undo.c:188

Eduardo A . Bustamante López Wed, 06 Feb 2019 09:15:59 -0800

I found another issue in rl_do_undo, but I haven't been successful in figuring 
out how it happens.


I've been working with the `devel' branch, commit 
`8a9718cfc93958b34e205d0507c3bbf64cba6db5'

Here's how I built the binaries I use below:

debian@debian-fuzz:~/tmp$ cat ~/build.sh 
#!/bin/bash
mkdir build-devel{,-asan,-gdb}
(cd build-devel      && CFLAGS='' CC='afl-clang-fast'                           
       ../bash-devel/configure --silent --without-bash-malloc && make 
-sj$(nproc))
(cd build-devel-asan && CFLAGS='-O0 -ggdb -fno-omit-frame-pointer 
-fsanitize=address ' ../bash-devel/configure --silent --without-bash-malloc && 
make -sj$(nproc))
(cd build-devel-gdb  && CFLAGS='-O0 -ggdb -fno-omit-frame-pointer '             
       ../bash-devel/configure --silent --without-bash-malloc && make 
-sj$(nproc))

This is the input to `read -e':

debian@debian-fuzz:~/tmp$ base64 < o
MBgFEBAQDhUwEBgoHx8wEDAYRRQbEDAYBTAYRQ4=

debian@debian-fuzz:~/tmp$ cat -A o
0^X^E^P^P^P^N^U0^P^X(^_^_0^P0^XE^T^[^P0^X^E0^XE^N


My poor attempt of a trace under GDB:

debian@debian-fuzz:~/tmp$ gdb --batch --command=trace_rl_undo.gdb --args 
~/build-devel-gdb/bash --noprofile --norc -c 'EDITOR=: PATH= read -e < o' > 
out.txt 2>&1
(no output)
-------------------------------------------------------------------------------

dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat out.txt 
0
0
/tmp/bash-fc.9lfkNE: line 1: 0: No such file or directory
000
000
/tmp/bash-fc.HkVuNJ: line 1: 000: No such file or directory
0000readline: maximum macro execution nesting level exceeded

munmap_chunk(): invalid pointer
-------------------------------------------------------------------------------


dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat gdb.txt 
Temporary breakpoint 1 at 0x2eea9: file ../bash-devel/shell.c, line 392.

Temporary breakpoint 1, main (argc=5, argv=0x7fffffffdfd8, env=0x7fffffffe008) 
at ../bash-devel/shell.c:392
392       code = setjmp_nosigs (top_level);
Breakpoint 2 at 0x55555565004c: file ../../../bash-devel/lib/readline/undo.c, 
line 177.
[Detaching after fork from child process 588]

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
(... snip ...)

