Heap-use-after-free in remove_pattern
From: Ivan Kapranov
Subject: Heap-use-after-free in remove_pattern
Date: Thu, 01 Sep 2022 03:06:57 +0300
Configuration Information:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wall
uname output: Linux koltir-Default-string 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu
Bash Version: 5.1
Patch Level: 16
Release Status: release
Hi! I was fuzzing bash with AFL++ and found a heap use-after-free in the remove_pattern function.
Description:
==9182==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001af0 at pc 0x562bb4595ca5 bp 0x7ffc5bf18450 sp 0x7ffc5bf18440
READ of size 1 at 0x602000001af0 thread T0
    #0 0x562bb4595ca4 in remove_pattern /root/bash/subst.c:4706
    #1 0x562bb45991d1 in parameter_brace_remove_pattern /root/bash/subst.c:5312
    #2 0x562bb45b0bdc in parameter_brace_expand /root/bash/subst.c:9336
    #3 0x562bb45b24af in param_expand /root/bash/subst.c:9764
    #4 0x562bb45b5c2b in expand_word_internal /root/bash/subst.c:10329
    #5 0x562bb45b8357 in expand_word_internal /root/bash/subst.c:10513
    #6 0x562bb45bf795 in shell_expand_word_list /root/bash/subst.c:11890
    #7 0x562bb45bfeb9 in expand_word_list_internal /root/bash/subst.c:12014
    #8 0x562bb45bc796 in expand_words /root/bash/subst.c:11357
    #9 0x562bb453c81f in execute_simple_command /root/bash/execute_cmd.c:4381
    #10 0x562bb4529fa8 in execute_command_internal /root/bash/execute_cmd.c:846
    #11 0x562bb4528646 in execute_command /root/bash/execute_cmd.c:395
    #12 0x562bb44f582f in reader_loop /root/bash/eval.c:170
    #13 0x562bb44f069a in main /root/bash/shell.c:811
    #14 0x7f4fa525ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #15 0x7f4fa525ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #16 0x562bb44ef064 in _start (/root/bash/bash+0x8f064)
Repeat-By:
1. Build bash with address sanitizer.
2. Run with AFL++ crafted input (in attachment).
Kind regards, Ivan Kapranov.
Attachment: id:000000,sig:06,src:004686,time:5595334,execs:1662092,op:MOpt_core_havoc,rep:2 (binary data)
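As an added example (not part of the original report and not code from bash itself), the POSIX shell functions below pull out of an AddressSanitizer report the fields a fuzzing or security team files a finding under before anyone reads the raw log: the sanitizer bug class, the faulting access, the top frame, and a call-stack signature for deduplicating a fuzzer queue. The report embedded in the block is the one quoted above, with the mail-wrapped frame lines rejoined and frames #4-#13 left out, and serves as constructed sample input; the function names and the signature format are my own choices.

```shell
#!/bin/sh
# Added example: triage fields from an AddressSanitizer report using only
# POSIX sh and awk. Nothing here is from the bug report or from bash.

# Constructed sample: the report from the message above, with the wrapped
# frame lines rejoined and frames #4-#13 omitted for brevity.
ASAN_REPORT='==9182==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001af0 at pc 0x562bb4595ca5 bp 0x7ffc5bf18450 sp 0x7ffc5bf18440
READ of size 1 at 0x602000001af0 thread T0
    #0 0x562bb4595ca4 in remove_pattern /root/bash/subst.c:4706
    #1 0x562bb45991d1 in parameter_brace_remove_pattern /root/bash/subst.c:5312
    #2 0x562bb45b0bdc in parameter_brace_expand /root/bash/subst.c:9336
    #3 0x562bb45b24af in param_expand /root/bash/subst.c:9764
    #14 0x7f4fa525ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #15 0x7f4fa525ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #16 0x562bb44ef064 in _start (/root/bash/bash+0x8f064)'

# asan_bug_class REPORT -> the sanitizer bug class, e.g. heap-use-after-free.
# The ERROR line is "==PID==ERROR: AddressSanitizer: <class> on ...".
asan_bug_class() {
    printf '%s\n' "$1" | awk '/^==[0-9]+==ERROR: AddressSanitizer:/ { print $3; exit }'
}

# asan_access REPORT -> "READ 1" / "WRITE 8": the faulting operation and its size.
asan_access() {
    printf '%s\n' "$1" | awk '/^(READ|WRITE) of size [0-9]+ at/ { print $1, $4; exit }'
}

# asan_top_frame REPORT -> "function file:line" of frame #0, the faulting site.
asan_top_frame() {
    printf '%s\n' "$1" | awk '$1 == "#0" && $3 == "in" { print $4, $5; exit }'
}

# asan_signature REPORT DEPTH -> bug class plus the first DEPTH source-level
# function names, joined with "|". Two crashes with the same signature are
# almost always the same bug, so this is the key to dedupe a fuzzer queue on.
asan_signature() {
    printf '%s\n' "$1" | awk -v depth="$2" '
        BEGIN { n = 0; sig = "" }
        /^==[0-9]+==ERROR: AddressSanitizer:/ { sig = $3 }
        # A symbolised source frame is "#N 0xADDR in func /path/file.c:LINE".
        # Frames that resolve only to a module (libc, _start) have no
        # file:line in field 5 and are skipped.
        $1 ~ /^#[0-9]+$/ && $3 == "in" && $5 ~ /:[0-9]+$/ && n < depth + 0 {
            sig = sig "|" $4; n++
        }
        END { print sig }'
}

# Stand-alone run: print the fields a triage bucket would be filed under.
printf 'class:     %s\n' "$(asan_bug_class "$ASAN_REPORT")"
printf 'access:    %s\n' "$(asan_access "$ASAN_REPORT")"
printf 'top frame: %s\n' "$(asan_top_frame "$ASAN_REPORT")"
printf 'signature: %s\n' "$(asan_signature "$ASAN_REPORT" 3)"
```

A depth of three source frames is a common compromise: frame #0 alone merges distinct bugs that happen to crash in one shared helper, while the full stack splits one bug into many buckets whenever the fuzzer reaches it through different command paths. Frames without a file:line (libc, `_start`) are excluded because they are the same for every crash and carry no information.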