<<0 r["$(<<0)"] triggers a null ptr deref and segfault in bash 4.2.37(1)-release, 4.3.30(1)-release and 4.3.42(1)-release. This bug was found with American Fuzzy Lop.
valgrind -q ~/bash/bash test00
test00: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `0')
test00: line 1: make_here_document: bad instruction type -808464433
==4137== Invalid read of size 1
==4137==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==4137==    by 0x47C237: cprintf (print_cmd.c:1508)
==4137==    by 0x48143F: print_heredoc_header (print_cmd.c:1090)
==4137==    by 0x47F8D3: print_redirection (print_cmd.c:1162)
==4137==    by 0x47E5FF: print_heredocs (print_cmd.c:970)
==4137==    by 0x47E5FF: print_redirection_list (print_cmd.c:1062)
==4137==    by 0x47DCBC: print_simple_command (print_cmd.c:957)
==4137==    by 0x48FF25: execute_simple_command (execute_cmd.c:3892)
==4137==    by 0x48FF25: execute_command_internal (execute_cmd.c:788)
==4137==    by 0x4879B4: execute_command (execute_cmd.c:390)
==4137==    by 0x42C9B2: reader_loop (eval.c:160)
==4137==    by 0x429382: main (shell.c:756)
==4137==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4137==
==4137==
==4137== Process terminating with default action of signal 11 (SIGSEGV)
==4137==  Access not within mapped region at address 0x0
==4137==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==4137==    by 0x47C237: cprintf (print_cmd.c:1508)
==4137==    by 0x48143F: print_heredoc_header (print_cmd.c:1090)
==4137==    by 0x47F8D3: print_redirection (print_cmd.c:1162)
==4137==    by 0x47E5FF: print_heredocs (print_cmd.c:970)
==4137==    by 0x47E5FF: print_redirection_list (print_cmd.c:1062)
==4137==    by 0x47DCBC: print_simple_command (print_cmd.c:957)
==4137==    by 0x48FF25: execute_simple_command (execute_cmd.c:3892)
==4137==    by 0x48FF25: execute_command_internal (execute_cmd.c:788)
==4137==    by 0x4879B4: execute_command (execute_cmd.c:390)
==4137==    by 0x42C9B2: reader_loop (eval.c:160)
==4137==    by 0x429382: main (shell.c:756)
==4137==  If you believe this happened as a result of a stack
==4137==  overflow in your program's main thread (unlikely but
==4137==  possible), you can try to increase the size of the
==4137==  main thread stack using the --main-stacksize= flag.
==4137==  The main thread stack size used in this run was 8388608.
Segmentation fault

Starting program: /home/geeknik/bash/bash test00
test00: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `0')
test00: line 1: make_here_document: bad instruction type -808464433

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000000000047c238 in cprintf (control=<optimized out>) at print_cmd.c:1508
#2  0x0000000000481440 in print_heredoc_header (redirect=<optimized out>) at print_cmd.c:1090
#3  0x000000000047f8d4 in print_redirection (redirect=0x9c1808) at print_cmd.c:1162
#4  0x000000000047e600 in print_heredocs (heredocs=<optimized out>) at print_cmd.c:970
#5  print_redirection_list (redirects=<optimized out>) at print_cmd.c:1062
#6  0x000000000047dcbd in print_simple_command (simple_command=0x9c1288) at print_cmd.c:957
#7  0x000000000048ff26 in execute_simple_command (simple_command=0x9c1288, pipe_in=<optimized out>, pipe_out=<optimized out>, async=<optimized out>, fds_to_close=<optimized out>) at execute_cmd.c:3892
#8  execute_command_internal (command=0x9c1248, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x9c1768) at execute_cmd.c:788
#9  0x00000000004879b5 in execute_command (command=0x0) at execute_cmd.c:390
#10 0x000000000042c9b3 in reader_loop () at eval.c:160
#11 0x0000000000429383 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at shell.c:756

Regards,
Brian 'geeknik' Carpenter
https://twitter.com/geeknik