Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Og -fsanitize=address -Wno-parentheses -Wno-format-security
uname output: Linux debian 4.9.0-4-686-pae #1 SMP Debian 4.9.51-1 (2017-09-28) i686 GNU/Linux
Machine Type: i686-pc-linux-gnu
Bash Version: 20171020 snapshot
Apparently an out-of-bounds read can happen in parse_comsub() when
checking script syntax. To reproduce, rebuild bash with AddressSanitizer
enabled and run:
$ printf '$(00\177%012d\1%d00\177%090d\177%028d(%0267d\177%010d<<-\276%019d\n\n' | bash -n
=================================================================
==15619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3b03a00 at pc 0xb722991e bp 0xbff6d7b8 sp 0xbff6d390
READ of size 2 at 0xb3b03a00 thread T0
#0 0xb722991d (/usr/lib/i386-linux-gnu/libasan.so.4+0x5491d)
#1 0x4e92d9 in parse_comsub parse.y:3841
#2 0x4ee81a in read_token_word parse.y:4969
#3 0x4f0d2a in read_token parse.y:3350
#4 0x4f137e in yylex parse.y:2691
#5 0x4f21af in yyparse y.tab.c:1821
#6 0x4e05e9 in parse_command eval.c:294
#7 0x4e080d in read_command eval.c:338
#8 0x4e12d2 in reader_loop eval.c:140
#9 0x4e0357 in main shell.c:804
#10 0xb700d285 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18285)
#11 0x4db500 (.../bash+0x3e500)
0xb3b03a00 is located 0 bytes to the right of 448-byte region [0xb3b03840,0xb3b03a00)
allocated by thread T0 here:
#0 0xb72b41d4 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.4+0xdf1d4)
#1 0x5c35d0 in xrealloc xmalloc.c:133
...
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
--
Jakub Wilk
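An added example, not part of the report above: a small POSIX shell harness for triaging a parser reproducer of this kind. It feeds the printf-generated input to `bash -n` (syntax check only, so nothing in the input is executed) and reports whether an AddressSanitizer message appeared on stderr. It assumes the bash under test is on PATH or named by the variable BASH_BIN (an assumed name, not from the report) and was built with -fsanitize=address as described above; on a non-sanitized build the verdict is "clean" whether or not the bug is present.

```shell
# Added example (not from the original report). Assumes the bash under test is
# on PATH or named by BASH_BIN (assumed variable), and that it was built with
# -fsanitize=address so an out-of-bounds read prints an ASan report on stderr.

# Reproducer from the report, kept verbatim as a printf format string.
# The %...d directives have no arguments, so printf expands them to zeros.
REPRO='$(00\177%012d\1%d00\177%090d\177%028d(%0267d\177%010d<<-\276%019d\n\n'

# check_syntax_under_asan FORMAT
# Pipes `printf FORMAT` into `bash -n` (parse only; nothing is executed) and
# prints "asan" if an AddressSanitizer report appeared on stderr, otherwise
# "clean" (which covers both a valid script and an ordinary syntax error).
check_syntax_under_asan() {
    bin="${BASH_BIN:-bash}"
    # stderr is captured, stdout discarded; bash exits non-zero on a syntax
    # error, so "|| true" keeps the harness usable under set -e.
    # detect_leaks=0: leak reports are not the signal being looked for here.
    err=$(printf "$1" | ASAN_OPTIONS=detect_leaks=0 "$bin" -n 2>&1 >/dev/null) || true
    case "$err" in
        *AddressSanitizer*) echo asan ;;
        *) echo clean ;;
    esac
}

# Run the report's reproducer through the harness.
check_syntax_under_asan "$REPRO"
```

Run it as `BASH_BIN=/path/to/asan-built/bash sh harness.sh`; a sanitized build affected by this bug prints "asan", and a control input such as `check_syntax_under_asan 'echo hi\n'` prints "clean" on any build.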