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$625 = "~~~ print_rl_undo_list>"
$626 = 0
$627 = (UNDO_LIST *) 0x5555556f9e50
$628 = (struct undo_list *) 0x5555556fa6f0
$629 = 0x0
$630 = 1
$631 = (struct undo_list *) 0x5555556fa6f0
$632 = (struct undo_list *) 0x0
$633 = 0x0
$634 = "~~~ print_the_history>"
$635 = 0
$636 = (HIST_ENTRY *) 0x5555556fa720
$637 = 0x5555556debd0 "000"
$638 = 0
$639 = (UNDO_LIST *) 0x5555556fa6f0
$640 = (struct undo_list *) 0x0
$641 = 0x0
$642 = 1
$643 = (HIST_ENTRY *) 0x5555556fa7b0
$644 = 0x5555556f89a0 "0"
$645 = 0
$646 = (UNDO_LIST *) 0x5555556fa330
$647 = (struct undo_list *) 0x5555556fa3d0
$648 = 0x0
$649 = 1
$650 = (struct undo_list *) 0x5555556fa3d0
$651 = (struct undo_list *) 0x5555556f9f00
$652 = 0x5555556de940 "\360\237oUUU"
$653 = 2
$654 = (struct undo_list *) 0x5555556f9f00
$655 = (struct undo_list *) 0x0
$656 = 0x5555556fa750 " "
$657 = 2
$658 = (HIST_ENTRY *) 0x5555556fa2c0
$659 = 0x5555556f85f0 "0000"
$660 = 0
$661 = (UNDO_LIST *) 0x5555556f90e0
$662 = (struct undo_list *) 0x0
$663 = 0x0
$664 = 3
$665 = (HIST_ENTRY *) 0x5555556f9130
$666 = 0x5555556fa6d0 "0000"
$667 = 0
$668 = (UNDO_LIST *) 0x5555556f90b0
$669 = (struct undo_list *) 0x0
$670 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504fd in rl_undo_command (count=1, key=31) at 
../../../bash-devel/lib/readline/undo.c:358
#2  0x0000555555633b75 in _rl_dispatch_subseq (key=31, map=0x55555569f200 
<emacs_standard_keymap>, got_subseq=0) at 
../../../bash-devel/lib/readline/readline.c:852
#3  0x00005555556338ec in _rl_dispatch (key=1433265360, map=0x55555569f200 
<emacs_standard_keymap>) at ../../../bash-devel/lib/readline/readline.c:798
#4  0x000055555563356f in readline_internal_char () at 
../../../bash-devel/lib/readline/readline.c:632
#5  0x00005555556335ca in readline_internal_charloop () at 
../../../bash-devel/lib/readline/readline.c:659
#6  0x00005555556335ea in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:671
#7  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#8  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#9  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#10 0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#11 0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#12 0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#13 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#14 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#15 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#16 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
(... snip ...)

