Dear Bash Maintainers,
I encountered an issue in Bash and would like to report it. buggyfile.txt is
attached to the email.
Steps to reproduce
$ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure
--without-bash-malloc
$ make
$ cat buggyfile.txt | ./bash --norc
Expected Behaviour
Any error messages without asan ERROR.
Actual Behaviour
==139644==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x502000002c6f at pc 0x55555570f821 bp 0x7fffffff86b0 sp 0x7fffffff86a8
WRITE of size 1 at 0x502000002c6f thread T0
#0 0x55555570f820 in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4034:8
#1 0x555555709f22 in read_token_word
/home/as/projects/bash/up/bash/./parse.y:5623:11
#2 0x555555704a1d in read_token
/home/as/projects/bash/up/bash/./parse.y:3800:12
#3 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
#4 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
#5 0x555555710df1 in parse_comsub
/home/as/projects/bash/up/bash/./parse.y:4538:7
#6 0x5555557102d7 in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4162:16
#7 0x55555570f92a in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4038:13
#8 0x555555710a82 in parse_comsub
/home/as/projects/bash/up/bash/./parse.y:4459:10
#9 0x5555557102d7 in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4162:16
#10 0x55555570f92a in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4038:13
#11 0x555555709f22 in read_token_word
/home/as/projects/bash/up/bash/./parse.y:5623:11
#12 0x555555704a1d in read_token
/home/as/projects/bash/up/bash/./parse.y:3800:12
#13 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
#14 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
#15 0x5555556edd29 in parse_command
/home/as/projects/bash/up/bash/eval.c:369:7
#16 0x5555556ed53e in read_command
/home/as/projects/bash/up/bash/eval.c:414:12
#17 0x5555556ec9ec in reader_loop
/home/as/projects/bash/up/bash/eval.c:147:11
#18 0x5555556e743e in main /home/as/projects/bash/up/bash/shell.c:834:3
#19 0x7ffff7cac249 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#20 0x7ffff7cac304 in __libc_start_main csu/../csu/libc-start.c:360:3
#21 0x555555606aa0 in _start (/home/as/projects/bash/up/bash/bash+0xb2aa0)
(BuildId: 16b425f5efb062532db7a8ae08572047f3ce1b45)
0x502000002c6f is located 1 bytes before 10-byte region
[0x502000002c70,0x502000002c7a)
allocated by thread T0 here:
#0 0x5555556a5d3f in malloc (/home/as/projects/bash/up/bash/bash+0x151d3f)
(BuildId: 16b425f5efb062532db7a8ae08572047f3ce1b45)
#1 0x555555858fd7 in xrealloc /home/as/projects/bash/up/bash/xmalloc.c:123:47
#2 0x55555570f7c0 in parse_matched_pair
/home/as/projects/bash/up/bash/./parse.y:4034:8
#3 0x555555709f22 in read_token_word
/home/as/projects/bash/up/bash/./parse.y:5623:11
#4 0x555555704a1d in read_token
/home/as/projects/bash/up/bash/./parse.y:3800:12
#5 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3067:19
#6 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
#7 0x5555556edd29 in parse_command
/home/as/projects/bash/up/bash/eval.c:369:7
#8 0x5555556ed53e in read_command
/home/as/projects/bash/up/bash/eval.c:414:12
#9 0x5555556ec9ec in reader_loop /home/as/projects/bash/up/bash/eval.c:147:11
#10 0x5555556e743e in main /home/as/projects/bash/up/bash/shell.c:834:3
#11 0x7ffff7cac249 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/as/projects/bash/up/bash/./parse.y:4034:8 in parse_matched_pair
Shadow bytes around the buggy address:
0x502000002980: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x502000002a00: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x502000002a80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x502000002b00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x502000002b80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x502000002c00: fa fa fd fa fa fa 01 fa fa fa fd fa fa[fa]00 02
0x502000002c80: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa fd fd
0x502000002d00: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 07 fa
0x502000002d80: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fa
0x502000002e00: fa fa 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000002e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==139644==ABORTING
Additional Notes
The reason of the fault is push_delimiter (dstack, ch) incorrect macros:
do \
{ \
if (ds.delimiter_depth + 2 > ds.delimiter_space) \
ds.delimiters = (char *)xrealloc \
(ds.delimiters, (ds.delimiter_space += 10) * sizeof (char)); \
--> ds.delimiters[ds.delimiter_depth] = character; \ // place when write
element with -1 index of dstack array (ds.delimiter_space == -1)
ds.delimiter_depth++; \
} \
while (0)
Suggested Solution
Add extra check in conditional statement:
do \
{ \
if (ds.delimiter_depth + 2 > ds.delimiter_space) \
ds.delimiters = (char *)xrealloc \
(ds.delimiters, (ds.delimiter_space += 10) * sizeof (char)); \
if (ds.delimiter_space < 0) { continue; }\ //added extra check
ds.delimiters[ds.delimiter_depth] = character; \
ds.delimiter_depth++; \
} \
while (0)
Bash Version
as@astra:~/projects/bash/up/bash$ ./bashversion
5.3.0(1)-rc1
Also, the behaviour is repeating on release bash 5.2 version.
