(tested against the latest devel, i.e. May/8 push)

dualbus@debian:~/src/gnu/bash$ git rev-parse HEAD
af2a77fbbcf6e50edbc535eb3fd267bd3f4d1a14
dualbus@debian:~/bash-fuzzing/bash-read/read-r$ cat -v read_builtin
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000M-lM-=M-=00M-|
dualbus@debian:~/bash-fuzzing/bash-read/read-r$ base64 read_builtin
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDDsvb0wMPw=
dualbus@debian:~/bash-fuzzing/bash-read/read-r$ md5sum read_builtin
dd5d776c6dc83e57a64034bb6cfee574 read_builtin

(gdb) r -c 'read -r < read_builtin'
Starting program: /home/dualbus/src/gnu/bash/bash -c 'read -r < read_builtin'

malloc: ./read.def:806: assertion botched
malloc: 0x829f88: allocated: last allocated from ./read.def:361
free: start and end chunk sizes differ
Aborting...

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff76413fa in __GI_abort () at abort.c:89
#2 0x000000000045c745 in programming_error (format=0x551e9b "free: start and end chunk sizes differ") at error.c:175
#3 0x00000000005335c2 in xbotch (mem=0x829f88, e=8, s=0x551e9b "free: start and end chunk sizes differ", file=0x54c793 "./read.def", line=806) at malloc.c:329
#4 0x0000000000532b6e in internal_free (mem=0x829f88, file=0x54c793 "./read.def", line=806, flags=1) at malloc.c:916
#5 0x0000000000532888 in sh_free (mem=0x829f88, file=0x54c793 "./read.def", line=806) at malloc.c:1271
#6 0x00000000004b811e in sh_xfree (string=0x829f88, file=0x54c793 "./read.def", line=806) at xmalloc.c:221
#7 0x00000000004cc741 in read_builtin (list=0x0) at ./read.def:806
#8 0x000000000044efaf in execute_builtin (builtin=0x4cad80 <read_builtin>, words=0x8297e8, flags=0, subshell=0) at execute_cmd.c:4605
#9 0x000000000044e3e0 in execute_builtin_or_function (words=0x8297e8, builtin=0x4cad80 <read_builtin>, var=0x0, redirects=0x829988, fds_to_close=0x8299c8, flags=0) at execute_cmd.c:5103
#10 0x0000000000447095 in execute_simple_command (simple_command=0x827f48, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x8299c8) at execute_cmd.c:4391
#11 0x0000000000444b71 in execute_command_internal (command=0x827f08, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x8299c8) at execute_cmd.c:812
#12 0x00000000004c1fd7 in parse_and_execute (string=0x827b48 "read -r < read_builtin", from_file=0x535b6f "-c", flags=4) at evalstring.c:430
#13 0x00000000004271af in run_one_command (command=0x7fffffffe6fc "read -r < read_builtin") at shell.c:1405
#14 0x00000000004251fd in main (argc=3, argv=0x7fffffffe448, env=0x7fffffffe468) at shell.c:718