On Thu, Sep 4, 2025 at 12:05 PM Chet Ramey <[email protected]> wrote:
>
> Well, definitely a few. Thanks for the report. If you find other places
> where signals cause data to be freed, please report them as well.

Sure, a couple of variations on the recent reports:

- SIGINT after writing the readstr prompt (before any string input).

    strace -e fd=2 -e write --inject=write:signal=INT:when=1 -Z \
        -E PS1= -E INPUTRC=/ -E ASAN_OPTIONS=detect_leaks=0 \
        ./bash --norc -in <<< $'\exundo'

    write(2, "!", 1)                        = ? ERESTARTSYS
    --- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
    text.c:2067:12: runtime error: member access within null pointer
        of type '_rl_readstr_cxt' (aka 'struct __rl_readstr_context')
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior text.c:2067:12
    text.c:2067:12: runtime error: load of null pointer of type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior text.c:2067:12
    --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---

- RL_CHECK_SIGNALS from rl_read_key().
  I'm not sure why this specific input triggers the issue, but it happens
  when the input is the bracketed paste prefix (except that it can be
  terminated by any character, not only by `~'), followed by one more key,
  followed by an empty read.

    strace -e fd=0 -e read --inject=read:signal=INT:when=9 \
        -E PS1= -E INPUTRC=/ -E ASAN_OPTIONS=detect_leaks=0 \
        ./bash --norc -in <<< $'\cR\e[200X'

    read(0, "\22", 1)                       = 1
    (reverse-i-search)`': read(0, "\33", 1)                       = 1
    read(0, "[", 1)                         = 1
    read(0, "2", 1)                         = 1
    read(0, "0", 1)                         = 1
    read(0, "0", 1)                         = 1
    read(0, "X", 1)                         = 1
    read(0, "\n", 1)                        = 1
    read(0, "", 1)                          = 0
    --- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
    --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=123, si_uid=1000} ---

    =================================================================
    ==123==ERROR: AddressSanitizer: heap-use-after-free ...
    READ of size 4 at 0xf2861f7e0320 thread T0
        # 0 0xb8b02ee63170 in _rl_isearch_dispatch isearch.c:718:16
        # 1 0xb8b02ee57770 in rl_search_history isearch.c:937:11
        # 2 0xb8b02ee57428 in rl_reverse_search_history isearch.c:135:11

    freed by thread T0 here:
        # 2 0xb8b02ee573b8 in _rl_scxt_dispose isearch.c:127:3
        # 3 0xb8b02ee6c748 in _rl_isearch_cleanup isearch.c:907:3
        # 4 0xb8b02eea0384 in _rl_state_sigcleanup signals.c:599:5
        # 5 0xb8b02eea04c8 in rl_free_line_state signals.c:616:5
        # 6 0xb8b02ee9e894 in _rl_handle_signal signals.c:221:7
        # 7 0xb8b02ee9e5a8 in _rl_signal_handler signals.c:152:5
        # 8 0xb8b02eeb8f84 in rl_read_key input.c:834:8
        # 9 0xb8b02eeac5c8 in _rl_bracketed_text kill.c:719:15
        #10 0xb8b02ee62fb0 in _rl_isearch_dispatch isearch.c:710:15
        #11 0xb8b02ee57770 in rl_search_history isearch.c:937:11
        #12 0xb8b02ee57428 in rl_reverse_search_history isearch.c:135:11
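Both traces above share one shape: the deferred signal handling that runs from inside a key read (rl_free_line_state via RL_CHECK_SIGNALS) frees the active context while the dispatch routine further up the stack still holds a pointer to it. The C sketch below is an added illustration of that hazard and one mitigation, not readline's or bash's own code; the struct, function names, "key < 0 means interrupted read" encoding and sample key sequences are all constructed for the example. The point it makes is that the check point must report that it tore state down, and the caller must stop touching the context once it has.

```c
#include <signal.h>
#include <stdlib.h>
/* Hypothetical search context standing in for readline's isearch context
   (constructed for this example, not readline's own code). */
struct search_cxt { int lastc; };
static struct search_cxt *active_cxt;        /* owned by run_search() */
static volatile sig_atomic_t caught_signal;  /* written only by the handler */

/* The handler only records the signal; all real work is deferred. */
static void on_signal(int sig) { caught_signal = sig; }
/* Analog of rl_free_line_state(); idempotent so a late cleanup cannot double free. */
static void free_line_state(void) {
    if (!active_cxt) return;
    free(active_cxt);
    active_cxt = NULL;
}

/* Analog of RL_CHECK_SIGNALS: deferred handling outside the handler.
   Returns nonzero when cleanup ran, so callers learn the state is gone. */
static int check_signals(void) {
    if (!caught_signal) return 0;
    caught_signal = 0;
    free_line_state();
    return 1;
}
/* Simulated rl_read_key(): key < 0 models a read interrupted by SIGINT
   (what strace --inject produces); the check point runs right after it. */
static int read_key(int key) {
    if (key < 0) raise(SIGINT);
    return check_signals() ? -1 : key;
}
/* Hardened dispatch: once read_key() reports that deferred cleanup ran,
   cxt is dangling and must not be touched. Returns the key or -1. */
static int search_dispatch(struct search_cxt *cxt, int key) {
    int c = read_key(key);
    if (c < 0) return -1;
    return cxt->lastc = c;
}
/* Feeds a constructed key sequence through the search loop and returns how
   many keys were consumed before an interrupt tore the state down. */
static int run_search(const int *keys, int n) {
    int i;
    signal(SIGINT, on_signal);
    active_cxt = calloc(1, sizeof *active_cxt);
    for (i = 0; i < n; i++)
        if (search_dispatch(active_cxt, keys[i]) < 0) break;
    free_line_state();
    return i;
}
```

Without the `c < 0` bail-out in search_dispatch, the interrupted case would write through the freed context exactly as the heap-use-after-free report above shows.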