System Info
Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23
09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.1
(++20241001124028+d401987fe349-1~exp1~20241001124040.50)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
Attached file you can download from https://dropmefiles.com/ktqdN. Or just see
attaches to the message.
#!/bin/sh -
#
# bashbug - create a bug report and mail it to the bug address
#
# The bug address depends on the release status of the shell. Versions
# with status `devel', `alpha', `beta', or `rc' mail bug reports to
# [email protected] and, optionally, to [email protected].
# Other versions send mail to [email protected].
#
# Copyright (C) 1996-2021 Free Software Foundation, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# configuration section:
# these variables are filled in by the make target in Makefile
#
MACHINE="x86_64"
OS="linux-gnu"
CC="clang-19"
CFLAGS="-fsanitize=address -g -O0"
RELEASE="5.3"
PATCHLEVEL="0"
RELSTATUS="rc1"
MACHTYPE="x86_64-pc-linux-gnu"
PATH=/bin:/usr/bin:/usr/local/bin:$PATH
export PATH
# Check if TMPDIR is set, default to /tmp
: ${TMPDIR:=/tmp}
#Securely create a temporary directory for the temporary files
TEMPDIR=$TMPDIR/bbug.$$
(umask 077 && mkdir "$TEMPDIR") || {
echo "$0: could not create temporary directory" >&2
exit 1
}
TEMPFILE1=$TEMPDIR/bbug1
TEMPFILE2=$TEMPDIR/bbug2
USAGE="Usage: $0 [--help] [--version] [bug-report-email-address]"
VERSTR="GNU bashbug, version ${RELEASE}.${PATCHLEVEL}-${RELSTATUS}"
do_help= do_version=
while [ $# -gt 0 ]; do
case "$1" in
--help) shift ; do_help=y ;;
--version) shift ; do_version=y ;;
--) shift ; break ;;
-*) echo "bashbug: ${1}: invalid option" >&2
echo "$USAGE" >&2
exit 2 ;;
*) break ;;
esac
done
if [ -n "$do_version" ]; then
echo "${VERSTR}"
exit 0
fi
if [ -n "$do_help" ]; then
echo "${VERSTR}"
echo "${USAGE}"
echo
cat << HERE_EOF
Bashbug is used to send mail to the Bash maintainers
for when Bash doesn't behave like you'd like, or expect.
Bashbug will start up your editor (as defined by the shell's
EDITOR environment variable) with a preformatted bug report
template for you to fill in. The report will be mailed to the
bug-bash mailing list by default. See the manual for details.
If you invoke bashbug by accident, just quit your editor without
saving any changes to the template, and no bug report will be sent.
HERE_EOF
exit 0
fi
# Figure out how to echo a string without a trailing newline
N=`echo 'hi there\c'`
case "$N" in
*c) n=-n c= ;;
*) n= c='\c' ;;
esac
BASHTESTERS="[email protected]"
case "$RELSTATUS" in
alpha*|beta*|devel*|rc*) [email protected] ;;
*) [email protected] ;;
esac
case "$RELSTATUS" in
alpha*|beta*|devel*|rc*)
echo "$0: This is a testing release. Would you like your bug
report"
echo "$0: to be sent to the bash-testers mailing list?"
