Re: [PATCH] _rl_isearch_cleanup: avoid nested execution

penguin p Sun, 17 Aug 2025 20:09:15 -0700

>
> The following change should fix this.
> ---
> Ref: https://lists.gnu.org/archive/html/bug-bash/2025-08/msg00080.html
>
>  lib/readline/isearch.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/lib/readline/isearch.c b/lib/readline/isearch.c
> index 241e2ee0..104835d9 100644
> --- a/lib/readline/isearch.c
> +++ b/lib/readline/isearch.c
> @@ -910,13 +910,15 @@ opcode_dispatch:
>  int
>  _rl_isearch_cleanup (_rl_search_cxt *cxt, int r)
>  {
> +  /* Unset RL_STATE_ISEARCH now to avoid _rl_state_sigcleanup calling us if a
> +     signal is received while _rl_isearch_fini is calling rl_clear_message */
> +  RL_UNSETSTATE(RL_STATE_ISEARCH);
> +
>    if (r >= 0)
>      _rl_isearch_fini (cxt);
>    _rl_scxt_dispose (cxt, 0);
>    _rl_iscxt = 0;
>
> -  RL_UNSETSTATE(RL_STATE_ISEARCH);
> -
>    return (r != 0);
>  }
>


I’ve applied your patch and tried again. Now it does this

```
This is workbench@ArchLinux: ~/works/bash
$ ^C
This is workbench@ArchLinux: ~/works/bash
$ ^C
This is workbench@ArchLinux: ~/works/bash
=================================================================
==1027392==ERROR: AddressSanitizer: heap-use-after-free on address 
0x7c8e067e262c at pc 0x55f22402f88c bp 0x7ffe259e3790 sp 0x7ffe259e3780
WRITE of size 4 at 0x7c8e067e262c thread T0
    #0 0x55f22402f88b in _rl_search_getchar 
/home/arch/works/bash/lib/readline/isearch.c:322
    #1 0x55f224035621 in rl_search_history 
/home/arch/works/bash/lib/readline/isearch.c:927
    #2 0x55f22402e86d in rl_reverse_search_history 
/home/arch/works/bash/lib/readline/isearch.c:135
    #3 0x55f223ffdc6a in _rl_dispatch_subseq 
/home/arch/works/bash/lib/readline/readline.c:941
    #4 0x55f223ffd812 in _rl_dispatch 
/home/arch/works/bash/lib/readline/readline.c:876
    #5 0x55f223ffccbc in readline_internal_char 
/home/arch/works/bash/lib/readline/readline.c:690
    #6 0x55f223ffd0e0 in readline_internal_charloop 
/home/arch/works/bash/lib/readline/readline.c:737
    #7 0x55f223ffd100 in readline_internal 
/home/arch/works/bash/lib/readline/readline.c:749
    #8 0x55f223ffc059 in readline 
/home/arch/works/bash/lib/readline/readline.c:387
    #9 0x55f223e30142 in yy_readline_get 
/usr/local/src/chet/src/bash/src/parse.y:1680
    #10 0x55f223e2ffa0 in yy_getc /usr/local/src/chet/src/bash/src/parse.y:1610
    #11 0x55f223e327fe in shell_getc 
/usr/local/src/chet/src/bash/src/parse.y:2551
    #12 0x55f223e36256 in read_token 
/usr/local/src/chet/src/bash/src/parse.y:3612
    #13 0x55f223e34a04 in yylex /usr/local/src/chet/src/bash/src/parse.y:3078
    #14 0x55f223e26882 in yyparse /home/arch/works/bash/y.tab.c:1912
    #15 0x55f223e25d81 in parse_command /home/arch/works/bash/eval.c:369
    #16 0x55f223e2601f in read_command /home/arch/works/bash/eval.c:414
    #17 0x55f223e24921 in reader_loop /home/arch/works/bash/eval.c:147
    #18 0x55f223e1f9a8 in main /home/arch/works/bash/shell.c:834
    #19 0x7f9e07a27674  (/usr/lib/libc.so.6+0x27674) (BuildId: 
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #20 0x7f9e07a27728 in __libc_start_main (/usr/lib/libc.so.6+0x27728) 
(BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #21 0x55f223e1e0f4 in _start (/home/arch/works/bash/bash+0x970f4) (BuildId: 
cabc36c73ce45591bb91e5488fe26f4482eaa77e)

0x7c8e067e262c is located 108 bytes inside of 168-byte region 
[0x7c8e067e25c0,0x7c8e067e2668)
freed by thread T0 here:
    #0 0x7f9e07f1f79d in free 
/usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x55f223f6e390 in xfree /home/arch/works/bash/xmalloc.c:153
    #2 0x55f22402e849 in _rl_scxt_dispose 
/home/arch/works/bash/lib/readline/isearch.c:127
    #3 0x55f2240354ea in _rl_isearch_cleanup 
/home/arch/works/bash/lib/readline/isearch.c:898
    #4 0x55f224048a96 in _rl_state_sigcleanup 
/home/arch/works/bash/lib/readline/signals.c:599
    #5 0x55f224048bbd in rl_free_line_state 
/home/arch/works/bash/lib/readline/signals.c:616
    #6 0x55f2240479db in _rl_handle_signal 
/home/arch/works/bash/lib/readline/signals.c:221
    #7 0x55f224047815 in _rl_signal_handler 
/home/arch/works/bash/lib/readline/signals.c:152
    #8 0x55f224052c7b in rl_read_key 
/home/arch/works/bash/lib/readline/input.c:825
    #9 0x55f22402f84d in _rl_search_getchar 
/home/arch/works/bash/lib/readline/isearch.c:322
    #10 0x55f224035621 in rl_search_history 
/home/arch/works/bash/lib/readline/isearch.c:927
    #11 0x55f22402e86d in rl_reverse_search_history 
/home/arch/works/bash/lib/readline/isearch.c:135
    #12 0x55f223ffdc6a in _rl_dispatch_subseq 
/home/arch/works/bash/lib/readline/readline.c:941
    #13 0x55f223ffd812 in _rl_dispatch 
