random.c:79

Sam James Fri, 06 Jan 2023 17:38:16 -0800

Hi folks,

I'm currently testing common Linux userland with UndefinedBehaviorSanitizer 
(UBSAN, -fsanitize=undefined).


With Bash 5.2_p15, I get the following with this script:
```
$ cat /tmp/guess_suffix
guess_suffix() {
        tmpdir="${TMPDIR}"/.ecompress$$.${RANDOM}
}
guess_suffix
```

It seems easier to trigger if I run it as an external script rather than as a 
function in an interactive
shell.

```
$ export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
$ bash -x /tmp/guess_suffix
+ guess_suffix
random.c:79:21: runtime error: signed integer overflow: 31789 * 127773 cannot 
be represented in type 'int'
    #0 0x559791a301ce in intrand32 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/lib/sh/random.c:79
    #1 0x559791a301ce in brand 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/lib/sh/random.c:106
    #2 0x5597918cde5c in get_random_number 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/variables.c:1436
    #3 0x5597918cde5c in get_random 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/variables.c:1448
    #4 0x5597918d0021 in find_variable 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/variables.c:2425
    #5 0x55979194a881 in parameter_brace_expand_word 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:7514
    #6 0x559791939783 in parameter_brace_expand 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:9845
    #7 0x559791939783 in param_expand 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:10538
    #8 0x559791941732 in expand_word_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:11236
    #9 0x5597919487b8 in call_expand_word_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:4325
    #10 0x5597919487b8 in expand_string_assignment 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:4423
    #11 0x559791935c27 in expand_string_if_necessary 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:3855
    #12 0x5597919365c3 in do_assignment_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:3587
    #13 0x55979190e40b in do_assignment_statements 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:12898
    #14 0x559791952269 in expand_word_list_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:12978
    #15 0x559791952269 in expand_words 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/subst.c:12280
    #16 0x5597918be644 in execute_simple_command 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:4506
    #17 0x5597918be644 in execute_command_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:866
    #18 0x5597918bce56 in execute_command_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:1033
    #19 0x5597918c5e7b in execute_function 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:5242
    #20 0x5597918bf4d4 in execute_builtin_or_function 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:5487
    #21 0x5597918bf4d4 in execute_simple_command 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:4737
    #22 0x5597918bf4d4 in execute_command_internal 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:866
    #23 0x5597918c13bb in execute_command 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/execute_cmd.c:413
    #24 0x559791879fac in reader_loop 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/eval.c:171
    #25 0x559791877463 in main 
/usr/src/debug/app-shells/bash-5.2_p15/bash-5.2/shell.c:833
    #26 0x7f3c001c5289  (/usr/lib64/libc.so.6+0x23289)
    #27 0x7f3c001c5344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #28 0x559791878590 in _start (/usr/bin/bash.self+0x13e590)
```

This is on x86_64-pc-linux-gnu with GCC 13.0.0_pre20230101.

Best,
sam

signature.asc
Description: Message signed with OpenPGP

UBSAN error in lib/sh/random.c:79

Reply via email to