While fuzzing bash 4.4.0(1)-beta compiled from the devel branch, I found a 'script' that causes a segfault. The attached also crashes bash 4.2.37(1)-release. The file is 1012B in size and I was unable to minimize it any further using the afl-tmin tool that comes with the AFL fuzzer.
Starting program: /home/geeknik/bash/bash test00

Program received signal SIGSEGV, Segmentation fault.
0x00000000005643a5 in extract_delimited_string () at subst.c:1291
1291        c = string[i];
(gdb) bt
#0  0x00000000005643a5 in extract_delimited_string () at subst.c:1291
#1  0x0000000000562f53 in skip_matched_pair.constprop.27 () at subst.c:1702
#2  0x00000000005635cc in string_extract.constprop.26 () at subst.c:1724
#3  0x0000000000596424 in parameter_brace_expand () at subst.c:7604
#4  0x00000000005a1eec in param_expand () at subst.c:8384
#5  0x00000000005a94a7 in expand_word_internal () at subst.c:8936
#6  0x00000000005b2b94 in expand_string_assignment () at subst.c:3348
#7  0x00000000005b4585 in do_assignment_internal () at subst.c:3139
#8  0x00000000005c8712 in expand_word_list_internal () at subst.c:2956
#9  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#10 0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#11 0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#12 0x00000000004317e0 in reader_loop ()
#13 0x0000000000429bdb in main () at shell.c:767

==47296== Command: /home/geeknik/bash/bash test00
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==
==47296== Conditional jump or move depends on uninitialised value(s)
==47296==    at 0x5643B0: extract_delimited_string (subst.c:1293)
==47296==    by 0x564FF0: extract_delimited_string (subst.c:1350)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==
==47296== Invalid read of size 1
==47296==    at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296==  Address 0x423c000 is not stack'd, malloc'd or (recently) free'd
==47296==
==47296==
==47296== Process terminating with default action of signal 11 (SIGSEGV)
==47296==  Access not within mapped region at address 0x423C000
==47296==    at 0x5643A5: extract_delimited_string (subst.c:1291)
==47296==    by 0x562F52: skip_matched_pair.constprop.27 (subst.c:1702)
==47296==    by 0x5635CB: skipsubscript (subst.c:1724)
==47296==    by 0x5635CB: string_extract.constprop.26 (subst.c:779)
==47296==    by 0x596423: parameter_brace_expand (subst.c:7604)
==47296==    by 0x5A1EEB: param_expand (subst.c:8384)
==47296==    by 0x5A94A6: expand_word_internal (subst.c:8936)
==47296==    by 0x5B2B93: call_expand_word_internal (subst.c:3348)
==47296==    by 0x5B2B93: expand_string_assignment (subst.c:3436)
==47296==    by 0x5B4584: expand_string_if_necessary (subst.c:3139)
==47296==    by 0x5B4584: do_assignment_internal (subst.c:2867)
==47296==    by 0x5C8711: do_word_assignment (subst.c:2956)
==47296==    by 0x5C8711: expand_word_list_internal (subst.c:10267)
==47296==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==47296==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==47296==    by 0x4BCF1C: execute_command (execute_cmd.c:416)
==47296==  If you believe this happened as a result of a stack
==47296==  overflow in your program's main thread (unlikely but
==47296==  possible), you can try to increase the size of the
==47296==  main thread stack using the --main-stacksize= flag.
==47296==  The main thread stack size used in this run was 8388608.
==47296==
==47296== HEAP SUMMARY:
==47296==     in use at exit: 0 bytes in 0 blocks
==47296==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==47296==
==47296== All heap blocks were freed -- no leaks are possible
==47296==
==47296== For counts of detected and suppressed errors, rerun with: -v
==47296== Use --track-origins=yes to see where uninitialised values come from
==47296== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 2 from 2)
Segmentation fault

Regards,
Brian 'geeknik' Carpenter
Attachment: test00 (binary data)
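The crash site in the trace is a one-byte read (`c = string[i]` in extract_delimited_string) reached through skipsubscript and skip_matched_pair, that is, while scanning for the closing delimiter of a `${name[subscript]}` expansion, and Valgrind reports the faulting address as belonging to no mapped region. The following is an added illustration of that bug class, written for this page; it is not bash's code and not the contents of the attached test00, and whether it matches the actual root cause of this crash is not established by the report. It pairs a naive delimiter-matching scanner, which has no end-of-string check before each read and so walks past the terminating NUL when the closing bracket never arrives, with a bounded version that reports the unterminated subscript instead. All function names and the sample inputs are made up for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; NOT bash's code and NOT the attached test00. It models
 * the bug class the trace points at: a scanner for a delimited substring
 * (like bash's skip_matched_pair walking the subscript of
 * "${name[subscript]}") fed a string whose closing delimiter never
 * arrives. Function names here are hypothetical. */

/* Naive scanner: advances until the matching close delimiter is found,
 * with no end-of-string check before each read (compare gdb's
 * "1291  c = string[i]"). On input that ends before the close delimiter,
 * i walks past the terminating NUL into whatever follows the buffer,
 * which is the shape of Valgrind's "Invalid read of size 1 ... Address
 * ... is not stack'd, malloc'd or (recently) free'd". Kept only for
 * comparison: never call it on input that may be unterminated. */
long skip_pair_naive(const char *s, long start, char open, char close)
{
    long i = start + 1;
    int depth = 1;
    for (;;) {
        char c = s[i];                      /* no check for c == '\0' */
        if (c == '\\') { i += 2; continue; } /* skip the escaped byte */
        if (c == open) depth++;
        else if (c == close && --depth == 0) return i;
        i++;
    }
}

/* Bounded scanner: same matching rules (nesting, backslash escapes), but
 * every read is preceded by an end-of-string check. Returns the index of
 * the matching close delimiter, or -1 when the input ends first, when a
 * trailing backslash has nothing to escape, or when s[start] is not the
 * open delimiter. */
long skip_pair_bounded(const char *s, long start, char open, char close)
{
    if (s == NULL || start < 0 || s[start] != open) return -1;
    long i = start + 1;
    int depth = 1;
    for (;;) {
        char c = s[i];
        if (c == '\0') return -1;            /* unterminated: stop here */
        if (c == '\\') {
            if (s[i + 1] == '\0') return -1; /* dangling escape at end */
            i += 2;
            continue;
        }
        if (c == open) depth++;
        else if (c == close && --depth == 0) return i;
        i++;
    }
}

/* Copies the text between the first '[' in s and its matching ']' into
 * out (NUL-terminated). Returns the subscript length, or -1 if there is
 * no subscript, it is unterminated, or out is too small. */
long extract_subscript(const char *s, char *out, size_t outlen)
{
    const char *lb = strchr(s, '[');
    if (lb == NULL) return -1;
    long start = lb - s;
    long end = skip_pair_bounded(s, start, '[', ']');
    if (end < 0) return -1;
    size_t len = (size_t)(end - start - 1);
    if (len + 1 > outlen) return -1;
    memcpy(out, s + start + 1, len);
    out[len] = '\0';
    return (long)len;
}

/* Convenience check: 1 if s has a well-formed first subscript equal to
 * expect, 0 otherwise (including the unterminated case). */
int subscript_equals(const char *s, const char *expect)
{
    char buf[64];
    return extract_subscript(s, buf, sizeof buf) >= 0
        && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one cut off before its ']'. */
    const char *good = "arr[idx[0]]";
    const char *bad  = "arr[idx[0]";
    char buf[64];

    printf("naive   good: %ld\n", skip_pair_naive(good, 3, '[', ']'));
    printf("bounded good: %ld\n", skip_pair_bounded(good, 3, '[', ']'));
    printf("bounded bad:  %ld\n", skip_pair_bounded(bad, 3, '[', ']'));
    if (extract_subscript(good, buf, sizeof buf) >= 0)
        printf("subscript: \"%s\"\n", buf);
    if (extract_subscript(bad, buf, sizeof buf) < 0)
        printf("bad: unterminated subscript rejected\n");
    /* skip_pair_naive(bad, ...) is deliberately not called: it would read
     * past the end of the string literal. */
    return 0;
}
```

Running the naive scanner on the truncated input under Valgrind or ASan is the quickest way to see the same "invalid read of size 1" shape as in the report; the bounded scanner turns that read into a -1 the caller can report as a syntax error.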