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$1559 = "~~~ print_rl_undo_list>"
$1560 = 0
$1561 = (UNDO_LIST *) 0x5555556fa3d0
$1562 = (struct undo_list *) 0x5555556f9f00
$1563 = 0x5555556de940 "\340\221oUUU"
$1564 = 1
$1565 = (struct undo_list *) 0x5555556f9f00
$1566 = (struct undo_list *) 0x0
$1567 = 0x5555556fa750 " "
$1568 = "~~~ print_the_history>"
$1569 = 0
$1570 = (HIST_ENTRY *) 0x5555556becd0
$1571 = 0x5555556bed70 "0000"
$1572 = 0
$1573 = (UNDO_LIST *) 0x5555556f9e50
$1574 = (struct undo_list *) 0x5555556fa6f0
$1575 = 0x0
$1576 = 1
$1577 = (struct undo_list *) 0x5555556fa6f0
$1578 = (struct undo_list *) 0x0
$1579 = 0x0
$1580 = 1
$1581 = (HIST_ENTRY *) 0x5555556f96c0
$1582 = 0x5555556f96a0 ""
$1583 = 0
$1584 = (UNDO_LIST *) 0x5555556fa3d0
$1585 = (struct undo_list *) 0x5555556f9f00
$1586 = 0x5555556de940 "\340\221oUUU"
$1587 = 1
$1588 = (struct undo_list *) 0x5555556f9f00
$1589 = (struct undo_list *) 0x0
$1590 = 0x5555556fa750 " "
$1591 = 2
$1592 = (HIST_ENTRY *) 0x5555556fa2c0
$1593 = 0x5555556f85f0 "0000"
$1594 = 0
$1595 = (UNDO_LIST *) 0x5555556f90e0
$1596 = (struct undo_list *) 0x0
$1597 = 0x0
$1598 = 3
$1599 = (HIST_ENTRY *) 0x5555556f9130
$1600 = 0x5555556fa6d0 "0000"
$1601 = 0
$1602 = (UNDO_LIST *) 0x5555556f90b0
$1603 = (struct undo_list *) 0x0
$1604 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#2  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#3  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#4  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#5  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#6  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#7  0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#8  0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#9  0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#10 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#11 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#12 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#13 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Breakpoint 2, rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
177       start = end = waiting_for_begin = 0;
$1605 = "~~~ print_rl_undo_list>"
$1606 = 0
$1607 = (UNDO_LIST *) 0x5555556f9f00
$1608 = (struct undo_list *) 0x0
$1609 = 0x5555556fa750 " "
$1610 = "~~~ print_the_history>"
$1611 = 0
$1612 = (HIST_ENTRY *) 0x5555556becd0
$1613 = 0x5555556bed70 "0000"
$1614 = 0
$1615 = (UNDO_LIST *) 0x5555556f9e50
$1616 = (struct undo_list *) 0x5555556fa6f0
$1617 = 0x0
$1618 = 1
$1619 = (struct undo_list *) 0x5555556fa6f0
$1620 = (struct undo_list *) 0x0
$1621 = 0x0
$1622 = 1
$1623 = (HIST_ENTRY *) 0x5555556de940
$1624 = 0x5555556fa7b0 "\340\221oUUU"
$1625 = 0
$1626 = (UNDO_LIST *) 0x5555556f9f00
$1627 = (struct undo_list *) 0x0
$1628 = 0x5555556fa750 " "
$1629 = 2
$1630 = (HIST_ENTRY *) 0x5555556fa2c0
$1631 = 0x5555556f85f0 "0000"
$1632 = 0
$1633 = (UNDO_LIST *) 0x5555556f90e0
$1634 = (struct undo_list *) 0x0
$1635 = 0x0
$1636 = 3
$1637 = (HIST_ENTRY *) 0x5555556f9130
$1638 = 0x5555556fa6d0 "0000"
$1639 = 0
$1640 = (UNDO_LIST *) 0x5555556f90b0
$1641 = (struct undo_list *) 0x0
$1642 = 0x0
#0  rl_do_undo () at ../../../bash-devel/lib/readline/undo.c:177
#1  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#2  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#3  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#4  0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#5  0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#6  0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#7  0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#8  0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#9  0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#10 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#11 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#12 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#13 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7df4535 in __GI_abort () at abort.c:79
#2  0x00007ffff7e4b718 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7ffff7f5629a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff7e51e3a in malloc_printerr (str=str@entry=0x7ffff7f57c00 
"munmap_chunk(): invalid pointer") at malloc.c:5382
#4  0x00007ffff7e523a4 in munmap_chunk (p=<optimized out>) at malloc.c:2830
#5  0x00005555555fb264 in xfree (string=0x5555556fa750) at 
../bash-devel/xmalloc.c:150
#6  0x000055555565017e in rl_do_undo () at 
../../../bash-devel/lib/readline/undo.c:201
#7  0x00005555556504aa in rl_revert_line (count=1, key=0) at 
../../../bash-devel/lib/readline/undo.c:339
#8  0x000055555563320c in readline_internal_teardown (eof=0) at 
../../../bash-devel/lib/readline/readline.c:471
#9  0x00005555556335fd in readline_internal () at 
../../../bash-devel/lib/readline/readline.c:672
#10 0x0000555555633008 in readline (prompt=0x5555556767bc "") at 
../../../bash-devel/lib/readline/readline.c:377
#11 0x000055555560c4cc in edit_line (p=0x5555556767bc "", itext=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
#12 0x000055555560b2b2 in read_builtin (list=0x0) at 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
#13 0x00005555555a3bc5 in execute_builtin (builtin=0x55555560a45d 
<read_builtin>, words=0x5555556c1030, flags=0, subshell=0) at 
../bash-devel/execute_cmd.c:4709
#14 0x00005555555a4ae9 in execute_builtin_or_function (words=0x5555556c1030, 
builtin=0x55555560a45d <read_builtin>, var=0x0, redirects=0x5555556bf720, 
fds_to_close=0x5555556c0cb0, flags=0) at ../bash-devel/execute_cmd.c:5217
#15 0x00005555555a3454 in execute_simple_command 
(simple_command=0x5555556c0b10, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x5555556c0cb0) at ../bash-devel/execute_cmd.c:4478
#16 0x000055555559cd7b in execute_command_internal (command=0x5555556c0ae0, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x5555556c0cb0) at 
../bash-devel/execute_cmd.c:842
#17 0x000055555560324a in parse_and_execute (string=0x5555556c03b0 "EDITOR=: 
PATH= read -e < o", from_file=0x55555565f0f0 "-c", flags=4) at 
../../bash-devel/builtins/evalstring.c:456
#18 0x00005555555845af in run_one_command (command=0x7fffffffe27b "EDITOR=: 
PATH= read -e < o") at ../bash-devel/shell.c:1423
#19 0x0000555555583763 in main (argc=5, argv=0x7fffffffdfd8, 
env=0x7fffffffe008) at ../bash-devel/shell.c:739
-------------------------------------------------------------------------------


