Re: Heap-buffer-overflow in read_token_word() when read element with -1 index
On 4/23/25 1:37 PM, Grisha Levit wrote:
> On Wed, Apr 23, 2025, 11:40 Chet Ramey wrote:
>> On 4/23/25 11:30 AM, Александр Ушаков wrote:
>>> I encountered an issue in Bash and would like to report it. buggyfile.txt is attached to the email.
>>>
>>> Steps to reproduce
>>>
>>> $ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
>>> $ make
>>> $ cat crash1.txt | ./bash --norc --noediting -i
>>
>> I get no asan errors when running that file against the current bash devel branch and bash-5.3-rc1.
>
> I think the attachment has incorrect line endings, here's what I believe is a simplified reproducer:
>
> bash --norc -in -o posix <<< $':\n"\n"$(!!'

Thanks for the reproducer; that made it easy to find.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
Heap-buffer-overflow in read_token_word() when read element with -1 index
Dear Bash Maintainers,

I encountered an issue in Bash and would like to report it. buggyfile.txt is attached to the email.

Steps to reproduce

$ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
$ make
$ cat crash1.txt | ./bash --norc --noediting -i

Expected Behaviour

Any error messages, without an asan ERROR.

Actual Behaviour

==349030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5021a40e at pc 0x55711a6a bp 0x7fffcfb0 sp 0x7fffcfa8
READ of size 1 at 0x5021a40e thread T0
    #0 0x55711a69 in read_token_word /usr/local/src/chet/src/bash/src/parse.y:5210:12
    #1 0x55711a69 in read_token /usr/local/src/chet/src/bash/src/parse.y:3594:12
    #2 0x556ea27f in yylex /usr/local/src/chet/src/bash/src/parse.y:2890:19
    #3 0x556ea27f in yyparse /home/as/projects/bash/bash-SAN/bash/y.tab.c:1854:16
    #4 0x5571e3d1 in parse_comsub /usr/local/src/chet/src/bash/src/parse.y:4138:7
    #5 0x5571b5aa in parse_matched_pair /usr/local/src/chet/src/bash/src/parse.y:3943:16
    #6 0x5570664b in read_token_word /usr/local/src/chet/src/bash/src/parse.y:4935:11
    #7 0x5570664b in read_token /usr/local/src/chet/src/bash/src/parse.y:3594:12
    #8 0x556ea27f in yylex /usr/local/src/chet/src/bash/src/parse.y:2890:19
    #9 0x556ea27f in yyparse /home/as/projects/bash/bash-SAN/bash/y.tab.c:1854:16
    #10 0x556e95c8 in parse_command /home/as/projects/bash/bash-SAN/bash/eval.c:348:7
    #11 0x556e875d in read_command /home/as/projects/bash/bash-SAN/bash/eval.c:392:12
    #12 0x556e7971 in reader_loop /home/as/projects/bash/bash-SAN/bash/eval.c:139:11
    #13 0x556e12dc in main /home/as/projects/bash/bash-SAN/bash/shell.c:945:3
    #14 0x77cac249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x77cac304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x555fc9e0 in _start (/home/as/projects/bash/bash-SAN/bash/bash+0xa89e0) (BuildId: 3272a6f95dabaf748ee26df2befb4fa82755bd61)

0x5021a40e is located 2 bytes before 10-byte region [0x5021a410,0x5021a41a)
allocated by thread T0 here:
    #0 0x5569bc7f in malloc (/home/as/projects/bash/bash-SAN/bash/bash+0x147c7f) (BuildId: 3272a6f95dabaf748ee26df2befb4fa82755bd61)
    #1 0x558f6b84 in xrealloc /home/as/projects/bash/bash-SAN/bash/xmalloc.c:135:47
    #2 0x557081ad in read_token_word /usr/local/src/chet/src/bash/src/parse.y
    #3 0x557081ad in read_token /usr/local/src/chet/src/bash/src/parse.y:3594:12
    #4 0x556ea27f in yylex /usr/local/src/chet/src/bash/src/parse.y:2890:19
    #5 0x556ea27f in yyparse /home/as/projects/bash/bash-SAN/bash/y.tab.c:1854:16
    #6 0x556e95c8 in parse_command /home/as/projects/bash/bash-SAN/bash/eval.c:348:7
    #7 0x556e875d in read_command /home/as/projects/bash/bash-SAN/bash/eval.c:392:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/src/chet/src/bash/src/parse.y:5210:12 in read_token_word
Shadow bytes around the buggy address:
  0x5021a180: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x5021a200: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x5021a280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x5021a300: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x5021a380: fa fa fd fd fa fa 00 04 fa fa fd fa fa fa fd fa
=>0x5021a400: fa[fa]00 02 fa fa fd fd fa fa fd fd fa fa fd fa
  0x5021a480: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x5021a500: fa fa fd fd fa fa 00 00 fa fa fd fa fa fa fd fa
  0x5021a580: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x5021a600: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x5021a680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==349030==ABORTING

Additional Notes

The reason for the fault is the incorrect current_delimiter(ds) macro:

#define current_delimiter(ds) \
    (ds.delimiter_depth ? ds.delimiters[ds.delimiter_depth - 1] : 0)

Suggested Solution

Add an extra check in the ternary operator:

#define current_delimiter(ds) \
    (ds.delimiter_depth && !(ds.delimiter_depth - 1 < 0) ? ds.delimiters[ds.delimiter_depth - 1] : 0)

Bash Version

as@astra:~/projects/bash/up/bash$ ./bash --version
5.3.0(1)-rc1

The behaviour also occurs on the bash 5.2 release.

System Info

Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23 09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.1 (++202410011240
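The macro quoted in the report, placed beside a hardened form, as an added example that is not part of the original thread or of bash's own source. The struct layout, the 10-byte allocation size (taken from the ASan report) and the unbalanced pop that drives the depth to -1 are assumptions for illustration; the thread does not say how the depth became negative inside bash. The point it shows is that testing `ds.delimiter_depth` for non-zero is not the same as testing it for positive: with a depth of -1 the original macro indexes `delimiters[-2]`, which is exactly the "2 bytes before" the 10-byte region in the ASan output, while a `> 0` test (equivalent to the report's suggested `depth && !(depth - 1 < 0)`) yields 0 without touching memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bash's delimiter stack.  The field names follow
 * the macro quoted in the report; the layout itself is assumed, not bash's. */
struct dstack {
    char *delimiters;       /* heap buffer of currently open delimiter chars */
    int   delimiter_depth;  /* entries in use; signed, so it can go negative */
    int   delimiter_space;  /* bytes allocated for delimiters */
};

/* The macro as quoted in the report.  Any non-zero depth, including a
 * negative one, takes the indexing branch: depth == -1 reads delimiters[-2]. */
#define current_delimiter(ds) \
    (ds.delimiter_depth ? ds.delimiters[ds.delimiter_depth - 1] : 0)

/* Hardened form: only a strictly positive depth indexes the array.
 * Same truth table as the report's  depth && !(depth - 1 < 0). */
#define current_delimiter_safe(ds) \
    (ds.delimiter_depth > 0 ? ds.delimiters[ds.delimiter_depth - 1] : 0)

/* Byte offset from the start of the buffer that the original macro would
 * touch for a given depth (-2 for depth == -1).  No read is performed. */
int original_macro_offset(int depth)
{
    return depth - 1;
}

/* Would the original macro read outside the live region [0, space)?
 * Depth 0 yields the constant 0 and performs no read at all. */
int original_macro_reads_oob(int depth, int space)
{
    if (depth == 0)
        return 0;
    int idx = original_macro_offset(depth);
    return idx < 0 || idx >= space;
}

/* Balanced use: one push, then the original macro is in bounds and correct. */
char balanced_read(void)
{
    struct dstack ds = { malloc(10), 0, 10 };
    memset(ds.delimiters, 0, ds.delimiter_space);
    ds.delimiters[ds.delimiter_depth++] = '"';   /* push */
    char c = current_delimiter(ds);              /* depth 1: delimiters[0] */
    free(ds.delimiters);
    return c;
}

/* Unbalanced use (assumed trigger): one push, two pops, depth ends at -1.
 * The hardened macro returns 0 instead of reading two bytes before the block. */
char pop_past_empty_then_read_safe(void)
{
    struct dstack ds = { malloc(10), 0, 10 };
    memset(ds.delimiters, 0, ds.delimiter_space);
    ds.delimiters[ds.delimiter_depth++] = '"';   /* push */
    ds.delimiter_depth--;                        /* pop */
    ds.delimiter_depth--;                        /* unbalanced pop: depth == -1 */
    char c = current_delimiter_safe(ds);         /* 0, no out-of-bounds access */
    free(ds.delimiters);
    return c;
}

int main(void)
{
    printf("depth -1: original macro offset %d, out of bounds: %d\n",
           original_macro_offset(-1), original_macro_reads_oob(-1, 10));
    printf("balanced read: '%c', hardened read at depth -1: %d\n",
           balanced_read(), pop_past_empty_then_read_safe());
    return 0;
}
```

Build it with `-fsanitize=address` and replace `current_delimiter_safe` with `current_delimiter` in the second function to reproduce the same "2 bytes before 10-byte region" report shape in isolation.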
Re: Heap-buffer-overflow in read_token_word() when read element with -1 index
On 4/23/25 11:30 AM, Александр Ушаков wrote:
> I encountered an issue in Bash and would like to report it. buggyfile.txt is attached to the email.
>
> Steps to reproduce
>
> $ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
> $ make
> $ cat crash1.txt | ./bash --norc --noediting -i

I get no asan errors when running that file against the current bash devel branch and bash-5.3-rc1.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
Re: Heap-buffer-overflow in read_token_word() when read element with -1 index
On Wed, Apr 23, 2025, 11:40 Chet Ramey wrote:
> On 4/23/25 11:30 AM, Александр Ушаков wrote:
>> I encountered an issue in Bash and would like to report it. buggyfile.txt is attached to the email.
>>
>> Steps to reproduce
>>
>> $ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
>> $ make
>> $ cat crash1.txt | ./bash --norc --noediting -i
>
> I get no asan errors when running that file against the current bash devel branch and bash-5.3-rc1.

I think the attachment has incorrect line endings, here's what I believe is a simplified reproducer:

bash --norc -in -o posix <<< $':\n"\n"$(!!'