0x7fffc9d75230
READ of size 1 at 0x602000002d6f thread T0
    #0 0x5ca2b7 in printable_part /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738
    #1 0x5ce776 in rl_display_match_list /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1571
    #2 0x5cf358 in display_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1753
    #3 0x5d1448 in rl_complete_internal /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:2124
    #4 0x5c986a in rl_complete /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:431
    #5 0x5b7457 in _rl_dispatch_subseq /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:860
    #6 0x5b7032 in _rl_dispatch /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:803
    #7 0x5b683d in readline_internal_char /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:630
    #8 0x5b68cd in readline_internal_charloop /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:657
    #9 0x5b68f6 in readline_internal /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:671
    #10 0x5b5f1e in readline /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:376
    #11 0x42ea53 in yy_readline_get /usr/homes/chet/src/bash/src/parse.y:1452
    #12 0x42e8ff in yy_getc /usr/homes/chet/src/bash/src/parse.y:1386
    #13 0x430c31 in shell_getc /usr/homes/chet/src/bash/src/parse.y:2288
    #14 0x433468 in read_token /usr/homes/chet/src/bash/src/parse.y:3080
    #15 0x432144 in yylex /usr/homes/chet/src/bash/src/parse.y:2662
    #16 0x4270b1 in yyparse /mnt/ram/bash-4.4-alpha/y.tab.c:1830
    #17 0x426117 in parse_command /mnt/ram/bash-4.4-alpha/eval.c:241
    #18 0x426358 in read_command /mnt/ram/bash-4.4-alpha/eval.c:285
    #19 0x425921 in reader_loop /mnt/ram/bash-4.4-alpha/eval.c:148
    #20 0x420bdf in main /mnt/ram/bash-4.4-alpha/shell.c:760
    #21 0x7feffcaebf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #22 0x41f948 (/mnt/ram/bash-4.4-alpha/bash+0x41f948)

0x602000002d6f is located 1 bytes to the left of 2-byte region [0x602000002d70,0x602000002d72)
allocated by thread T0 here:
    #0 0x7feffd31b787 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57787)
    #1 0x52f7c1 in xmalloc /mnt/ram/bash-4.4-alpha/xmalloc.c:112
    #2 0x5cc9bf in remove_duplicate_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1266
    #3 0x5ce21b in postprocess_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1485
    #4 0x5d0dcb in rl_complete_internal /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:2053
    #5 0x5c986a in rl_complete /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:431
    #6 0x5b7457 in _rl_dispatch_subseq /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:860
    #7 0x5b7032 in _rl_dispatch /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:803
    #8 0x5b683d in readline_internal_char /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:630
    #9 0x5b68cd in readline_internal_charloop /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:657
    #10 0x5b68f6 in readline_internal /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:671
    #11 0x5b5f1e in readline /mnt/ram/bash-4.4-alpha/lib/readline/readline.c:376
    #12 0x42ea53 in yy_readline_get /usr/homes/chet/src/bash/src/parse.y:1452
    #13 0x42e8ff in yy_getc /usr/homes/chet/src/bash/src/parse.y:1386
    #14 0x430c31 in shell_getc /usr/homes/chet/src/bash/src/parse.y:2288
    #15 0x433468 in read_token /usr/homes/chet/src/bash/src/parse.y:3080
    #16 0x432144 in yylex /usr/homes/chet/src/bash/src/parse.y:2662
    #17 0x4270b1 in yyparse /mnt/ram/bash-4.4-alpha/y.tab.c:1830
    #18 0x426117 in parse_command /mnt/ram/bash-4.4-alpha/eval.c:241
    #19 0x426358 in read_command /mnt/ram/bash-4.4-alpha/eval.c:285
    #20 0x425921 in reader_loop /mnt/ram/bash-4.4-alpha/eval.c:148
    #21 0x420bdf in main /mnt/ram/bash-4.4-alpha/shell.c:760
    #22 0x7feffcaebf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738 printable_part
Shadow bytes around the buggy address:
  0x0c047fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]02 fa
  0x0c047fff85b0: fa fa fd fa fa fa 07 fa fa fa 06 fa fa fa 00 05
  0x0c047fff85c0: fa fa 06 fa fa fa 06 fa fa fa 06 fa fa fa 06 fa
  0x0c047fff85d0: fa fa 06 fa fa fa 00 fa fa fa 06 fa fa fa 07 fa
  0x0c047fff85e0: fa fa 07 fa fa fa 07 fa fa fa 06 fa fa fa 07 fa
  0x0c047fff85f0: fa fa 00 fa fa fa 06 fa fa fa 06 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==5999==ABORTING

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
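A triage helper for reports like the one in this message, added here as an example and not part of the original thread or of bash/readline: it parses an ASan report (a constructed, abridged copy of the one above), extracts the access, the faulting frame and the frame that owns the allocation, and computes the byte offset of the faulting address inside the region, cross-checking ASan's "N bytes to the left/right" wording against the raw addresses so an off-by-one read before a buffer is classified as an underflow rather than an overrun.

```python
import re

# Constructed sample: an abridged copy of the bash-4.4-alpha ASan report in the message above.
SAMPLE_REPORT = """\
==5999==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d6f at pc 0x5ca2b8
READ of size 1 at 0x602000002d6f thread T0
    #0 0x5ca2b7 in printable_part /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738
    #1 0x5ce776 in rl_display_match_list /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1571
0x602000002d6f is located 1 bytes to the left of 2-byte region [0x602000002d70,0x602000002d72)
allocated by thread T0 here:
    #0 0x7feffd31b787 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57787)
    #1 0x52f7c1 in xmalloc /mnt/ram/bash-4.4-alpha/xmalloc.c:112
    #2 0x5cc9bf in remove_duplicate_matches /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:1266
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/bash-4.4-alpha/lib/readline/complete.c:738 printable_part
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.+)$", re.M)
# Allocator wrappers are skipped when looking for the code that owns the buffer (bash uses xmalloc).
ALLOCATORS = {"malloc", "xmalloc", "realloc", "xrealloc", "calloc", "free", "xfree"}

def split_location(loc):
    # "file.c:738" -> ("file.c", 738); a shared-object "(lib+0xoff)" location has no line number.
    m = re.match(r"^(.+):(\d+)$", loc)
    return (m.group(1), int(m.group(2))) if m else (loc, None)

def triage(report):
    """Extract the facts a maintainer needs first from a heap-buffer-overflow report."""
    bug, addr = ERROR_RE.search(report).groups()
    access, size = ACCESS_RE.search(report).groups()
    head, _, alloc = report.partition("allocated by thread")   # fault stack vs. allocation stack
    fault_frames = FRAME_RE.findall(head)
    alloc_frames = FRAME_RE.findall(alloc)
    dist, side, region, start, end = REGION_RE.search(report).groups()
    # Signed byte offset of the faulting address relative to the start of the allocation.
    offset = int(addr, 16) - int(start, 16)
    # Cross-check ASan's "N bytes to the left/right" wording against the raw addresses.
    expected = -int(dist) if side == "left" else int(region) + int(dist)
    kind = ("underflow: access before start of allocation" if offset < 0
            else "overflow: access past end of allocation")
    owner = next((f for f in alloc_frames if f[0] not in ALLOCATORS), alloc_frames[-1])
    return {
        "bug": bug, "access": access, "size": int(size), "region_size": int(region),
        "offset": offset, "consistent": offset == expected, "kind": kind,
        "fault": (fault_frames[0][0],) + split_location(fault_frames[0][1]),
        "owner": (owner[0],) + split_location(owner[1]),
    }
```

Running `triage(SAMPLE_REPORT)` reports a 1-byte READ at offset -1 of a 2-byte region, i.e. one byte before the buffer that `remove_duplicate_matches` allocated, which is what the first trace's `printable_part` frame is doing.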