dualbus@debian:~/src/gnu/bash$ xxd ../cases/1
00000000: 3010 1f0e 0...
dualbus@debian:~/src/gnu/bash$ cat -A ../cases/1
0^P^_^N
To reproduce,
- run: ./bash -c 'read -e' # it doesn't seem to happen for interactive bash
- then type the following sequence: 0 \C-p \C-_ \C-n <ret>
(in my keyboard, \C-_ is <ctrl>-<shift>-<->)
dualbus@debian:~/src/gnu/bash$ ./bash -c 'read -e'
0
=================================================================
==24334==ERROR: AddressSanitizer: heap-use-after-free on address
0x60300000c100 at pc 0x55ad664b341d bp 0x7fff83ff6580 sp
0x7fff83ff6578
READ of size 8 at 0x60300000c100 thread T0
#0 0x55ad664b341c in _rl_free_undo_list
/home/dualbus/src/gnu/bash/lib/readline/undo.c:106
#1 0x55ad664b34d6 in rl_free_undo_list
/home/dualbus/src/gnu/bash/lib/readline/undo.c:122
#2 0x55ad6646f757 in readline_internal_teardown
/home/dualbus/src/gnu/bash/lib/readline/readline.c:482
#3 0x55ad6646fccf in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:671
#4 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
#5 0x55ad6642a74d in edit_line read.def:1069
#6 0x55ad664281dd in read_builtin read.def:550
#7 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
#8 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
#9 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
#10 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
#11 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
#12 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
#13 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
#14 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#15 0x55ad662f45e9 in _start (/home/dualbus/src/gnu/bash/bash+0x7f5e9)
0x60300000c100 is located 0 bytes inside of 32-byte region
[0x60300000c100,0x60300000c120)
freed by thread T0 here:
#0 0x7f4116db5a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x55ad66404600 in xfree /home/dualbus/src/gnu/bash/xmalloc.c:148
#2 0x55ad664b3e4f in rl_do_undo
/home/dualbus/src/gnu/bash/lib/readline/undo.c:240
#3 0x55ad664b41aa in rl_undo_command
/home/dualbus/src/gnu/bash/lib/readline/undo.c:331
#4 0x55ad664707f2 in _rl_dispatch_subseq
/home/dualbus/src/gnu/bash/lib/readline/readline.c:851
#5 0x55ad664703cd in _rl_dispatch
/home/dualbus/src/gnu/bash/lib/readline/readline.c:797
#6 0x55ad6646fc0c in readline_internal_char
/home/dualbus/src/gnu/bash/lib/readline/readline.c:629
#7 0x55ad6646fc9e in readline_internal_charloop
/home/dualbus/src/gnu/bash/lib/readline/readline.c:656
#8 0x55ad6646fcc2 in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:670
#9 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
#10 0x55ad6642a74d in edit_line read.def:1069
#11 0x55ad664281dd in read_builtin read.def:550
#12 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
#13 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
#14 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
#15 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
#16 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
#17 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
#18 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
#19 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
previously allocated by thread T0 here:
#0 0x7f4116db5d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55ad6640453f in xmalloc /home/dualbus/src/gnu/bash/xmalloc.c:112
#2 0x55ad664b3252 in alloc_undo_entry
/home/dualbus/src/gnu/bash/lib/readline/undo.c:75
#3 0x55ad664b33a1 in rl_add_undo
/home/dualbus/src/gnu/bash/lib/readline/undo.c:92
#4 0x55ad664b9ec1 in rl_insert_text
/home/dualbus/src/gnu/bash/lib/readline/text.c:112
#5 0x55ad664bcf22 in _rl_insert_char
/home/dualbus/src/gnu/bash/lib/readline/text.c:863
#6 0x55ad664bd2d4 in rl_insert
/home/dualbus/src/gnu/bash/lib/readline/text.c:912
#7 0x55ad664707f2 in _rl_dispatch_subseq
/home/dualbus/src/gnu/bash/lib/readline/readline.c:851
#8 0x55ad664703cd in _rl_dispatch
/home/dualbus/src/gnu/bash/lib/readline/readline.c:797
#9 0x55ad6646fc0c in readline_internal_char
/home/dualbus/src/gnu/bash/lib/readline/readline.c:629
#10 0x55ad6646fc9e in readline_internal_charloop
/home/dualbus/src/gnu/bash/lib/readline/readline.c:656
#11 0x55ad6646fcc2 in readline_internal
/home/dualbus/src/gnu/bash/lib/readline/readline.c:670
#12 0x55ad6646f378 in readline
/home/dualbus/src/gnu/bash/lib/readline/readline.c:374
#13 0x55ad6642a74d in edit_line read.def:1069
#14 0x55ad664281dd in read_builtin read.def:550
#15 0x55ad6633e93a in execute_builtin
/home/dualbus/src/gnu/bash/execute_cmd.c:4605
#16 0x55ad66340550 in execute_builtin_or_function
/home/dualbus/src/gnu/bash/execute_cmd.c:5103
#17 0x55ad6633ddd0 in execute_simple_command
/home/dualbus/src/gnu/bash/execute_cmd.c:4391
#18 0x55ad6632bccf in execute_command_internal
/home/dualbus/src/gnu/bash/execute_cmd.c:811
#19 0x55ad66415858 in parse_and_execute
/home/dualbus/src/gnu/bash/builtins/evalstring.c:430
#20 0x55ad662f72a1 in run_one_command
/home/dualbus/src/gnu/bash/shell.c:1405
#21 0x55ad662f577a in main /home/dualbus/src/gnu/bash/shell.c:718
#22 0x7f41165482b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/dualbus/src/gnu/bash/lib/readline/undo.c:106 in
_rl_free_undo_list
Shadow bytes around the buggy address:
0x0c067fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9810: fa fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
=>0x0c067fff9820:[fd]fd fd fd fa fa 00 00 04 fa fa fa fd fd fd fd
0x0c067fff9830: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff9840: 00 02 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff9850: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff9860: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fff9870: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24334==ABORTING
Found by fuzzing with AFL using the following modification:
dualbus@debian:~/src/gnu/bash$ git diff -- builtins/read.def
diff --git a/builtins/read.def b/builtins/read.def
index e6db4393..245ed69f 100644
--- a/builtins/read.def
+++ b/builtins/read.def
@@ -389,6 +389,7 @@ read_builtin (list)
input_is_pipe = 1;
#endif
+#if 0
/* If the -p, -e or -s flags were given, but input is not coming from the
terminal, turn them off. */
if ((prompt || edit || silent) && input_is_tty == 0)
@@ -399,6 +400,7 @@ read_builtin (list)
#endif
edit = silent = 0;
}
+#endif
#if defined (READLINE)
if (edit)
