mksh expand ASAN heap-buffer-overflow

Bug #1857828 reported by Fernando Muñoz
Affects: mksh
Status: Fix Released
Importance: High
Assigned to: Thorsten Glaser

Bug Description

ubuntu@bashfz:~/newmksh/mksh$ mksh -c 'echo ${0@#$0}'
=================================================================
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc (/usr/bin/mksh+0x7befc)

0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565df15d (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x7befc)
Shadow bytes around the buggy address:
  0x3e9a0250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a02a0: fa fa fa fa fa fa fa fa fa fa 00[01]fa fa 00 01
  0x3e9a02b0: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 00
  0x3e9a02c0: fa fa 00 05 fa fa 00 04 fa fa fd fd fa fa fd fd
  0x3e9a02d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3e9a02e0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
  0x3e9a02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==4807==ABORTING

ubuntu@bashfz:~/newmksh/mksh$ valgrind ./mksh -c 'echo ${0@#$0}'
==4808== Memcheck, a memory error detector
==4808== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4808== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4808== Command: ./mksh -c echo\ ${0@#$0}
==4808==
==4808== Invalid read of size 1
==4808== at 0x118527: expand (eval.c:821)
==4808== by 0x11AABD: eval (eval.c:154)
==4808== by 0x11C630: execute (exec.c:124)
==4808== by 0x1335E1: shell (main.c:908)
==4808== by 0x10B118: main (main.c:704)
==4808== Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808== at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808== by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808== by 0x10B68C: aresize (lalloc.c:154)
==4808== by 0x1420F0: setstr (var.c:491)
==4808== by 0x14300F: isglobal (var.c:272)
==4808== by 0x14305D: global (var.c:238)
==4808== by 0x11A9E5: varsub (eval.c:1378)
==4808== by 0x11A9E5: expand (eval.c:390)
==4808== by 0x11AABD: eval (eval.c:154)
==4808== by 0x11C630: execute (exec.c:124)
==4808== by 0x1335E1: shell (main.c:908)
==4808== by 0x10B118: main (main.c:704)
==4808==
==4808== Invalid read of size 1
==4808== at 0x1173CF: expand (eval.c:869)
==4808== by 0x11AABD: eval (eval.c:154)
==4808== by 0x11C630: execute (exec.c:124)
==4808== by 0x1335E1: shell (main.c:908)
==4808== by 0x10B118: main (main.c:704)
==4808== Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808== at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808== by 0x4836C88: realloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808== by 0x10B68C: aresize (lalloc.c:154)
==4808== by 0x1420F0: setstr (var.c:491)
==4808== by 0x14300F: isglobal (var.c:272)
==4808== by 0x14305D: global (var.c:238)
==4808== by 0x11A9E5: varsub (eval.c:1378)
==4808== by 0x11A9E5: expand (eval.c:390)
==4808== by 0x11AABD: eval (eval.c:154)
==4808== by 0x11C630: execute (exec.c:124)
==4808== by 0x1335E1: shell (main.c:908)
==4808== by 0x10B118: main (main.c:704)
==4808==

==4808==
==4808== HEAP SUMMARY:
==4808== in use at exit: 0 bytes in 0 blocks
==4808== total heap usage: 438 allocs, 438 frees, 30,013 bytes allocated
==4808==
==4808== All heap blocks were freed -- no leaks are possible
==4808==
==4808== For counts of detected and suppressed errors, rerun with: -v
==4808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
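
The two reports above carry the same facts in two formats: a one-byte read at offset 0 past a small heap block that was last resized through setstr() (the 9-byte versus 11-byte block size is not a contradiction; the ASan run is against the installed /usr/bin/mksh while the Valgrind run is against the locally built ./mksh, as the commands show). Pulling those facts out mechanically is how a fuzzing pipeline buckets crashes. The following is an added example, written for this page and not part of the bug report or of mksh: a parser for AddressSanitizer and Memcheck output. MemReport, parse_asan and parse_valgrind are names chosen here; the sample input is trimmed from the two reports above.

```python
"""Triage helper for AddressSanitizer and Valgrind Memcheck reports.
Added example (not from the mksh bug report or from mksh itself): it turns the
free-text sanitizer output into a record so fuzzer crashes can be bucketed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MemReport:
    tool: str                      # "asan" or "valgrind"
    kind: str                      # "heap-buffer-overflow", "Invalid read", ...
    access: Optional[str] = None   # "READ" or "WRITE"
    size: Optional[int] = None     # bytes accessed
    offset: Optional[int] = None   # distance from the block: 0 = first byte past its end
    block_size: Optional[int] = None
    frames: List[str] = field(default_factory=list)        # faulting stack
    alloc_frames: List[str] = field(default_factory=list)  # allocation stack

    def bucket(self) -> str:
        # Dedup key: access type, width and the frame that faulted.
        return f"{self.access}:{self.size}:{self.frames[0] if self.frames else '?'}"


ASAN_ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ASAN_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
ASAN_LOCATED = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte")
ASAN_FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?\(?(.*?)\)?$")
VG_LINE = re.compile(r"^==\d+==\s?(.*)$")
VG_ERROR = re.compile(r"^Invalid (read|write) of size (\d+)")
VG_ADDR = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) a block of size (\d+)")
VG_FRAME = re.compile(r"^(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)$")


def parse_asan(text: str) -> Optional[MemReport]:
    """Parse one ASan report; frames go to whichever stack was announced last."""
    rep, target = None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if rep is None:
            if m := ASAN_ERROR.search(line):
                rep = MemReport("asan", m.group(1))
        elif m := ASAN_ACCESS.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            target = rep.frames
        elif m := ASAN_LOCATED.search(line):
            n, side, rep.block_size = int(m.group(1)), m.group(2), int(m.group(3))
            rep.offset = n if side == "right" else -n   # negative = underflow
        elif line.startswith(("allocated by", "freed by", "previously allocated by")):
            target = rep.alloc_frames
        elif (m := ASAN_FRAME.match(line)) and target is not None:
            target.append(f"{m.group(1)} ({m.group(2)})" if m.group(1) else m.group(2))
    return rep


def parse_valgrind(text: str) -> List[MemReport]:
    """Parse every 'Invalid read/write' error in a Memcheck log."""
    reports, rep, target = [], None, None
    for raw in text.splitlines():
        if not (m := VG_LINE.match(raw.strip())):
            continue                                   # program output, not Memcheck
        line = m.group(1).strip()
        if not line:
            rep, target = None, None                   # an empty ==PID== line ends an error
        elif m := VG_ERROR.match(line):
            rep = MemReport("valgrind", f"Invalid {m.group(1)}",
                            access=m.group(1).upper(), size=int(m.group(2)))
            reports.append(rep)
            target = rep.frames
        elif rep and (m := VG_ADDR.match(line)):
            n, where, rep.block_size = int(m.group(1)), m.group(2), int(m.group(3))
            rep.offset = {"after": n, "before": -n}.get(where)
            target = rep.alloc_frames
        elif rep and (m := VG_FRAME.match(line)) and target is not None:
            target.append(m.group(1))
    return reports


# Constructed sample input: trimmed copies of the two reports on this page.
ASAN_SAMPLE = """\
==4807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d01559 at pc 0x56649efd bp 0xffe0e668 sp 0xffe0e658
READ of size 1 at 0xf4d01559 thread T0
    #0 0x56649efc (/usr/bin/mksh+0x7befc)
0xf4d01559 is located 0 bytes to the right of 9-byte region [0xf4d01550,0xf4d01559)
allocated by thread T0 here:
    #0 0xf7aae5bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
"""
VG_SAMPLE = """\
==4808== Invalid read of size 1
==4808==    at 0x118527: expand (eval.c:821)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
==4808==
==4808== Invalid read of size 1
==4808==    at 0x1173CF: expand (eval.c:869)
==4808==  Address 0x4a36873 is 0 bytes after a block of size 11 alloc'd
==4808==    at 0x483453B: malloc (in /usr/lib/i386-linux-gnu/valgrind/vgpreload_memcheck-x86-linux.so)
==4808==    by 0x10B68C: aresize (lalloc.c:154)
==4808==    by 0x1420F0: setstr (var.c:491)
"""

if __name__ == "__main__":
    for r in [parse_asan(ASAN_SAMPLE)] + parse_valgrind(VG_SAMPLE):
        print(r.bucket(), "| offset", r.offset, "| block", r.block_size)
```

Bucketing by the top faulting frame keeps the two Valgrind errors apart (eval.c:821 and eval.c:869 are different read sites), while the identical allocation stack through aresize() and setstr() is what ties them to one block and one root cause; a pipeline that merges on the allocation site instead will count this as a single bug. The offset of 0 with a 1-byte read is the important field for prioritisation: it says the read stops exactly one byte past the block, which is what a scanner that walks past a string's end looks like, and not an attacker-controlled distance.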

Changed in mksh:
assignee: nobody → Thorsten Glaser (mirabilos)
importance: Undecided → High
status: New → Triaged
Thorsten Glaser (mirabilos) wrote:

fix is making it to the anoncvs and github mirrors within the hour

Changed in mksh:
status: Triaged → Fix Committed
Changed in mksh:
status: Fix Committed → Fix Released