Configuration Information:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall
uname output: Linux koltir-Default-string 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.1
Patch Level: 16
Release Status: release

Hi! I was fuzzing bash with AFL++ and found a heap use-after-free in the remove_pattern function.

Description:

==9182==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001af0 at pc 0x562bb4595ca5 bp 0x7ffc5bf18450 sp 0x7ffc5bf18440
READ of size 1 at 0x602000001af0 thread T0
    #0 0x562bb4595ca4 in remove_pattern /root/bash/subst.c:4706
    #1 0x562bb45991d1 in parameter_brace_remove_pattern /root/bash/subst.c:5312
    #2 0x562bb45b0bdc in parameter_brace_expand /root/bash/subst.c:9336
    #3 0x562bb45b24af in param_expand /root/bash/subst.c:9764
    #4 0x562bb45b5c2b in expand_word_internal /root/bash/subst.c:10329
    #5 0x562bb45b8357 in expand_word_internal /root/bash/subst.c:10513
    #6 0x562bb45bf795 in shell_expand_word_list /root/bash/subst.c:11890
    #7 0x562bb45bfeb9 in expand_word_list_internal /root/bash/subst.c:12014
    #8 0x562bb45bc796 in expand_words /root/bash/subst.c:11357
    #9 0x562bb453c81f in execute_simple_command /root/bash/execute_cmd.c:4381
    #10 0x562bb4529fa8 in execute_command_internal /root/bash/execute_cmd.c:846
    #11 0x562bb4528646 in execute_command /root/bash/execute_cmd.c:395
    #12 0x562bb44f582f in reader_loop /root/bash/eval.c:170
    #13 0x562bb44f069a in main /root/bash/shell.c:811
    #14 0x7f4fa525ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #15 0x7f4fa525ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #16 0x562bb44ef064 in _start (/root/bash/bash+0x8f064)

Repeat-By:

1. Build bash with AddressSanitizer.
2. Run it with the AFL++-crafted input (in the attachment).

Kind regards,
Ivan Kapranov.
Attachment: id:000000,sig:06,src:004686,time:5595334,execs:1662092,op:MOpt_core_havoc,rep:2 (binary data)
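The two "Repeat-By" steps, carried through as a small triage script. This is an added example, not part of the report above and not bash's own code: it builds bash with AddressSanitizer, runs each AFL++ crash file through the instrumented binary, and reduces every ASan report to its error kind plus top frame so duplicates of one bug land in the same bucket. The build helper, the BASH_SRC and CRASH_DIR variables, and the SAMPLE_REPORT string (constructed by cutting down the trace above) are assumptions made for the example.

```shell
#!/bin/sh
# Triage helper for AFL++ crash files against an ASan build of bash.
# Added example: not part of the bug report or of bash itself.
# Assumed inputs: BASH_SRC (bash source tree), CRASH_DIR (AFL++ crashes dir).

set -u

# Build bash with AddressSanitizer. --without-bash-malloc makes bash use the
# system malloc, so ASan sees every heap access instead of bash's own arena;
# -O1 and frame pointers keep the stack trace readable.
# Assumed helper: needs a source tree and a compiler, so the demo does not run it.
build_bash_asan() {
    src="$1"
    ( cd "$src" \
      && ./configure --without-bash-malloc \
            CFLAGS="-g -O1 -fno-omit-frame-pointer -fsanitize=address" \
            LDFLAGS="-fsanitize=address" \
      && make -j"$(nproc 2>/dev/null || echo 2)" )
}

# Reduce an ASan report (passed as one string) to "<error-kind> <function> <file:line>"
# taken from the first "#0" frame, or "no-asan-report" if ASan said nothing.
summarize_asan() {
    printf '%s\n' "$1" | awk '
        /ERROR: AddressSanitizer:/ && kind == ""        { kind = $3 }
        /^[[:space:]]*#0[[:space:]]/ && frame == ""     { frame = $4 " " $5 }
        END {
            if (kind == "") print "no-asan-report"
            else print kind " " frame
        }'
}

# Run one crash file as a script under the ASan bash and summarise what ASan
# reported. ASan writes to stderr, which is what gets captured here.
run_one() {
    bin="$1"; input="$2"
    report=$("$bin" "$input" 2>&1 >/dev/null || true)
    summarize_asan "$report"
}

# Bucket every crash file by its ASan signature; sorted output groups duplicates.
triage_dir() {
    bin="$1"; dir="$2"
    for f in "$dir"/id:*; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(run_one "$bin" "$f")" "$f"
    done | sort
}

# Constructed sample, cut down from the report above, so the parser can be
# exercised without building anything.
SAMPLE_REPORT='==9182==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001af0 at pc 0x562bb4595ca5 bp 0x7ffc5bf18450 sp 0x7ffc5bf18440
READ of size 1 at 0x602000001af0 thread T0
    #0 0x562bb4595ca4 in remove_pattern /root/bash/subst.c:4706
    #1 0x562bb45991d1 in parameter_brace_remove_pattern /root/bash/subst.c:5312
    #2 0x562bb45b0bdc in parameter_brace_expand /root/bash/subst.c:9336'

case "${1:-}" in
    demo)   summarize_asan "$SAMPLE_REPORT" ;;
    build)  build_bash_asan "${BASH_SRC:?set BASH_SRC to the bash source tree}" ;;
    triage) triage_dir "${BASH_SRC:?set BASH_SRC}/bash" \
                       "${CRASH_DIR:?set CRASH_DIR to the AFL++ crashes dir}" ;;
esac
```

Run `sh triage.sh build` once, then `sh triage.sh triage`; each output line is the bucket key followed by the crash file. Bucketing on the first frame alone is deliberately coarse: a use-after-free is identified by the freed object, not by the reader, so two keys that differ only in the reading frame may still be one bug, and the "freed by" stack in the full report is what to compare next.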