dualbus@debian:~/src/gnu/bash$ xxd bar
00000000: 3a22 3030 5c43 2d0a 3030 3030 3030 3030  :"00\C-.00000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
# With system malloc (gdb) r --noprofile --norc -ic 'bind -f bar' Starting program: /home/dualbus/src/gnu/bash/bash --noprofile --norc -ic 'bind -f bar' *** Error in `/home/dualbus/src/gnu/bash/bash': free(): invalid next size (fast): 0x00005555558cac00 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ffff767dbcb] /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7ffff7683f96] /lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7ffff768478e] /home/dualbus/src/gnu/bash/bash(xfree+0x1f)[0x5555555f66b6] /home/dualbus/src/gnu/bash/bash(rl_generic_bind+0x46)[0x55555563993a] /home/dualbus/src/gnu/bash/bash(rl_macro_bind+0x7a)[0x5555556398ed] /home/dualbus/src/gnu/bash/bash(rl_parse_and_bind+0x759)[0x55555563bd08] /home/dualbus/src/gnu/bash/bash(+0xe6e40)[0x55555563ae40] /home/dualbus/src/gnu/bash/bash(rl_read_init_file+0x8a)[0x55555563aca9] /home/dualbus/src/gnu/bash/bash(bind_builtin+0x382)[0x5555555f6e4c] /home/dualbus/src/gnu/bash/bash(+0x4dff1)[0x5555555a1ff1] /home/dualbus/src/gnu/bash/bash(+0x4eecd)[0x5555555a2ecd] /home/dualbus/src/gnu/bash/bash(+0x4d8f7)[0x5555555a18f7] /home/dualbus/src/gnu/bash/bash(execute_command_internal+0x80a)[0x55555559b2af] /home/dualbus/src/gnu/bash/bash(parse_and_execute+0x548)[0x5555555fe1e8] /home/dualbus/src/gnu/bash/bash(+0x2f32f)[0x55555558332f] /home/dualbus/src/gnu/bash/bash(main+0x83a)[0x5555555824aa] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff762d2b1] /home/dualbus/src/gnu/bash/bash(_start+0x2a)[0x555555581b6a] ======= Memory map: ======== 555555554000-55555568e000 r-xp 00000000 fe:01 17570830 /home/dualbus/src/gnu/bash/bash 55555588e000-555555891000 r--p 0013a000 fe:01 17570830 /home/dualbus/src/gnu/bash/bash 555555891000-55555589b000 rw-p 0013d000 fe:01 17570830 /home/dualbus/src/gnu/bash/bash 55555589b000-555555908000 rw-p 00000000 00:00 0 [heap] 7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 7ffff6bb8000-7ffff6bce000 r-xp 00000000 fe:01 
1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff6bce000-7ffff6dcd000 ---p 00016000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff6dcd000-7ffff6dce000 r--p 00015000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff6dce000-7ffff6dcf000 rw-p 00016000 fe:01 1310769 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff6dcf000-7ffff6dd9000 r-xp 00000000 fe:01 1311109 /lib/x86_64-linux-gnu/libnss_files-2.24.so 7ffff6dd9000-7ffff6fd9000 ---p 0000a000 fe:01 1311109 /lib/x86_64-linux-gnu/libnss_files-2.24.so 7ffff6fd9000-7ffff6fda000 r--p 0000a000 fe:01 1311109 /lib/x86_64-linux-gnu/libnss_files-2.24.so 7ffff6fda000-7ffff6fdb000 rw-p 0000b000 fe:01 1311109 /lib/x86_64-linux-gnu/libnss_files-2.24.so 7ffff6fdb000-7ffff6fe1000 rw-p 00000000 00:00 0 7ffff6fe1000-7ffff6fec000 r-xp 00000000 fe:01 1311111 /lib/x86_64-linux-gnu/libnss_nis-2.24.so 7ffff6fec000-7ffff71eb000 ---p 0000b000 fe:01 1311111 /lib/x86_64-linux-gnu/libnss_nis-2.24.so 7ffff71eb000-7ffff71ec000 r--p 0000a000 fe:01 1311111 /lib/x86_64-linux-gnu/libnss_nis-2.24.so 