dualbus@system76-pc:~/src/dualbus/bash-fuzzing/tmp/tmp$ cat trace_rl_undo.gdb
set pagination off
set logging redirect on
set logging file gdb.txt
set logging overwrite on
set logging on
start

define print_rl_undo_list
    print "~~~ print_rl_undo_list>"
    set $ptr = rl_undo_list
    set $i = 0
    while $ptr
        print $i
        print $ptr
        print $ptr->next
        print $ptr->text
        set $ptr = $ptr->next
        set $i = $i + 1
    end
end

define print_the_history
    print "~~~ print_the_history>"
    set $i = 0
    while the_history && the_history[$i]
        print $i
        print the_history[$i]
        print the_history[$i]->line
        set $ptr = (UNDO_LIST *)the_history[$i]->data
        set $j = 0
        while $ptr
            print $j
            print $ptr
            print $ptr->next
            print $ptr->text
            set $ptr = $ptr->next
            set $j = $j + 1
        end
        set $i = $i + 1
    end
end

break rl_do_undo
command
    print_rl_undo_list
    print_the_history
    backtrace
    continue
end

run
backtrace
set logging off
-------------------------------------------------------------------------------

Same, using ASAN:

debian@debian-fuzz:~/tmp$ ~/build-devel-asan/bash --noprofile --norc -c 
'EDITOR=: PATH= read -e < o'
0
0
/tmp/bash-fc.DOMKK5: line 1: 0: No such file or directory
000
000
/tmp/bash-fc.cide1P: line 1: 000: No such file or directory
0000readline: maximum macro execution nesting level exceeded

=================================================================
==18166==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004468 
at pc 0x561dcf2e01c8 bp 0x7ffe4b6174e0 sp 0x7ffe4b6174d8
READ of size 4 at 0x603000004468 thread T0
    #0 0x561dcf2e01c7 in rl_do_undo ../../../bash-devel/lib/readline/undo.c:188
    #1 0x561dcf2e0c0a in rl_revert_line 
../../../bash-devel/lib/readline/undo.c:339
    #2 0x561dcf296132 in readline_internal_teardown 
../../../bash-devel/lib/readline/readline.c:471
    #3 0x561dcf296740 in readline_internal 
../../../bash-devel/lib/readline/readline.c:672
    #4 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #5 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #6 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #7 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #8 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #9 0x561dcf1471bd in execute_simple_command ../bash-devel/execute_cmd.c:4478
    #10 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #11 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #12 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #13 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #14 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308
    #15 0x561dcf0f8039 in _start (/home/debian/build-devel-asan/bash+0x89039)

