Hi,

we recently found an invalid memory access while parsing and executing fuzzed
bash code in GNU Bash 4.4.0 (bash-20160826 snapshot, found in
http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=79eedac429c5112ae65a430674de5e4be1cd5444).
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations
could be affected. To reproduce it, compilation with Address Sanitizer is
required:

  $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g -ggdb" LDFLAGS="-fsanitize=address"
  $ make

Technical details about the issue are:

==25874== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040000b9f0 at pc 0x437f17 bp 0x7fff4b7aaa80 sp 0x7fff4b7aaa78
READ of size 1 at 0x60040000b9f0 thread T0

And gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x00007ffff468fc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x00007ffff468fc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff4693028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d6a4 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x0000000000437f17 in parse_comsub (qc=0, open=40, close=41, lenp=0x7fffffffd7f0, flags=8) at ./parse.y:3926
#8  0x000000000043d057 in read_token_word (character=62) at ./parse.y:4854
#9  0x0000000000434e4d in read_token (command=0) at ./parse.y:3296
#10 0x0000000000432e7f in yylex () at ./parse.y:2675
#11 0x0000000000425a45 in yyparse () at y.tab.c:1832
#12 0x0000000000424e6b in parse_command () at eval.c:261
#13 0x0000000000424f72 in read_command () at eval.c:305
#14 0x0000000000424b20 in reader_loop () at eval.c:149
#15 0x0000000000420681 in main (argc=2, argv=0x7fffffffed28, env=0x7fffffffed40) at shell.c:792

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.

Attachment: -799646324984424118.iftlnsqdux.sh
Description: Bourne shell script
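A small triage helper, added here as an example and not part of the original report: it pulls the bug class, the faulting access and the first frame in the target's own code out of an ASan report plus gdb backtrace like the one above, and derives a bucket key for de-duplicating fuzzer findings. The sample text is a rejoined copy of the report's own output (not every frame is repeated); the regexes assume the GNU gdb frame format shown there.

```python
import re

# Constructed sample: the ASan line and a subset of the gdb frames quoted
# in the report above, with the mail-wrapped lines rejoined.
SAMPLE_REPORT = """\
==25874== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040000b9f0 at pc 0x437f17 bp 0x7fff4b7aaa80 sp 0x7fff4b7aaa78
READ of size 1 at 0x60040000b9f0 thread T0
#0  0x00007ffff468fc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff4693028 in __GI_abort () at abort.c:89
#2  0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff4e5d6a4 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x0000000000437f17 in parse_comsub (qc=0, open=40, close=41, lenp=0x7fffffffd7f0, flags=8) at ./parse.y:3926
#8  0x000000000043d057 in read_token_word (character=62) at ./parse.y:4854
"""

ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+0x[0-9a-f]+ in (?P<func>\S+) \(.*?\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?", re.M)

def is_runtime_frame(func):
    # libc's abort path and the sanitizer runtime say nothing about where
    # in the target the bad access happened; skip them when bucketing.
    return func == "??" or func.startswith(("__GI_", "__asan_"))

def triage(report):
    """Return the crash class and first target frame, or None when the
    text carries no AddressSanitizer error at all."""
    err = ERROR_RE.search(report)
    if not err:
        return None
    access = ACCESS_RE.search(report)
    frame = next((f for f in FRAME_RE.finditer(report)
                  if not is_runtime_frame(f["func"])), None)
    result = {
        "kind": err["kind"],
        "address": err["addr"],
        "op": access["op"] if access else None,
        "size": int(access["size"]) if access else None,
        "func": frame["func"] if frame else None,
        "file": frame["file"] if frame else None,
        "line": int(frame["line"]) if frame and frame["line"] else None,
    }
    # Same bug class at the same source location is almost always the same
    # root cause, so this key is a reasonable de-duplication bucket.
    result["bucket"] = "{kind}@{func}:{file}:{line}".format(**result)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```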