7ffff71ec000-7ffff71ed000 rw-p 0000b000 fe:01 1311111 /lib/x86_64-linux-gnu/libnss_nis-2.24.so 7ffff71ed000-7ffff7201000 r-xp 00000000 fe:01 1311105 /lib/x86_64-linux-gnu/libnsl-2.24.so 7ffff7201000-7ffff7401000 ---p 00014000 fe:01 1311105 /lib/x86_64-linux-gnu/libnsl-2.24.so 7ffff7401000-7ffff7402000 r--p 00014000 fe:01 1311105 /lib/x86_64-linux-gnu/libnsl-2.24.so 7ffff7402000-7ffff7403000 rw-p 00015000 fe:01 1311105 /lib/x86_64-linux-gnu/libnsl-2.24.so 7ffff7403000-7ffff7405000 rw-p 00000000 00:00 0 7ffff7405000-7ffff740c000 r-xp 00000000 fe:01 1311107 /lib/x86_64-linux-gnu/libnss_compat-2.24.so 7ffff740c000-7ffff760b000 ---p 00007000 fe:01 1311107 /lib/x86_64-linux-gnu/libnss_compat-2.24.so 7ffff760b000-7ffff760c000 r--p 00006000 fe:01 1311107 /lib/x86_64-linux-gnu/libnss_compat-2.24.so 7ffff760c000-7ffff760d000 rw-p 00007000 fe:01 1311107 /lib/x86_64-linux-gnu/libnss_compat-2.24.so 7ffff760d000-7ffff77a2000 r-xp 00000000 fe:01 1311097 
/lib/x86_64-linux-gnu/libc-2.24.so 7ffff77a2000-7ffff79a1000 ---p 00195000 fe:01 1311097 /lib/x86_64-linux-gnu/libc-2.24.so 7ffff79a1000-7ffff79a5000 r--p 00194000 fe:01 1311097 /lib/x86_64-linux-gnu/libc-2.24.so 7ffff79a5000-7ffff79a7000 rw-p 00198000 fe:01 1311097 /lib/x86_64-linux-gnu/libc-2.24.so 7ffff79a7000-7ffff79ab000 rw-p 00000000 00:00 0 7ffff79ab000-7ffff79ad000 r-xp 00000000 fe:01 1311100 /lib/x86_64-linux-gnu/libdl-2.24.so 7ffff79ad000-7ffff7bad000 ---p 00002000 fe:01 1311100 /lib/x86_64-linux-gnu/libdl-2.24.so 7ffff7bad000-7ffff7bae000 r--p 00002000 fe:01 1311100 /lib/x86_64-linux-gnu/libdl-2.24.so 7ffff7bae000-7ffff7baf000 rw-p 00003000 fe:01 1311100 /lib/x86_64-linux-gnu/libdl-2.24.so 7ffff7baf000-7ffff7bd4000 r-xp 00000000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9 7ffff7bd4000-7ffff7dd4000 ---p 00025000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9 7ffff7dd4000-7ffff7dd8000 r--p 00025000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9 7ffff7dd8000-7ffff7dd9000 rw-p 00029000 fe:01 1310814 /lib/x86_64-linux-gnu/libtinfo.so.5.9 7ffff7dd9000-7ffff7dfc000 r-xp 00000000 fe:01 1310829 /lib/x86_64-linux-gnu/ld-2.24.so 7ffff7e60000-7ffff7e61000 rw-p 00000000 00:00 0 7ffff7e61000-7ffff7eb2000 r--p 00000000 fe:01 26352446 /usr/lib/locale/aa_DJ.utf8/LC_CTYPE 7ffff7eb2000-7ffff7fe2000 r--p 00000000 fe:01 26352445 /usr/lib/locale/aa_DJ.utf8/LC_COLLATE 7ffff7fe2000-7ffff7fe4000 rw-p 00000000 00:00 0 7ffff7fe4000-7ffff7fe5000 r--p 00000000 fe:01 26352476 /usr/lib/locale/aa_ET/LC_NUMERIC 7ffff7fe5000-7ffff7fe6000 r--p 00000000 fe:01 26476650 /usr/lib/locale/en_US.utf8/LC_TIME 7ffff7fe6000-7ffff7fe7000 r--p 00000000 fe:01 26353097 /usr/lib/locale/chr_US/LC_MONETARY 7ffff7fe7000-7ffff7fe8000 r--p 00000000 fe:01 26353383 /usr/lib/locale/en_AG/LC_MESSAGES/SYS_LC_MESSAGES 7ffff7fe8000-7ffff7fe9000 r--p 00000000 fe:01 26353099 /usr/lib/locale/chr_US/LC_PAPER 7ffff7fe9000-7ffff7fea000 r--p 00000000 fe:01 26353098 /usr/lib/locale/chr_US/LC_NAME 
