[Bug 1857826] Re: mksh isglobal ASAN heap-buffer-overflow

2019-12-29 Thread Thorsten Glaser
** Changed in: mksh
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh isglobal ASAN heap-buffer-overflow

Status in mksh:
  Fix Committed

Bug description:
  When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
  undefined environment variable) mksh will crash.

  $ echo $KSH_VERSION
  @(#)MIRBSD KSH R57 2019/03/01
  $ set | grep XX=  
  
  $ [[ -v $XX ]]
  =
  ==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
  READ of size 1 at 0xf4d024d5 thread T0
      #0 0x56763b98  (/usr/bin/mksh+0x193b98)

  0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
  allocated by thread T0 here:
      #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
      #1 0x565e115d  (/usr/bin/mksh+0x1115d)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
  Shadow bytes around the buggy address:
    0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
    0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
    0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
    0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
    0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
    0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==362==ABORTING

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions
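The report above says the 1-byte read landed 0 bytes to the right of a 5-byte region, and the marked shadow byte [05] means only the first five bytes of that 8-byte granule are addressable: a read exactly one past the end of a NUL-terminated heap string. The following C program is an added example, not mksh source, that reproduces this bug class with a constructed `name[subscript]` scanner (the function names and sample inputs are assumptions): a lookahead that does not stop at the terminator, beside a rewrite in which every lookahead is bounded by the NUL and every copy by the caller's buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example (not mksh code): a scan that runs past the terminating
 * NUL of a heap string, the bug class ASan reports as
 * "heap-buffer-overflow ... 0 bytes to the right of an N-byte region".
 * Build:  cc -g -O1 -fsanitize=address -fno-omit-frame-pointer lookahead.c
 * Run:    ./a.out --buggy   (ASan aborts with a 3-byte-region report)
 */

/* Buggy: after '[' it scans for ']' and never checks for NUL.  On "x["
 * (a 3-byte heap region including the NUL) it reads name[3], i.e. 0 bytes
 * to the right of the region; without ASan it keeps reading whatever
 * follows on the heap until it finds a ']' or faults. */
static int has_subscript_buggy(const char *name)
{
    const char *p = strchr(name, '[');
    if (p == NULL)
        return 0;
    for (p++; *p != ']'; p++)
        ;                       /* BUG: no NUL check */
    return 1;
}

/*
 * Hardened: classify name as plain ("foo"), subscripted ("arr[3]") or
 * malformed ("", "arr[", "[3]", "a[]", "a[1]x").  Every lookahead is bounded
 * by the string length and every copy by the destination capacity.
 * Returns 1 (subscripted; base and sub filled), 0 (plain; base filled)
 * or -1 (malformed or does not fit).
 */
static int split_subscript(const char *name, char *base, size_t basecap,
                           char *sub, size_t subcap)
{
    size_t len = strlen(name);
    const char *open, *close;
    size_t baselen, sublen;

    if (len == 0)               /* "" (what [[ -v $XX ]] expands to) is no name */
        return -1;
    open = memchr(name, '[', len);
    if (open == NULL) {
        if (len >= basecap)
            return -1;
        memcpy(base, name, len + 1);
        return 0;
    }
    /* search only inside the remaining bytes, never past the NUL */
    close = memchr(open + 1, ']', len - (size_t)(open + 1 - name));
    if (open == name || close == NULL || close == open + 1 || close[1] != '\0')
        return -1;
    baselen = (size_t)(open - name);
    sublen = (size_t)(close - open - 1);
    if (baselen >= basecap || sublen >= subcap)
        return -1;
    memcpy(base, name, baselen);
    base[baselen] = '\0';
    memcpy(sub, open + 1, sublen);
    sub[sublen] = '\0';
    return 1;
}

/* Wrappers so a result can be checked in one call. */
static int classify(const char *name)
{
    char base[64], sub[64];
    return split_subscript(name, base, sizeof base, sub, sizeof sub);
}

static int splits_to(const char *name, const char *want_base, const char *want_sub)
{
    char base[64] = "", sub[64] = "";
    if (split_subscript(name, base, sizeof base, sub, sizeof sub) != 1)
        return 0;
    return strcmp(base, want_base) == 0 && strcmp(sub, want_sub) == 0;
}

int main(int argc, char **argv)
{
    /* constructed sample inputs */
    static const char *const samples[] = { "", "foo", "arr[3]", "arr[", "[3]", "a[]" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], classify(samples[i]));

    if (argc > 1 && strcmp(argv[1], "--buggy") == 0) {
        /* heap copy so ASan attributes the read to a 3-byte heap region */
        char *s = malloc(3);
        if (s == NULL)
            return 1;
        memcpy(s, "x[", 3);
        printf("buggy: %d\n", has_subscript_buggy(s));
        free(s);
    }
    return 0;
}
```

Compiled with `-g`, ASan symbolises the stack trace instead of printing bare `(/usr/bin/mksh+0x193b98)` offsets as in the report above, which is the first thing to do when triaging such a report from a release build. Without ASan the buggy scan usually returns 1 after wandering through neighbouring heap bytes, which is why this class of bug stays invisible in ordinary testing and only shows up under a sanitizer or valgrind.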


[Bug 1857828] Re: mksh expand ASAN heap-buffer-overflow

2019-12-29 Thread Thorsten Glaser
fix is making it to the anoncvs and github mirrors within the hour

** Changed in: mksh
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857828

Title:
  mksh expand ASAN heap-buffer-overflow

Status in mksh:
  Fix Committed

Bug description:
  ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
  =
  ==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
  READ of size 1 at 0xf4d01559 thread T0
      #0 0x56649efc  (/usr/bin/mksh+0x7befc)

  0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
  allocated by thread T0 here:
      #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
      #1 0x565df15d  (/usr/bin/mksh+0x1115d)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
  Shadow bytes around the buggy address:
    0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
    0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
    0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
    0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
    0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==4807==ABORTING

  ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
  ==4808== Memcheck, a memory error detector
  ==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
  ==4808== Command: ./mksh -c echo\ ${0@#$0}
  ==4808== 
  ==4808== Invalid read of size 1
  ==4808==    at 0x118527: expand (eval.c:821)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
  ==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x10B68C: aresize (lalloc.c:154)
  ==4808==    by 0x1420F0: setstr (var.c:491)
  ==4808==    by 0x14300F: isglobal (var.c:272)
  ==4808==    by 0x14305D: global (var.c:238)
  ==4808==    by 0x11A9E5: varsub (eval.c:1378)
  ==4808==    by 0x11A9E5: expand (eval.c:390)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808== 
  ==4808== Invalid read of size 1
  ==4808==    at 0x1173CF: expand (eval.c:869)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
  ==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
  ==4808==    by 0x10B68C: aresize (lalloc.c:154)
  ==4808==    by 0x1420F0: setstr (var.c:491)
  ==4808==    by 0x14300F: isglobal (var.c:272)
  ==4808==    by 0x14305D: global (var.c:238)
  ==4808==    by 0x11A9E5: varsub (eval.c:1378)
  ==4808==    by 0x11A9E5: expand (eval.c:390)
  ==4808==    by 0x11AABD: eval (eval.c:154)
  ==4808==    by 0x11C630: execute (exec.c:124)
  ==4808==    by 0x1335E1: shell (main.c:908)
  ==4808==    by 0x10B118: main (main.c:704)
  ==4808== 

  ==4808== 
  ==4808== HEAP SUMMARY:
  ==4808== in 

Re: [bug] within 'eval', -e/-o errexit appears active, but is inactive

2019-12-29 Thread Thorsten Glaser
Martijn Dekker dixit:

> I noticed something strange while executing some 'eval'-ed commands: the -e/-o
> errexit appears to become active out of nowhere.
>
> $ mksh -c 'echo $-; eval '\''echo $-'\''; echo $-'
> hc
> ehc
> hc

Found to be caused by reusing bit7 of the ERREXIT flag for
nefarious purposes; fixed, but we could not get completely
rid of the flag.

> However, both pdksh and mksh render 'set -e' ineffective for eval'ed commands,
> which is a bug in itself; no other shell including ksh93 shares this 
> behaviour.
> Thus the expected output for the last command above is 'hc' and nothing else.

When run under -e of course.

Fixed, this was way harder.

Thanks,
//mirabilos
-- 
This space for rent.

https://paypal.me/mirabilos to support my work.


[Bug 1857702] Re: " +=" operator does string concatenation for integer variables

2019-12-29 Thread Thorsten Glaser
As discussed heavily on IRC, other shells can use ((…)) or let to work
like mksh, and the mksh behaviour is semantically correct. I’ve
documented this in more detail in the manual page and the mksh FAQ now
but kept the behaviour so as not to break older scripts written in mksh.

You might wish to open bugs with the other shells to make behaviour
match mksh, or warn when the underlying variable is an integer.

** Changed in: mksh
   Importance: Undecided => Wishlist

** Changed in: mksh
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857702

Title:
  " +=" operator does string concatenation for integer variables

Status in mksh:
  Fix Committed

Bug description:
  consider

  typeset -i x=0; x+=1; echo $x # → 1 (as in ksh/bash/zsh)

  but

  typeset -i x=1; x+=1; echo $x # → 11 (rather than 2 as in the other
  shells)

  I believe mksh should honour the integer declaration and interpret
  `+=' accordingly. Currently, it does not even consistently use string
  concatenation (since the first example does not yield `01' ...).

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857702/+subscriptions


[Bug 1857828] Re: mksh expand ASAN heap-buffer-overflow

2019-12-29 Thread Thorsten Glaser
** Changed in: mksh
   Importance: Undecided => High

** Changed in: mksh
   Status: New => Triaged

** Changed in: mksh
 Assignee: (unassigned) => Thorsten Glaser (mirabilos)

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857828

Title:
  mksh expand ASAN heap-buffer-overflow

Status in mksh:
  Triaged


[Bug 1857826] Re: mksh ASAN heap-buffer-overflow

2019-12-29 Thread Thorsten Glaser
** Changed in: mksh
   Importance: Undecided => Medium

** Changed in: mksh
 Assignee: (unassigned) => Thorsten Glaser (mirabilos)

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh isglobal ASAN heap-buffer-overflow

Status in mksh:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions


[Bug 1857826] Re: mksh isglobal ASAN heap-buffer-overflow

2019-12-29 Thread Fernando Muñoz
** Summary changed:

- mksh ASAN heap-buffer-overflow
+ mksh isglobal ASAN heap-buffer-overflow

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh isglobal ASAN heap-buffer-overflow

Status in mksh:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions


[Bug 1857828] [NEW] mksh expand ASAN heap-buffer-overflow

2019-12-29 Thread Fernando Muñoz
Public bug reported:

ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
=
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc  (/usr/bin/mksh+0x7befc)

0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565df15d  (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
Shadow bytes around the buggy address:
  0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
  0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
  0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
  0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
  0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4807==ABORTING

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
==4808== Memcheck, a memory error detector
==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4808== Command: ./mksh -c echo\ ${0@#$0}
==4808== 
==4808== Invalid read of size 1
==4808==    at 0x118527: expand (eval.c:821)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808== 
==4808== Invalid read of size 1
==4808==    at 0x1173CF: expand (eval.c:869)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808== 

==4808== 
==4808== HEAP SUMMARY:
==4808== in use at exit: 0 bytes in 0 blocks
==4808==   total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
==4808== 
==4808== All heap blocks were freed -- no leaks are possible
==4808== 
==4808== For counts of detected and suppressed errors, rerun with: -v
==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

** Affects: mksh
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail

[Bug 1857826] Re: mksh ASAN heap-buffer-overflow

2019-12-29 Thread Fernando Muñoz
I just did a fresh compile from the github repo with debug and ran it
under valgrind:

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/12/11

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh ~/test/out2/crashes/0
==4765== Memcheck, a memory error detector
==4765== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4765== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4765== Command: ./mksh /home/ubuntu/test/out2/crashes/0
==4765== 
==4765== Invalid read of size 1
==4765==    at 0x142D96: isglobal (var.c:283)
==4765==    by 0x12527A: test_eval.part.5 (funcs.c:2827)
==4765==    by 0x12708D: test_primary (funcs.c:3134)
==4765==    by 0x12708D: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==  Address 0x4a3ab55 is 0 bytes after a block of size 5 alloc'd
==4765==    at 0x4836C17: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4765==    by 0x10B68C: aresize (lalloc.c:154)
==4765==    by 0x1176DB: expand (eval.c:1003)
==4765==    by 0x11ABDD: evalstr (eval.c:169)
==4765==    by 0x11AE09: dbteste_getopnd (exec.c:1869)
==4765==    by 0x12707A: test_primary (funcs.c:3128)
==4765==    by 0x12707A: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765== 
==4765== 
==4765== HEAP SUMMARY:
==4765== in use at exit: 0 bytes in 0 blocks
==4765==   total heap usage: 435 allocs, 435 frees, 46,706 bytes allocated
==4765== 
==4765== All heap blocks were freed -- no leaks are possible
==4765== 
==4765== For counts of detected and suppressed errors, rerun with: -v
==4765== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh ASAN heap-buffer-overflow

Status in mksh:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions


Re: [Bug 1857826] [NEW] mksh ASAN heap-buffer-overflow

2019-12-29 Thread Martijn Dekker

On 29-12-19 at 19:20, Fernando Muñoz wrote:

> When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
> undefined environment variable) mksh will crash.

Of course it shouldn't crash, but it's worth noting that the correct
form is [[ -v XX ]] without the dollar sign (signifying the expansion of
the variable, not the variable itself).

With the expansion of a nonexistent variable, you're effectively testing
[[ -v '' ]] which I would guess is probably what triggers the crash.

- M.

--
modernish -- harness the shell
https://github.com/modernish/modernish


[Bug 1857826] [NEW] mksh ASAN heap-buffer-overflow

2019-12-29 Thread Fernando Muñoz
Public bug reported:

When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
undefined environment variable) mksh will crash.

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/03/01
$ set | grep XX=
$ [[ -v $XX ]]
=
==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
READ of size 1 at 0xf4d024d5 thread T0
    #0 0x56763b98  (/usr/bin/mksh+0x193b98)

0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
allocated by thread T0 here:
    #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565e115d  (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
Shadow bytes around the buggy address:
  0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
  0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
  0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362==ABORTING

** Affects: mksh
 Importance: Undecided
 Status: New


** Tags: crash fuzzing

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh ASAN heap-buffer-overflow

Status in mksh:
  New
