bug-bash

double free SIGSEGV and SELinux AVC denial


From: Wiley Young
Subject: double free SIGSEGV and SELinux AVC denial
Date: Sat, 3 Jun 2023 16:33:29 -0700

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer
uname output: Linux localhost-live 6.2.9-300.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Mar 30 22:32:58 UTC 2023 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.2
Patch Level: 15
Release Status: release


Description:
  While trying to capture line numbers in an array, there was a
reproducible double free with an accompanying AVC denial. Uncommenting line
25 somehow eliminates the double free.


[liveuser@localhost-live]$ cat ./test-script.sh
#!/usr/bin/env -iS bash -x
ec='exit-code,'
: 'First duplicate definition of function:test'
function test(){
  shopt -s expand_aliases
    : "$ec shopt: $?"
  alias M_='m=("${l[@]}")'
    : "$ec alias: $?"
  wait -f
    : "$ec wait: $?"
  type -a M_
    : "$ec type: $?"
  M_
    : "$ec alias:M_: $?"
  }
  : "$ec definition of function:test $?"
: 'Viewing definitions of string "test"'
declare -p test
  : "$ec declare: $?"
type -a test
  : "$ec type: $?"
: 'Executing function:test'
test
  : "$ec function:test $?"
#M_                            # line 25
  #: "$ec alias:M_: $?"
: 'Second duplicate definition of function:test'
function test(){
  shopt -s expand_aliases
    : "$ec shopt: $?"
  alias M_='m=("${l[@]}")'
    : "$ec alias: $?"
  wait -f
    : "$ec wait: $?"
  type -a M_
    : "$ec type: $?"
  M_
    : "$ec alias:M_: $?"
  }
  : "$ec duplicate re-definition of function:test $?"

[liveuser@localhost-live]$


[liveuser@localhost-live]$ ./test-script.sh
+ ec=exit-code,
+ : 'First duplicate definition of function:test'
+ : 'exit-code, definition of function:test 0'
+ : 'Viewing definitions of string "test"'
+ declare -p test
./test-script.sh: line 18: declare: test: not found
+ : 'exit-code, declare: 1'
+ type -a test
test is a function
test ()
{
    shopt -s expand_aliases;
    : "$ec shopt: $?";
    alias M_='m=("${l[@]}")';
    : "$ec alias: $?";
    wait -f;
    : "$ec wait: $?";
    type -a M_;
    : "$ec type: $?";
    M_;
    : "$ec alias:M_: $?"
}
test is a shell builtin
test is /usr/bin/test
+ : 'exit-code, type: 0'
+ : 'Executing function:test'
+ test
+ shopt -s expand_aliases
+ : 'exit-code, shopt: 0'
+ alias 'M_=m=("${l[@]}")'
+ : 'exit-code, alias: 0'
+ wait -f
+ : 'exit-code, wait: 0'
+ type -a M_
M_ is aliased to `m=("${l[@]}")'
+ : 'exit-code, type: 0'
+ M_
./test-script.sh: line 13: M_: command not found
+ : 'exit-code, alias:M_: 127'
+ : 'exit-code, function:test 0'
+ : 'Second duplicate definition of function:test'
free(): double free detected in tcache 2
Aborted (core dumped)
[liveuser@localhost-live]$

