heap-use-after-free in GNU Bash 4.4.0

2016-09-09 Thread Franco Costantini
Hi,

we recently found an invalid memory access parsing and executing fuzzed
bash code in GNU Bash 4.4.0 (bash-20160826 snapshot, found in
http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=79eedac429c5112ae65a430674de5e4be1cd5444).
We tested this issue on Ubuntu 14.04.5 (x86_64) but other configurations
could be affected. To reproduce it, compilation with Address Sanitizer is
required:

  $ ./configure --without-bash-malloc CFLAGS="-fsanitize=address -g -ggdb" \
        LDFLAGS=-fsanitize=address
  $ make

Technical details about the issue are:

==25874== ERROR: AddressSanitizer: heap-use-after-free on address
0x6004b9f0 at pc 0x437f17 bp 0x7fff4b7aaa80 sp 0x7fff4b7aaa78
READ of size 1 at 0x6004b9f0 thread T0

And gdb backtrace is as follows:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
0x7468fc37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#0  0x7468fc37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x74693028 in __GI_abort () at abort.c:89
#2  0x74e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x74e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x74e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x74e63121 in __asan_report_error () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x74e5d6a4 in __asan_report_load1 () from
/usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00437f17 in parse_comsub (qc=0, open=40, close=41,
lenp=0x7fffd7f0, flags=8) at ./parse.y:3926
#8  0x0043d057 in read_token_word (character=62) at ./parse.y:4854
#9  0x00434e4d in read_token (command=0) at ./parse.y:3296
#10 0x00432e7f in yylex () at ./parse.y:2675
#11 0x00425a45 in yyparse () at y.tab.c:1832
#12 0x00424e6b in parse_command () at eval.c:261
#13 0x00424f72 in read_command () at eval.c:305
#14 0x00424b20 in reader_loop () at eval.c:149
#15 0x00420681 in main (argc=2, argv=0x7fffed28,
env=0x7fffed40) at shell.c:792

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.


-799646324984424118.iftlnsqdux.sh
Description: Bourne shell script


Re: heap-use-after-free in GNU Bash 4.4.0

2016-09-12 Thread Franco Costantini
By the way, we actually found more than 10 (potentially) different errors
(judging by their backtrace), but I didn't want to spam the list. What
would be the best way to report them?

Regards

On Sat, Sep 10, 2016 at 7:52 PM, Chet Ramey wrote:

> On 9/9/16 9:35 AM, Franco Costantini wrote:
> > Hi,
> >
> > we recently found an invalid memory access parsing and executing fuzzed
> > bash code in GNU Bash 4.4.0 (bash-20160826 snapshot, found in
> > http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=79eedac429c5112ae65a430674de5e4be1cd5444).
>
> Thanks for the report.
>
> Chet
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>  ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
>
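As an added example (not part of this thread and not bash's own code), a small Python triage helper for the follow-up question about reporting many fuzzer findings: it turns the ASan header and gdb backtrace from the original report into an address-free crash signature and groups reports by it, so a pile of crashes collapses into the distinct bugs worth sending. The sample input is constructed from the report above with the e-mail line wrapping undone, and the noise-frame filter is an assumption about which frames are sanitizer/libc rather than bash.

```python
import re
from collections import defaultdict

# Constructed sample input: the ASan header and gdb frames from the original
# report, with the e-mail line wrapping undone (addresses as printed there).
ASAN_LINE = "==25874== ERROR: AddressSanitizer: heap-use-after-free on address 0x6004b9f0"
BACKTRACE = """\
#0  0x7468fc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x74693028 in __GI_abort () at abort.c:89
#2  0x74e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x74e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x74e5d6a4 in __asan_report_load1 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00437f17 in parse_comsub (qc=0, open=40, close=41, lenp=0x7fffd7f0, flags=8) at ./parse.y:3926
#8  0x0043d057 in read_token_word (character=62) at ./parse.y:4854
#9  0x00434e4d in read_token (command=0) at ./parse.y:3296
#10 0x00432e7f in yylex () at ./parse.y:2675
"""

# One gdb frame: "#N  0xADDR in func (args) at file:line" or "... from lib.so".
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (\S+) \(.*?\)(?: at (\S+))?", re.M)
ASAN_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
# Assumed noise: frames in the sanitizer runtime or the libc abort path, not bash.
NOISE_RE = re.compile(r"^(\?\?|__asan|__interceptor|__GI_|abort$|raise$)")


def parse_frames(backtrace):
    """Return (function, 'file:line' or None) for every frame in gdb output."""
    return [(m.group(1), m.group(2)) for m in FRAME_RE.finditer(backtrace)]


def crash_signature(asan_line, backtrace, depth=3):
    """Bug key: ASan error kind plus the top `depth` frames that have bash source
    locations. Addresses are dropped so ASLR or a rebuild does not split one bug."""
    m = ASAN_RE.search(asan_line)
    kind = m.group(1) if m else "unknown"
    frames = [f"{fn}@{loc}" for fn, loc in parse_frames(backtrace)
              if loc and not NOISE_RE.match(fn)]
    return kind + ":" + "|".join(frames[:depth])


def group_crashes(reports, depth=3):
    """reports: iterable of (id, asan_line, backtrace). Returns signature -> [ids],
    so many fuzzer crashes collapse into the distinct bugs to report."""
    groups = defaultdict(list)
    for rid, asan_line, backtrace in reports:
        groups[crash_signature(asan_line, backtrace, depth)].append(rid)
    return dict(groups)


if __name__ == "__main__":
    print(crash_signature(ASAN_LINE, BACKTRACE))
```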