/home/arch/works/bash/lib/readline/readline.c:876
    #14 0x55f223ffccbc in readline_internal_char 
/home/arch/works/bash/lib/readline/readline.c:690
    #15 0x55f223ffd0e0 in readline_internal_charloop 
/home/arch/works/bash/lib/readline/readline.c:737
    #16 0x55f223ffd100 in readline_internal 
/home/arch/works/bash/lib/readline/readline.c:749
    #17 0x55f223ffc059 in readline 
/home/arch/works/bash/lib/readline/readline.c:387
    #18 0x55f223e30142 in yy_readline_get 
/usr/local/src/chet/src/bash/src/parse.y:1680
    #19 0x55f223e2ffa0 in yy_getc /usr/local/src/chet/src/bash/src/parse.y:1610
    #20 0x55f223e327fe in shell_getc 
/usr/local/src/chet/src/bash/src/parse.y:2551
    #21 0x55f223e36256 in read_token 
/usr/local/src/chet/src/bash/src/parse.y:3612
    #22 0x55f223e34a04 in yylex /usr/local/src/chet/src/bash/src/parse.y:3078
    #23 0x55f223e26882 in yyparse /home/arch/works/bash/y.tab.c:1912
    #24 0x55f223e25d81 in parse_command /home/arch/works/bash/eval.c:369
    #25 0x55f223e2601f in read_command /home/arch/works/bash/eval.c:414
    #26 0x55f223e24921 in reader_loop /home/arch/works/bash/eval.c:147
    #27 0x55f223e1f9a8 in main /home/arch/works/bash/shell.c:834
    #28 0x7f9e07a27674  (/usr/lib/libc.so.6+0x27674) (BuildId: 
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #29 0x7f9e07a27728 in __libc_start_main (/usr/lib/libc.so.6+0x27728) 
(BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)

previously allocated by thread T0 here:
    #0 0x7f9e07f20cb5 in malloc 
/usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x55f223f6e15c in xmalloc /home/arch/works/bash/xmalloc.c:104
    #2 0x55f22402e0b9 in _rl_scxt_alloc 
/home/arch/works/bash/lib/readline/isearch.c:84
    #3 0x55f22402eac6 in _rl_isearch_init 
/home/arch/works/bash/lib/readline/isearch.c:212
    #4 0x55f22403554d in rl_search_history 
/home/arch/works/bash/lib/readline/isearch.c:915
    #5 0x55f22402e86d in rl_reverse_search_history 
/home/arch/works/bash/lib/readline/isearch.c:135
    #6 0x55f223ffdc6a in _rl_dispatch_subseq 
/home/arch/works/bash/lib/readline/readline.c:941
    #7 0x55f223ffd812 in _rl_dispatch 
/home/arch/works/bash/lib/readline/readline.c:876
    #8 0x55f223ffccbc in readline_internal_char 
/home/arch/works/bash/lib/readline/readline.c:690
    #9 0x55f223ffd0e0 in readline_internal_charloop 
/home/arch/works/bash/lib/readline/readline.c:737
    #10 0x55f223ffd100 in readline_internal 
/home/arch/works/bash/lib/readline/readline.c:749
    #11 0x55f223ffc059 in readline 
/home/arch/works/bash/lib/readline/readline.c:387
    #12 0x55f223e30142 in yy_readline_get 
/usr/local/src/chet/src/bash/src/parse.y:1680
    #13 0x55f223e2ffa0 in yy_getc /usr/local/src/chet/src/bash/src/parse.y:1610
    #14 0x55f223e327fe in shell_getc 
/usr/local/src/chet/src/bash/src/parse.y:2551
    #15 0x55f223e36256 in read_token 
/usr/local/src/chet/src/bash/src/parse.y:3612
    #16 0x55f223e34a04 in yylex /usr/local/src/chet/src/bash/src/parse.y:3078
    #17 0x55f223e26882 in yyparse /home/arch/works/bash/y.tab.c:1912
    #18 0x55f223e25d81 in parse_command /home/arch/works/bash/eval.c:369
    #19 0x55f223e2601f in read_command /home/arch/works/bash/eval.c:414
    #20 0x55f223e24921 in reader_loop /home/arch/works/bash/eval.c:147
    #21 0x55f223e1f9a8 in main /home/arch/works/bash/shell.c:834
    #22 0x7f9e07a27674  (/usr/lib/libc.so.6+0x27674) (BuildId: 
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #23 0x7f9e07a27728 in __libc_start_main (/usr/lib/libc.so.6+0x27728) 
(BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #24 0x55f223e1e0f4 in _start (/home/arch/works/bash/bash+0x970f4) (BuildId: 
cabc36c73ce45591bb91e5488fe26f4482eaa77e)

SUMMARY: AddressSanitizer: heap-use-after-free 
/home/arch/works/bash/lib/readline/isearch.c:322 in _rl_search_getchar
Shadow bytes around the buggy address:
  0x7c8e067e2380: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x7c8e067e2400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7c8e067e2480: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x7c8e067e2500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x7c8e067e2580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x7c8e067e2600: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa fa fa
  0x7c8e067e2680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c8e067e2700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c8e067e2780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c8e067e2800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7c8e067e2880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1027392==ABORTING

```

Re: [PATCH] _rl_isearch_cleanup: avoid nested execution

Reply via email to