[Bug 1857828] [NEW] mksh expand ASAN heap-buffer-overflow
Public bug reported:

ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
=================================================================
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc (/usr/bin/mksh+0x7befc)

0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565df15d (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
Shadow bytes around the buggy address:
  0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
  0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
  0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
  0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
  0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4807==ABORTING

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
==4808== Memcheck, a memory error detector
==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4808== Command: ./mksh -c echo\ ${0@#$0}
==4808==
==4808== Invalid read of size 1
==4808==    at 0x118527: expand (eval.c:821)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808== Invalid read of size 1
==4808==    at 0x1173CF: expand (eval.c:869)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==    by 0x14300F: isglobal (var.c:272)
==4808==    by 0x14305D: global (var.c:238)
==4808==    by 0x11A9E5: varsub (eval.c:1378)
==4808==    by 0x11A9E5: expand (eval.c:390)
==4808==    by 0x11AABD: eval (eval.c:154)
==4808==    by 0x11C630: execute (exec.c:124)
==4808==    by 0x1335E1: shell (main.c:908)
==4808==    by 0x10B118: main (main.c:704)
==4808==
==4808==
==4808== HEAP SUMMARY:
==4808==     in use at exit: 0 bytes in 0 blocks
==4808==   total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
==4808==
==4808== All heap blocks were freed -- no leaks are possible
==4808==
==4808== For counts of detected and suppressed errors, rerun with: -v
==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

** Affects: mksh
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of mksh
Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/
[Bug 1857826] Re: mksh isglobal ASAN heap-buffer-overflow
** Summary changed:

- mksh ASAN heap-buffer-overflow
+ mksh isglobal ASAN heap-buffer-overflow

-- 
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh isglobal ASAN heap-buffer-overflow

Status in mksh:
  New

Bug description:
  When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
  undefined environment variable) mksh will crash.

  $ echo $KSH_VERSION
  @(#)MIRBSD KSH R57 2019/03/01
  $ set | grep XX=
  $ [[ -v $XX ]]
  =================================================================
  ==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
  READ of size 1 at 0xf4d024d5 thread T0
      #0 0x56763b98 (/usr/bin/mksh+0x193b98)

  0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
  allocated by thread T0 here:
      #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
      #1 0x565e115d (/usr/bin/mksh+0x1115d)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
  Shadow bytes around the buggy address:
    0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  =>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
    0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
    0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
    0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
    0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
    0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==362==ABORTING

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions
[Bug 1857826] Re: mksh ASAN heap-buffer-overflow
I just did a fresh compile from the github repo with debug and ran it
under valgrind:

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/12/11
ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh ~/test/out2/crashes/0
==4765== Memcheck, a memory error detector
==4765== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4765== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4765== Command: ./mksh /home/ubuntu/test/out2/crashes/0
==4765==
==4765== Invalid read of size 1
==4765==    at 0x142D96: isglobal (var.c:283)
==4765==    by 0x12527A: test_eval.part.5 (funcs.c:2827)
==4765==    by 0x12708D: test_primary (funcs.c:3134)
==4765==    by 0x12708D: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==  Address 0x4a3ab55 is 0 bytes after a block of size 5 alloc'd
==4765==    at 0x4836C17: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4765==    by 0x10B68C: aresize (lalloc.c:154)
==4765==    by 0x1176DB: expand (eval.c:1003)
==4765==    by 0x11ABDD: evalstr (eval.c:169)
==4765==    by 0x11AE09: dbteste_getopnd (exec.c:1869)
==4765==    by 0x12707A: test_primary (funcs.c:3128)
==4765==    by 0x12707A: test_nexpr (funcs.c:3098)
==4765==    by 0x12716E: test_aexpr (funcs.c:3086)
==4765==    by 0x1271DE: test_oexpr (funcs.c:3074)
==4765==    by 0x12724D: test_parse (funcs.c:3061)
==4765==    by 0x11D527: execute (exec.c:313)
==4765==    by 0x1335E1: shell (main.c:908)
==4765==    by 0x10B118: main (main.c:704)
==4765==
==4765==
==4765== HEAP SUMMARY:
==4765==     in use at exit: 0 bytes in 0 blocks
==4765==   total heap usage: 435 allocs, 435 frees, 46,706 bytes allocated
==4765==
==4765== All heap blocks were freed -- no leaks are possible
==4765==
==4765== For counts of detected and suppressed errors, rerun with: -v
==4765== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[Bug 1857826] [NEW] mksh ASAN heap-buffer-overflow
Public bug reported:

When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an
undefined environment variable) mksh will crash.

$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/03/01
$ set | grep XX=
$ [[ -v $XX ]]
=================================================================
==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
READ of size 1 at 0xf4d024d5 thread T0
    #0 0x56763b98 (/usr/bin/mksh+0x193b98)

0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
allocated by thread T0 here:
    #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565e115d (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
Shadow bytes around the buggy address:
  0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
  0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
  0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362==ABORTING

** Affects: mksh
     Importance: Undecided
         Status: New

** Tags: crash fuzzing
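Both reports in this thread show the same shape of defect: a "READ of size 1" located "0 bytes after" a heap block that holds a NUL-terminated string (an 11-byte block in expand for bug 1857828, a 5-byte block in isglobal for bug 1857826), in each case while the shell is handling a variable reference whose expansion is empty. The following C program is an added illustration of that defect class and of how to make it visible with AddressSanitizer; it is not mksh's code and does not claim to reproduce the mksh code path. The toy variable-name scanner, its identifier rule, the name[index] syntax and every function name are assumptions made for the demo. The unsafe scanner consumes the first byte of the name before testing it, so an empty name makes it read one byte past the terminator; the safe version beside it tests every byte before consuming it.

```c
/*
 * Added example, not mksh's code: the defect class the ASAN and Valgrind
 * reports above describe (a READ of size 1 "0 bytes after" a heap block
 * holding a NUL-terminated string) in a toy variable-name scanner, next to a
 * bounds-checked version. The identifier rule, the name[index] syntax and all
 * function names are assumptions made for this demo.
 *
 * Build and run:  cc -g -fsanitize=address demo.c -o demo && ./demo
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed identifier rule: letters, digits and underscore. */
static int is_ident_char(int c)
{
    return c == '_' || isalnum((unsigned char)c);
}

/* Unsafe scanner: it consumes name[0] without looking at it, so for an empty
 * name the first byte it tests is name[1], one past the terminator. When the
 * string sits in an exact-size heap block, that is the read the sanitizers
 * flag; in a plain build it silently reads whatever byte follows the block. */
static size_t base_len_unsafe(const char *name)
{
    const char *p = name;
    do {
        p++;
    } while (is_ident_char(*p));
    return (size_t)(p - name);
}

/* Safe scanner: every byte is tested before it is consumed and the scan stops
 * at the terminator, so an empty name yields 0 and is never read past. */
static size_t base_len_safe(const char *name)
{
    const char *p = name;
    while (*p != '\0' && is_ident_char(*p))
        p++;
    return (size_t)(p - name);
}

/* Splits "base[index]" into its index part. Returns 1 and sets *sub/*sublen
 * on success; returns 0 for an empty base, a missing bracket, or trailing
 * junk after ']'. Every access is guarded by the length found above. */
static int split_subscript(const char *name, const char **sub, size_t *sublen)
{
    size_t n = base_len_safe(name);
    const char *close;

    *sub = NULL;
    *sublen = 0;
    if (n == 0 || name[n] != '[')
        return 0;
    close = strchr(name + n + 1, ']');
    if (close == NULL || close[1] != '\0')
        return 0;
    *sub = name + n + 1;
    *sublen = (size_t)(close - *sub);
    return 1;
}

/* Exact-size heap copy: any read past the terminator leaves the block, which
 * is what makes the bug visible to ASAN (redzone) and to Memcheck. */
static char *heap_copy(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL)
        memcpy(d, s, n);
    return d;
}

int main(void)
{
    char *empty = heap_copy("");     /* 1-byte block: only the NUL */
    char *arr = heap_copy("foo[3]"); /* 7-byte block */
    const char *sub;
    size_t sublen;

    if (empty == NULL || arr == NULL)
        return 1;

    printf("safe: len(\"\") = %zu, len(\"foo[3]\") = %zu\n",
           base_len_safe(empty), base_len_safe(arr));
    if (split_subscript(arr, &sub, &sublen))
        printf("safe: subscript of foo[3] is \"%.*s\"\n", (int)sublen, sub);

    /* With -fsanitize=address this call is reported as a heap-buffer-overflow,
     * READ of size 1, 0 bytes to the right of a 1-byte region. */
    printf("unsafe: len(\"\") = %zu\n", base_len_unsafe(empty));

    free(arr);
    free(empty);
    return 0;
}
```

Running the binary built with -fsanitize=address prints the two safe results and then aborts with a report of the same form as the ones above (a 1-byte READ just past a 1-byte region allocated by malloc in heap_copy); the same binary built without the sanitizer runs to completion, which is why fuzzing a shell under ASAN or Memcheck surfaces these off-by-one reads that a normal build never shows. The fix pattern is the one in base_len_safe: never advance over a byte of a string you have not yet compared against the terminator.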