P.S. the behaviour repeats on the latest
   25c6aa5b230167c6471898539c46dd2891d891a5 commit (devel branch).

   ----------------

   To: [email protected] ([email protected]);

   Subject: heap-use-after-free executing_line_number() bash/execute_cmd.c:419:40;

   12.10.2025, 17:12, "Александр Ушаков" <[email protected]>:

   Dear Bash Maintainers,

   I encountered an issue in Bash and would like to report it. crash1.txt
   is attached to the email.



   Steps to reproduce

   $ CC=clang-19 CFLAGS=" -g -fsanitize=address -O0 " ./configure --enable-largefile --without-bash-malloc
   $ make
   $ ./bash crash1.txt



   Expected Behaviour

   Any messages without an ASan ERROR.



   Actual Behaviour

   ================================================================
   ==3984395==ERROR: AddressSanitizer: heap-use-after-free on address
   0x503000002980 at pc 0x56d4bf2fc848 bp 0x7ffc54ea6a10 sp 0x7ffc54ea6a08
   READ of size 4 at 0x503000002980 thread T0
       #0 0x56d4bf2fc847 in executing_line_number
   /upstream/bash/execute_cmd.c:419:40
       #1 0x56d4bf30ff17 in execute_function
   /upstream/bash/execute_cmd.c:5314:12
       #2 0x56d4bf319e6a in execute_builtin_or_function
   /upstream/bash/execute_cmd.c:5645:14
       #3 0x56d4bf3056e9 in execute_simple_command
   /upstream/bash/execute_cmd.c:4856:13
       #4 0x56d4bf2fece3 in execute_command_internal
   /upstream/bash/execute_cmd.c:938:4
       #5 0x56d4bf2fcb16 in execute_command
   /upstream/bash/execute_cmd.c:456:12
       #6 0x56d4bf2c1e2d in reader_loop /upstream/bash/eval.c:183:8
       #7 0x56d4bf2bc3de in main /upstream/bash/shell.c:834:3
       #8 0x7153d83a2249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #9 0x7153d83a2304 in __libc_start_main
   csu/../csu/libc-start.c:360:3
       #10 0x56d4bf1dba70 in _start (/upstream/bash/bash+0xaca70)
   (BuildId: b9fd292ae42f98e3b23d0ac1da70f48e9a32f04d)

   0x503000002980 is located 0 bytes inside of 32-byte region
   [0x503000002980,0x5030000029a0)
   freed by thread T0 here:
       #0 0x56d4bf27aa76 in free (/upstream/bash/bash+0x14ba76) (BuildId:
   b9fd292ae42f98e3b23d0ac1da70f48e9a32f04d)
       #1 0x56d4bf2fb0d6 in dispose_command
   /upstream/bash/dispose_cmd.c:204:3
       #2 0x56d4bf2fbe24 in uw_dispose_command
   /upstream/bash/dispose_cmd.c:210:3
       #3 0x56d4bf3c6fe1 in unwind_frame_run_internal
   /upstream/bash/unwind_prot.c:286:6
       #4 0x56d4bf3c6a9e in run_unwind_frame
   /upstream/bash/unwind_prot.c:122:5
       #5 0x56d4bf441201 in parse_and_execute
   /upstream/bash/builtins/evalstring.c:425:3
       #6 0x56d4bf3c1942 in _run_trap_internal
   /upstream/bash/trap.c:1199:4
       #7 0x56d4bf3c0c00 in run_debug_trap /upstream/bash/trap.c:1287:25
       #8 0x56d4bf303949 in execute_simple_command
   /upstream/bash/execute_cmd.c:4506:12
       #9 0x56d4bf2fece3 in execute_command_internal
   /upstream/bash/execute_cmd.c:938:4
       #10 0x56d4bf2fcb16 in execute_command
   /upstream/bash/execute_cmd.c:456:12
       #11 0x56d4bf2c1e2d in reader_loop /upstream/bash/eval.c:183:8
       #12 0x56d4bf2bc3de in main /upstream/bash/shell.c:834:3
       #13 0x7153d83a2249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16

   previously allocated by thread T0 here:
       #0 0x56d4bf27ad0f in malloc (/upstream/bash/bash+0x14bd0f)
   (BuildId: b9fd292ae42f98e3b23d0ac1da70f48e9a32f04d)
       #1 0x56d4bf42ac04 in xmalloc /upstream/bash/xmalloc.c:104:10
       #2 0x56d4bf2f0567 in make_bare_simple_command
   /upstream/bash/make_cmd.c:457:24
       #3 0x56d4bf2f0788 in make_simple_command
   /upstream/bash/make_cmd.c:482:17
       #4 0x56d4bf2c5ccc in yyparse
   /usr/local/src/chet/src/bash/src/parse.y:832:45
       #5 0x56d4bf2c2cc9 in parse_command /upstream/bash/eval.c:369:7
       #6 0x56d4bf441303 in parse_and_execute
   /upstream/bash/builtins/evalstring.c:451:11
       #7 0x56d4bf3c1942 in _run_trap_internal
   /upstream/bash/trap.c:1199:4
       #8 0x56d4bf3c0c00 in run_debug_trap /upstream/bash/trap.c:1287:25
       #9 0x56d4bf303949 in execute_simple_command
   /upstream/bash/execute_cmd.c:4506:12
       #10 0x56d4bf2fece3 in execute_command_internal
   /upstream/bash/execute_cmd.c:938:4
       #11 0x56d4bf2fcb16 in execute_command
   /upstream/bash/execute_cmd.c:456:12
       #12 0x56d4bf2c1e2d in reader_loop /upstream/bash/eval.c:183:8
       #13 0x56d4bf2bc3de in main /upstream/bash/shell.c:834:3
       #14 0x7153d83a2249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16

   SUMMARY: AddressSanitizer: heap-use-after-free
   /upstream/bash/execute_cmd.c:419:40 in executing_line_number
   Shadow bytes around the buggy address:
     0x503000002700: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
     0x503000002780: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
     0x503000002800: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
     0x503000002880: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
     0x503000002900: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
   =>0x503000002980:[fd]fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
     0x503000002a00: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
     0x503000002a80: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
     0x503000002b00: fd fd fd fa fa fa 00 00 00 00 fa fa 00 00 00 00
     0x503000002b80: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
     0x503000002c00: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
   ==3984395==ABORTING

   Additional Notes

   The attached file isn't corrupted.



   Bash Version

   commit a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b

   root@fb1d7dcac77a:/upstream/bash# ./bash --version
   GNU bash, version 5.3.3(1)-release (x86_64-pc-linux-gnu)
   Copyright (C) 2025 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

   Also, the behaviour repeats on the bash 5.2 release.



   System Info

   Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul
   23 09:49:19 MSK 2024 x86_64 GNU/Linux

   Debian clang version 19.1.4 (1~deb12u1)
   Target: x86_64-pc-linux-gnu
   Thread model: posix
   InstalledDir: /usr/lib/llvm-19/bin



   Crash1.txt:
   pr0nt0de0000trap(){ "$$("
   }
   0(){ ""
   }
   0(){ ""
   for((;;))do ""
   done
   }
   0(){ ""
   }
   trap 'pr0nt0de0000trap' DEBUG
   0