echo $n "$0: Send to bash-testers? $c"
read ans
case "$ans" in
y*|Y*) BUGBASH="${BUGBASH},${BASHTESTERS}" ;;
esac ;;
esac
BUGADDR="${1-$BUGBASH}"
if [ -z "$DEFEDITOR" ] && [ -z "$EDITOR" ]; then
if [ -x /usr/bin/editor ]; then
DEFEDITOR=editor
elif [ -x /usr/local/bin/ce ]; then
DEFEDITOR=ce
elif [ -x /usr/local/bin/emacs ]; then
DEFEDITOR=emacs
elif [ -x /usr/contrib/bin/emacs ]; then
DEFEDITOR=emacs
elif [ -x /usr/bin/emacs ]; then
DEFEDITOR=emacs
elif [ -x /usr/bin/xemacs ]; then
DEFEDITOR=xemacs
elif [ -x /usr/bin/vim ]; then
DEFEDITOR=vim
elif [ -x /usr/bin/gvim ]; then
DEFEDITOR=gvim
elif [ -x /usr/bin/nano ]; then
DEFEDITOR=nano
elif [ -x /usr/contrib/bin/jove ]; then
DEFEDITOR=jove
elif [ -x /usr/local/bin/jove ]; then
DEFEDITOR=jove
elif [ -x /usr/bin/vi ]; then
DEFEDITOR=vi
else
echo "$0: No default editor found: attempting to use vi" >&2
DEFEDITOR=vi
fi
fi
: ${EDITOR=$DEFEDITOR}
: ${USER=${LOGNAME-`whoami`}}
trap 'rm -rf "$TEMPDIR"; exit 1' 1 2 3 13 15
trap 'rm -rf "$TEMPDIR"' 0
UN=
if (uname) >/dev/null 2>&1; then
UN=`uname -a`
fi
if [ -f /usr/lib/sendmail ] ; then
RMAIL="/usr/lib/sendmail"
SMARGS="-i -t"
elif [ -f /usr/sbin/sendmail ] ; then
RMAIL="/usr/sbin/sendmail"
SMARGS="-i -t"
else
RMAIL=rmail
SMARGS="$BUGADDR"
fi
INITIAL_SUBJECT='[50 character or so descriptive subject here (for reference)]'
cat > "$TEMPFILE1" <<EOF
From: ${USER}
To: ${BUGADDR}
Subject: ${INITIAL_SUBJECT}
Configuration Information [Automatically generated, do not change]:
Machine: $MACHINE
OS: $OS
Compiler: $CC
Compilation CFLAGS: $CFLAGS
uname output: $UN
Machine Type: $MACHTYPE
Bash Version: $RELEASE
Patch Level: $PATCHLEVEL
Release Status: $RELSTATUS
Description:
[Detailed description of the problem, suggestion, or complaint.]
Repeat-By:
[Describe the sequence of events that causes the problem
to occur.]
Fix:
[Description of how to fix the problem. If you don't know a
fix for the problem, don't include this section.]
EOF
cp "$TEMPFILE1" "$TEMPFILE2"
chmod u+w "$TEMPFILE1"
trap '' 2 # ignore interrupts while in editor
edstat=1
while [ $edstat -ne 0 ]; do
$EDITOR "$TEMPFILE1"
edstat=$?
if [ $edstat -ne 0 ]; then
echo "$0: editor \`$EDITOR' exited with nonzero status."
echo "$0: Perhaps it was interrupted."
echo "$0: Type \`y' to give up, and lose your bug report;"
echo "$0: type \`n' to re-enter the editor."
echo $n "$0: Do you want to give up? $c"
read ans
case "$ans" in
[Yy]*) exit 1 ;;
esac
continue
fi
# find the subject from the temp file and see if it's been changed
CURR_SUB=`grep '^Subject: ' "$TEMPFILE1" | sed 's|^Subject:[ ]*||' |
sed 1q`
case "$CURR_SUB" in
"${INITIAL_SUBJECT}")
echo
echo "$0: You have not changed the subject from the default."
echo "$0: Please use a more descriptive subject header."
echo "$0: Type \`y' to give up, and lose your bug report;"
echo "$0: type \`n' to re-enter the editor."
echo $n "$0: Do you want to give up? $c"
read ans
case "$ans" in
[Yy]*) exit 1 ;;
esac
echo "$0: The editor will be restarted in five seconds."
sleep 5
edstat=1
;;
esac
done
trap 'rm -rf "$TEMPDIR"; exit 1' 2 # restore trap on SIGINT
if cmp -s "$TEMPFILE1" "$TEMPFILE2"
then
echo "File not changed, no bug report submitted."
exit
fi
echo $n "Send bug report to ${BUGADDR}? [y/n] $c"
read ans
case "$ans" in
[Nn]*) exit 0 ;;
esac
${RMAIL} $SMARGS < "$TEMPFILE1" || {
cat "$TEMPFILE1" >> $HOME/dead.bashbug
echo "$0: mail to ${BUGADDR} failed: report saved in
$HOME/dead.bashbug" >&2
echo "$0: please send it manually to ${BUGADDR}" >&2
}
exit 0