7ffff7fea000-7ffff7feb000 r--p 00000000 fe:01 26476647 /usr/lib/locale/en_US.utf8/LC_ADDRESS 7ffff7feb000-7ffff7fec000 r--p 00000000 fe:01 26353100 /usr/lib/locale/chr_US/LC_TELEPHONE 7ffff7fec000-7ffff7fed000 r--p 00000000 fe:01 26353094 /usr/lib/locale/chr_US/LC_MEASUREMENT 7ffff7fed000-7ffff7ff4000 r--s 00000000 fe:01 25438256 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache 7ffff7ff4000-7ffff7ff5000 r--p 00000000 fe:01 26476648 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION 7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00023000 fe:01 1310829 /lib/x86_64-linux-gnu/ld-2.24.so 7ffff7ffd000-7ffff7ffe000 rw-p 00024000 fe:01 1310829 /lib/x86_64-linux-gnu/ld-2.24.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58 58 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff764140a in __GI_abort () at abort.c:89
#2  0x00007ffff767dbd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7772c30 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7683f96 in malloc_printerr (action=3, str=0x7ffff7772d40 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5046
#4  0x00007ffff768478e in _int_free (av=0x7ffff79a5b00 <main_arena>, p=0x5555558cabf0, have_lock=0) at malloc.c:3902
#5  0x00005555555f66b6 in xfree (string=0x5555558cac00) at xmalloc.c:148
#6  0x000055555563993a in rl_generic_bind (type=2, keyseq=0x7fffffffde4a "", data=0x5555558cac00 "00", map=0x555555895140 <emacs_standard_keymap>) at bind.c:338
#7  0x00005555556398ed in rl_macro_bind (keyseq=0x7fffffffde4a "", macro=0x5555558cac62 "00\\C-", map=0x555555895140 <emacs_standard_keymap>) at bind.c:315
#8  0x000055555563bd08 in rl_parse_and_bind (string=0x5555558cac60 "") at bind.c:1450
#9  0x000055555563ae40 in _rl_read_init_file (filename=0x5555558b8740 "bar", include_level=0) at bind.c:927
#10 0x000055555563aca9 in rl_read_init_file (filename=0x5555558b8740 "bar") at bind.c:870
#11 0x00005555555f6e4c in bind_builtin (list=0x0) at ./bind.def:248
#12 0x00005555555a1ff1 in execute_builtin (builtin=0x5555555f6aca <bind_builtin>, words=0x5555558b88e0, flags=64, subshell=0) at execute_cmd.c:4603
#13 0x00005555555a2ecd in execute_builtin_or_function (words=0x5555558b88e0, builtin=0x5555555f6aca <bind_builtin>, var=0x0, redirects=0x0, fds_to_close=0x5555558b85d0, flags=64) at execute_cmd.c:5101
#14 0x00005555555a18f7 in execute_simple_command (simple_command=0x5555558b8510, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x5555558b85d0) at execute_cmd.c:4389
#15 0x000055555559b2af in execute_command_internal (command=0x5555558b84e0, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555558b85d0) at execute_cmd.c:811
#16 0x00005555555fe1e8 in parse_and_execute (string=0x5555558a9340 "bind -f bar", from_file=0x555555656830 "-c", flags=4) at evalstring.c:430
#17 0x000055555558332f in run_one_command (command=0x7fffffffe72e "bind -f bar") at shell.c:1405
#18 0x00005555555824aa in main (argc=5, argv=0x7fffffffe458, env=0x7fffffffe488) at shell.c:718

# With ASAN (the glibc run above only notices the corruption later, at free() in rl_generic_bind; ASAN reports the out-of-bounds write itself, in rl_translate_keyseq)
dualbus@debian:~/src/gnu/bash$ ./bash --noprofile --norc -ic 'bind -f bar'
=================================================================
