[Bug 1857826] Re: mksh isglobal ASAN heap-buffer-overflow
** Changed in: mksh
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh isglobal ASAN heap-buffer-overflow

Status in mksh:
  Fix Committed

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions
[Bug 1857828] Re: mksh expand ASAN heap-buffer-overflow
fix is making it to the anoncvs and github mirrors within the hour

** Changed in: mksh
       Status: Triaged => Fix Committed

-- 
https://bugs.launchpad.net/bugs/1857828

Title:
  mksh expand ASAN heap-buffer-overflow

Status in mksh:
  Fix Committed
Re: [bug] within 'eval', -e/-o errexit appears active, but is inactive
Martijn Dekker dixit:

> I noticed something strange while executing some 'eval'-ed commands: the -e/-o
> errexit appears to become active out of nowhere.
>
> $ mksh -c 'echo $-; eval '\''echo $-'\''; echo $-'
> hc
> ehc
> hc

Found to be caused by reusing bit7 of the ERREXIT flag for nefarious
purposes; fixed, but we could not get rid of the flag completely.

> However, both pdksh and mksh render 'set -e' ineffective for eval'ed commands,
> which is a bug in itself; no other shell including ksh93 shares this
> behaviour.
> Thus the expected output for the last command above is 'hc' and nothing else.

When run under -e of course.

Fixed, this was way harder.

Thanks,
//mirabilos
-- 
This space for rent.
https://paypal.me/mirabilos to support my work.
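The exchange above boils down to a portability question for script authors: does `set -e` still apply to commands run through `eval` in the shell I am running under? The probe below is an added example, not code from the thread or from mksh. It runs the shell under test as a separate process by name (assumed to be on PATH), on purpose: bash ignores a `set -e` issued inside a subshell that sits in an `||` list, so an in-process probe would report the wrong answer.

```shell
#!/bin/sh
# Added probe, not mksh code: ask a shell binary whether "set -e" still
# applies to commands run through eval, the behaviour the report above
# says pdksh and pre-fix mksh lacked. The shell is started as a separate
# process so the caller's own errexit context cannot mask the result.

# Returns 0 when the shell aborts the eval'd list at "false" (so "reached"
# is never printed), 1 when it carries on past it, 2 when the shell is not
# installed on this host.
eval_honours_errexit() {
    shell=${1:-sh}
    command -v "$shell" >/dev/null 2>&1 || return 2
    out=$("$shell" -c 'set -e; eval "false; echo reached"' 2>/dev/null || true)
    [ "$out" != reached ]
}

# Same idea with the $- flags from the report: the "e" flag should be
# visible before, inside and after the eval. Prints one line per probe.
flags_around_eval() {
    shell=${1:-sh}
    command -v "$shell" >/dev/null 2>&1 || return 2
    "$shell" -c 'set -e; echo "$-"; eval "echo \"\$-\""; echo "$-"'
}

# Stand-alone usage: report for the system shell.
if eval_honours_errexit sh; then
    echo "sh: errexit applies inside eval"
else
    echo "sh: errexit does NOT apply inside eval"
fi
```

Pass `mksh`, `bash`, `dash` or `ksh93` as the argument to compare shells side by side; a pre-fix mksh is the one that prints "reached" and so returns 1.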
[Bug 1857702] Re: " +=" operator does string concatenation for integer variables
As discussed heavily on IRC, other shells can use ((…)) or let to work
like mksh, and the mksh behaviour is semantically correct. I’ve documented
this in more detail in the manual page and the mksh FAQ now but kept the
behaviour so as not to break older scripts written in mksh.

You might wish to open bugs with the other shells to make their behaviour
match mksh, or warn when the underlying variable is an integer.

** Changed in: mksh
   Importance: Undecided => Wishlist

** Changed in: mksh
       Status: New => Fix Committed

-- 
https://bugs.launchpad.net/bugs/1857702

Title:
  " +=" operator does string concatenation for integer variables

Status in mksh:
  Fix Committed

Bug description:
  consider

      typeset -i x=0; x+=1; echo $x   # → 1 (as in ksh/bash/zsh)

  but

      typeset -i x=1; x+=1; echo $x   # → 11 (rather than 2 as in the other shells)

  I believe mksh should honour the integer declaration and interpret `+='
  accordingly. currently, it does not even consistently use string
  concatenation (since the first example does not yield `01' ...).

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857702/+subscriptions
[Bug 1857828] Re: mksh expand ASAN heap-buffer-overflow
** Changed in: mksh
   Importance: Undecided => High

** Changed in: mksh
       Status: New => Triaged

** Changed in: mksh
     Assignee: (unassigned) => Thorsten Glaser (mirabilos)
[Bug 1857826] Re: mksh ASAN heap-buffer-overflow
** Changed in: mksh
   Importance: Undecided => Medium

** Changed in: mksh
     Assignee: (unassigned) => Thorsten Glaser (mirabilos)
[Bug 1857826] Re: mksh isglobal ASAN heap-buffer-overflow
** Summary changed:

- mksh ASAN heap-buffer-overflow
+ mksh isglobal ASAN heap-buffer-overflow
[Bug 1857828] [NEW] mksh expand ASAN heap-buffer-overflow
Public bug reported:

ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
=================================================================
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc  (/usr/bin/mksh+0x7befc)

0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565df15d  (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
Shadow bytes around the buggy address:
  0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
  0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
  0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
  0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
  0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4807==ABORTING

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
==4808== Memcheck, a memory error detector
==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4808== Command: ./mksh -c echo\ ${0@#$0}
==4808==
==4808== Invalid read of size 1
==4808==    at 0x118527: expand (eval.c:821)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808== Invalid read of size 1
==4808==    at 0x1173CF: expand (eval.c:869)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808==
==4808== HEAP SUMMARY:
==4808==     in use at exit: 0 bytes in 0 blocks
==4808==   total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
==4808==
==4808== All heap blocks were freed -- no leaks are possible
==4808==
==4808== For counts of detected and suppressed errors, rerun with: -v
==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

** Affects: mksh
     Importance: Undecided
         Status: New
[Bug 1857826] Re: mksh ASAN heap-buffer-overflow
I just did a fresh compile from the github repo with debug and ran it
under valgrind:

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/12/11

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh ~/test/out2/crashes/0
==4765== Memcheck, a memory error detector
==4765== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4765== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4765== Command: ./mksh /home/ubuntu/test/out2/crashes/0
==4765==
==4765== Invalid read of size 1
==4765==    at 0x142D96: isglobal (var.c:283)
==4765==    by 0x12527A: test_eval.part.5 (funcs.c:2827)
==4765==    by 0x12708D: test_primary (funcs.c:3134)
==4765==    by 0x12708D: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==  Address 0x4a3ab55 is 0 bytes after a block of size 5 alloc'd
==4765==    at 0x4836C17: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4765==    by 0x10B68C: aresize (lalloc.c:154)
==4765==    by 0x1176DB: expand (eval.c:1003)
==4765==    by 0x11ABDD: evalstr (eval.c:169)
==4765==    by 0x11AE09: dbteste_getopnd (exec.c:1869)
==4765==    by 0x12707A: test_primary (funcs.c:3128)
==4765==    by 0x12707A: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==
==4765==
==4765== HEAP SUMMARY:
==4765==     in use at exit: 0 bytes in 0 blocks
==4765==   total heap usage: 435 allocs, 435 frees, 46,706 bytes allocated
==4765==
==4765== All heap blocks were freed -- no leaks are possible
==4765==
==4765== For counts of detected and suppressed errors, rerun with: -v
==4765== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
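The original ASAN report in this bug has no symbols (frames read `#0 0x56763b98 (/usr/bin/mksh+0x193b98)`), which is why the reporter had to rebuild with debug info and rerun under valgrind before the faulting function (isglobal, var.c:283) became visible. When a rebuild is not an option, the module+offset pairs ASAN prints can be mapped onto a matching debug build with addr2line, or the run repeated with llvm-symbolizer on PATH so ASAN symbolizes in place. The helper below is an added example, not from the report or from mksh: it parses those frame lines and hands each (module, offset) pair to addr2line when the module is readable on this host, otherwise just prints the pair. The embedded sample is copied from the report's frame lines; the `asan_report_frames` and `symbolise_frame` names are mine.

```shell
#!/bin/sh
# Added triage helper, not code from the bug report or from mksh.
# Extracts (module, offset) pairs from unsymbolised ASAN stack frames so
# they can be resolved with addr2line against the same binary built with
# -g. Sample input is copied from the 1857826 report's frame lines.

# One ASAN frame looks like:   #0 0x56763b98  (/usr/bin/mksh+0x193b98)
# or:   #0 0xf7a285bd in __interceptor_realloc (/lib/.../libasan.so.5+0x1125bd)
# Capture the module path and the hex offset inside the parentheses.
ASAN_FRAME_RE='^[[:space:]]*#[0-9][0-9]* 0x[0-9a-fA-F]*.*(\([^+)]*\)+\(0x[0-9a-fA-F]*\)).*$'

# Read a whole report on stdin; print "module offset" per frame line.
asan_report_frames() {
    sed -n "s/$ASAN_FRAME_RE/\\1 \\2/p"
}

# Same for a single line passed as an argument (empty output if not a frame).
asan_frame_to_module_offset() {
    printf '%s\n' "$1" | asan_report_frames
}

# Resolve one frame: use addr2line when the module exists here and the
# tool is installed, otherwise print the pair for resolution elsewhere.
# Returns 1 when the line is not an ASAN frame at all.
symbolise_frame() {
    pair=$(asan_frame_to_module_offset "$1")
    [ -n "$pair" ] || return 1
    module=${pair% *}
    offset=${pair#* }
    if [ -r "$module" ] && command -v addr2line >/dev/null 2>&1; then
        addr2line -f -e "$module" "$offset"
    else
        printf '%s %s\n' "$module" "$offset"
    fi
}

# Constructed sample: the frame-bearing lines of the report above.
SAMPLE_REPORT='==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
READ of size 1 at 0xf4d024d5 thread T0
    #0 0x56763b98  (/usr/bin/mksh+0x193b98)

0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
allocated by thread T0 here:
    #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565e115d  (/usr/bin/mksh+0x1115d)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)'

# Stand-alone usage: list the pairs to feed to addr2line on the build box.
printf '%s\n' "$SAMPLE_REPORT" | asan_report_frames
```

Note that addr2line only gives a meaningful answer against the exact binary that produced the report (same build, ideally with `-g`); offsets from the Ubuntu `/usr/bin/mksh` will not line up with a fresh checkout.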
Re: [Bug 1857826] [NEW] mksh ASAN heap-buffer-overflow
On 29-12-19 at 19:20, Fernando Muñoz wrote:
> When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
> undefined environment variable) mksh will crash.

Of course it shouldn't crash, but it's worth noting that the correct form
is [[ -v XX ]] without the dollar sign (signifying the expansion of the
variable, not the variable itself). With the expansion of a nonexistent
variable, you're effectively testing [[ -v '' ]] which I would guess is
probably what triggers the crash.

- M.

-- 
modernish -- harness the shell
https://github.com/modernish/modernish
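The distinction Martijn draws, between the variable name and its expansion, is easy to get wrong in any shell, and `[[ -v ]]` itself is ksh/bash-specific. The script below is an added example (not from the thread, not mksh code) that implements the same "is NAME set?" check in plain POSIX sh with `${NAME+set}`, and makes the operand a name by construction: because the name is spliced into an `eval` string, it is validated as an identifier first, so an empty name (what `$XX` becomes when XX is unset) or an injected `x; rm -rf ~` is rejected with status 2 instead of being evaluated. Function names are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report or from mksh. Portable
# POSIX sh replacement for the ksh/bash-only [[ -v NAME ]] test. The
# operand is a variable NAME: call is_set XX, never is_set $XX (that
# passes the value, which for an unset variable is nothing at all).
#
# Return codes: 0 = set (possibly empty), 1 = unset, 2 = not a valid name.
is_set() {
    # The name is spliced into an eval string, so refuse anything that is
    # not a plain identifier (empty, leading digit, or other characters).
    # Without this, is_set 'x; rm -rf ~' would run the injected command.
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    # ${NAME+set} expands to "set" when NAME is set (even to ""), else to "".
    eval "[ \"\${$1+set}\" = set ]"
}

# Three-way classification: prints nonempty, empty, unset or invalid.
var_state() {
    is_set "$1" && rc=0 || rc=$?
    case $rc in
        0) eval "[ -n \"\${$1}\" ]" && echo nonempty || echo empty ;;
        1) echo unset ;;
        *) echo invalid ;;
    esac
}

# The exact mistake from the report: XX is unset, so the unquoted $XX
# expands to nothing and is_set receives no name at all. Here that is a
# clean status 2; in the report it reached mksh's [[ -v ]] as an empty
# operand.
pitfall_rc() {
    unset XX
    is_set $XX && return 0 || return $?
}

# Stand-alone demo.
EMPTY_VAR=
var_state EMPTY_VAR
var_state NO_SUCH_VAR_ABC
var_state 'x; echo injected'
```

Because the whole check runs inside `eval`, the identifier guard in `is_set` is the security-relevant line: drop it and any caller that passes untrusted text as a "variable name" has handed that text to the shell for execution.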
[Bug 1857826] [NEW] mksh ASAN heap-buffer-overflow
Public bug reported:

When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
undefined environment variable) mksh will crash.

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/03/01
$ set | grep XX=
$ [[ -v $XX ]]
=================================================================
==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
READ of size 1 at 0xf4d024d5 thread T0
    #0 0x56763b98  (/usr/bin/mksh+0x193b98)

0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
allocated by thread T0 here:
    #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565e115d  (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
Shadow bytes around the buggy address:
  0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
  0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
  0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362==ABORTING

** Affects: mksh
     Importance: Undecided
         Status: New

** Tags: crash fuzzing