Hi,

With Address Sanitizer I discovered another out of bounds read issue in bash. This is different from the issue I recently reported here and for which Chet already provided a patch:
https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

To reproduce:
a) compile bash with CFLAGS="-fsanitize=address -g"
b) type in a=/ a
c) go back with the cursor behind the backslash and press tab

This is the stack trace from address sanitizer:

==28776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001014af at pc 0x4c7c0f bp 0x7ffe122a3490 sp 0x7ffe122a3480
READ of size 1 at 0x6020001014af thread T0
    #0 0x4c7c0e in bind_compfunc_variables /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986
    #1 0x4ca913 in gen_shell_function_matches /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1133
    #2 0x4ca913 in gen_compspec_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1411
    #3 0x4cc221 in gen_progcomp_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1581
    #4 0x4cc5a1 in programmable_completions /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:1633
    #5 0x4bd184 in attempt_shell_completion /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/bashline.c:1517
    #6 0x7f79530ed482 (/lib64/libreadline.so.6+0x3a482)
    #7 0x7f79530ed8bc in rl_complete_internal (/lib64/libreadline.so.6+0x3a8bc)
    #8 0x7f79530d8c0d in _rl_dispatch_subseq (/lib64/libreadline.so.6+0x25c0d)
    #9 0x7f79530d948c in readline_internal_char (/lib64/libreadline.so.6+0x2648c)
    #10 0x7f79530da354 in readline (/lib64/libreadline.so.6+0x27354)
    #11 0x410457 in yy_readline_get parse.y:1448
    #12 0x414dad in yy_getc parse.y:1382
    #13 0x414dad in shell_getc parse.y:2283
    #14 0x419c19 in read_token parse.y:3050
    #15 0x41f721 in yylex parse.y:2637
    #16 0x41f721 in yyparse /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/y.tab.c:2037
    #17 0x40f2ab in parse_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:238
    #18 0x40f4b1 in read_command /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:282
    #19 0x40f99e in reader_loop /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/eval.c:145
    #20 0x40ba04 in main /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/shell.c:756
    #21 0x7f7952820aa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #22 0x40db2d (/bin/bash+0x40db2d)

0x6020001014af is located 1 bytes to the left of 2-byte region [0x6020001014b0,0x6020001014b2)
allocated by thread T0 here:
    #0 0x7f79533a77c7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x577c7)
    #1 0x4cd72a in xmalloc /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/xmalloc.c:112

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-shells/bash-4.3_p33-r2/work/bash-4.3/pcomplete.c:986 bind_compfunc_variables
Shadow bytes around the buggy address:
  0x0c0480018240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480018270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa
  0x0c0480018280: fa fa 00 02 fa fa 00 02 fa fa 02 fa fa fa fd fa
=>0x0c0480018290: fa fa fd fd fa[fa]02 fa fa fa 02 fa fa fa fd fa
  0x0c04800182a0: fa fa 02 fa fa fa 06 fa fa fa fd fa fa fa fd fa
  0x0c04800182b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800182e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==28776==ABORTING

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
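The report above is a one-byte READ located one byte to the left of a two-byte heap region, which is the typical shape of a "look at the previous character" check that skips the index test. The following is an added illustration of that bug shape and of the guard that removes it; it is constructed for this page, is not bash's code, and makes no claim about what pcomplete.c:986 actually does. The function names and the sample words are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not bash's code): a completion routine wants to
 * know whether the character at `pos` is escaped by a preceding backslash.
 * Reading s[pos - 1] without first checking pos is exactly the shape ASan
 * reported above: a READ of size 1, 1 byte to the left of a heap region. */
static int preceded_by_backslash_unsafe(const char *s, size_t pos)
{
    return s[pos - 1] == '\\';   /* pos == 0 reads one byte before s */
}

/* Guarded version: establish that a previous character exists first.
 * The short-circuit keeps s[pos - 1] from being evaluated when pos == 0. */
static int preceded_by_backslash(const char *s, size_t pos)
{
    return pos > 0 && s[pos - 1] == '\\';
}

/* Copies `word` into a heap buffer of exactly strlen+1 bytes (the way a
 * tight xmalloc would) so that a sanitizer build has a redzone directly to
 * the left of it, then applies the guarded check.
 * Returns 1 if the character at pos is escaped, 0 if not, -1 on OOM. */
int char_is_escaped(const char *word, size_t pos)
{
    size_t n = strlen(word);
    if (pos > n)
        return 0;                /* nothing to inspect past the terminator */
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, word, n + 1);
    int escaped = preceded_by_backslash(copy, pos);
    free(copy);
    return escaped;
}

/* Build with:  cc -fsanitize=address -g example.c && ./a.out
 * The guarded calls run clean; the last unsafe call, with pos == 0 on a
 * 2-byte region like the one in the report, is flagged by ASan as a
 * heap-buffer-overflow READ of size 1 and aborts the process. */
int main(void)
{
    printf("\"a\\ b\" pos 2 escaped: %d\n", char_is_escaped("a\\ b", 2));
    printf("\"a\\ b\" pos 0 escaped: %d\n", char_is_escaped("a\\ b", 0));

    char *heap = malloc(2);      /* a 2-byte region, as in the report */
    if (heap == NULL)
        return 1;
    heap[0] = 'a';
    heap[1] = '\0';
    printf("unsafe, pos 1: %d\n", preceded_by_backslash_unsafe(heap, 1));
    printf("unsafe, pos 0: %d\n", preceded_by_backslash_unsafe(heap, 0)); /* ASan aborts here */
    free(heap);
    return 0;
}
```

The guarded check is the whole fix: the read of the previous byte is only reached once `pos > 0` has established that such a byte belongs to the allocation. Without ASan the unsafe call usually returns quietly, because the byte before a heap chunk is allocator metadata rather than unmapped memory, which is why this class of bug tends to surface only under a sanitizer build like the one used in the report.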