==24192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009c3b at pc 0x55f8abc481c3 bp 0x7fff59f1f3f0 sp 0x7fff59f1f3e8
WRITE of size 1 at 0x602000009c3b thread T0
    #0 0x55f8abc481c2 in rl_translate_keyseq /home/dualbus/src/gnu/bash/lib/readline/bind.c:548
    #1 0x55f8abc46729 in rl_macro_bind /home/dualbus/src/gnu/bash/lib/readline/bind.c:310
    #2 0x55f8abc4c605 in rl_parse_and_bind /home/dualbus/src/gnu/bash/lib/readline/bind.c:1450
    #3 0x55f8abc4a103 in _rl_read_init_file /home/dualbus/src/gnu/bash/lib/readline/bind.c:927
    #4 0x55f8abc49d4c in rl_read_init_file /home/dualbus/src/gnu/bash/lib/readline/bind.c:870
    #5 0x55f8abbbd01c in bind_builtin bind.def:248
    #6 0x55f8abaf672b in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4603
    #7 0x55f8abaf8341 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5101
    #8 0x55f8abaf5bc1 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4389
    #9 0x55f8abae3ac2 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #10 0x55f8abbcd4ae in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #11 0x55f8abaaf121 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #12 0x55f8abaad5fa in main /home/dualbus/src/gnu/bash/shell.c:718
    #13 0x7f0963e132b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x55f8abaac469 in _start (/home/dualbus/src/gnu/bash/bash+0x7f469)

0x602000009c3b is located 0 bytes to the right of 11-byte region [0x602000009c30,0x602000009c3b)
allocated by thread T0 here:
    #0 0x7f0964680d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55f8abbbc195 in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
    #2 0x55f8abc46705 in rl_macro_bind /home/dualbus/src/gnu/bash/lib/readline/bind.c:308
    #3 0x55f8abc4c605 in rl_parse_and_bind /home/dualbus/src/gnu/bash/lib/readline/bind.c:1450
    #4 0x55f8abc4a103 in _rl_read_init_file /home/dualbus/src/gnu/bash/lib/readline/bind.c:927
    #5 0x55f8abc49d4c in rl_read_init_file /home/dualbus/src/gnu/bash/lib/readline/bind.c:870
    #6 0x55f8abbbd01c in bind_builtin bind.def:248
    #7 0x55f8abaf672b in execute_builtin /home/dualbus/src/gnu/bash/execute_cmd.c:4603
    #8 0x55f8abaf8341 in execute_builtin_or_function /home/dualbus/src/gnu/bash/execute_cmd.c:5101
    #9 0x55f8abaf5bc1 in execute_simple_command /home/dualbus/src/gnu/bash/execute_cmd.c:4389
    #10 0x55f8abae3ac2 in execute_command_internal /home/dualbus/src/gnu/bash/execute_cmd.c:811
    #11 0x55f8abbcd4ae in parse_and_execute /home/dualbus/src/gnu/bash/builtins/evalstring.c:430
    #12 0x55f8abaaf121 in run_one_command /home/dualbus/src/gnu/bash/shell.c:1405
    #13 0x55f8abaad5fa in main /home/dualbus/src/gnu/bash/shell.c:718
    #14 0x7f0963e132b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dualbus/src/gnu/bash/lib/readline/bind.c:548 in rl_translate_keyseq
Shadow bytes around the buggy address:
  0x0c047fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9380: fa fa fa fa fa fa 00[03]fa fa 04 fa fa fa fd fa
  0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 00 07 fa fa fd fa
  0x0c047fff93a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff93d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24192==ABORTING