0x603000004468 is located 24 bytes inside of 32-byte region 
[0x603000004450,0x603000004470)
freed by thread T0 here:
    #0 0x7f9a51a01b50 in free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x561dcf21f9a1 in xfree ../bash-devel/xmalloc.c:150
    #2 0x561dcf2e09b5 in rl_do_undo ../../../bash-devel/lib/readline/undo.c:267
    #3 0x561dcf2e0d10 in rl_undo_command 
../../../bash-devel/lib/readline/undo.c:358
    #4 0x561dcf297263 in _rl_dispatch_subseq 
../../../bash-devel/lib/readline/readline.c:852
    #5 0x561dcf296e3e in _rl_dispatch 
../../../bash-devel/lib/readline/readline.c:798
    #6 0x561dcf296678 in readline_internal_char 
../../../bash-devel/lib/readline/readline.c:632
    #7 0x561dcf29670d in readline_internal_charloop 
../../../bash-devel/lib/readline/readline.c:659
    #8 0x561dcf29672d in readline_internal 
../../../bash-devel/lib/readline/readline.c:671
    #9 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #10 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #11 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #12 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #13 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #14 0x561dcf1471bd in execute_simple_command 
../bash-devel/execute_cmd.c:4478
    #15 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #16 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #17 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #18 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #19 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f9a51a01ed0 in __interceptor_malloc 
(/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x561dcf21f8e0 in xmalloc ../bash-devel/xmalloc.c:114
    #2 0x561dcf2dfbfe in alloc_undo_entry 
../../../bash-devel/lib/readline/undo.c:77
    #3 0x561dcf2dfd4d in rl_add_undo ../../../bash-devel/lib/readline/undo.c:94
    #4 0x561dcf2e750b in rl_delete_text 
../../../bash-devel/lib/readline/text.c:151
    #5 0x561dcf2dd3ff in rl_kill_text 
../../../bash-devel/lib/readline/kill.c:177
    #6 0x561dcf2de699 in rl_unix_line_discard 
../../../bash-devel/lib/readline/kill.c:388
    #7 0x561dcf297263 in _rl_dispatch_subseq 
../../../bash-devel/lib/readline/readline.c:852
    #8 0x561dcf296e3e in _rl_dispatch 
../../../bash-devel/lib/readline/readline.c:798
    #9 0x561dcf296678 in readline_internal_char 
../../../bash-devel/lib/readline/readline.c:632
    #10 0x561dcf29670d in readline_internal_charloop 
../../../bash-devel/lib/readline/readline.c:659
    #11 0x561dcf29672d in readline_internal 
../../../bash-devel/lib/readline/readline.c:671
    #12 0x561dcf295de4 in readline 
../../../bash-devel/lib/readline/readline.c:377
    #13 0x561dcf24bc58 in edit_line 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:1107
    #14 0x561dcf2480b6 in read_builtin 
../../bash-devel/builtins/../../bash-devel/builtins/read.def:566
    #15 0x561dcf147da4 in execute_builtin ../bash-devel/execute_cmd.c:4709
    #16 0x561dcf149abd in execute_builtin_or_function 
../bash-devel/execute_cmd.c:5217
    #17 0x561dcf1471bd in execute_simple_command 
../bash-devel/execute_cmd.c:4478
    #18 0x561dcf1341df in execute_command_internal 
../bash-devel/execute_cmd.c:842
    #19 0x561dcf232971 in parse_and_execute 
../../bash-devel/builtins/evalstring.c:456
    #20 0x561dcf0faf33 in run_one_command ../bash-devel/shell.c:1423
    #21 0x561dcf0f9490 in main ../bash-devel/shell.c:739
    #22 0x7f9a5174909a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free 
../../../bash-devel/lib/readline/undo.c:188 in rl_do_undo
Shadow bytes around the buggy address:
  0x0c067fff8830: 00 00 05 fa fa fa 00 00 02 fa fa fa 00 00 01 fa
  0x0c067fff8840: fa fa 00 00 07 fa fa fa 00 00 00 03 fa fa 00 00
  0x0c067fff8850: 01 fa fa fa 00 00 00 07 fa fa 00 00 00 05 fa fa
  0x0c067fff8860: 00 00 00 04 fa fa 00 00 06 fa fa fa 00 00 03 fa
  0x0c067fff8870: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
=>0x0c067fff8880: fd fa fa fa fd fd fd fa fa fa fd fd fd[fd]fa fa
  0x0c067fff8890: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff88a0: fa fa 00 00 00 01 fa fa fd fd fd fa fa fa fd fd
  0x0c067fff88b0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff88c0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff88d0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18166==ABORTING
-------------------------------------------------------------------------------

AddressSanitizer: heap-use-after-free on (...) in rl_do_undo ../../../bash-devel/lib/readline/undo.c:188

Reply via email to