➜ readline git:(devel) ✗ git status
On branch devel
Your branch is up to date with 'origin/devel'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: examples/fileman.c
Untracked files:
(use "git add <file>..." to include in what will be committed)
examples/rl-timeout
examples/rlkeymaps
no changes added to commit (use "git add" and/or "git commit -a")
bug_1
Stopped reason: SIGILL
0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>,
current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
1865 memmove (old_face+newbytes, old_face+oldbytes, strlen (old+oldbytes) + 1);
gdb-peda$ bt
#0 0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>,
current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
#1 0x0000000000526789 in rl_redisplay () at display.c:1334
#2 0x0000000000538418 in rl_clear_message () at display.c:3081
#3 0x0000000000560757 in _rl_arg_overflow () at misc.c:85
#4 0x00000000004e1405 in rl_digit_loop1 () at vi_mode.c:1109
#5 rl_domove_read_callback (m=m@entry=0x6040000001d0) at vi_mode.c:1334
#6 0x00000000004e1b91 in rl_vi_domove (x=<optimized out>, ignore=<optimized out>) at vi_mode.c:1389
#7 rl_vi_delete_to (count=<optimized out>, key=key@entry=0x64) at vi_mode.c:1455
#8 0x00000000004cf1b1 in _rl_dispatch_subseq (key=0x64, map=0x5dece0 <vi_movement_keymap>, got_subseq=<optimized out>) at readline.c:922
#9 0x00000000004cd71b in _rl_dispatch (key=0x0, map=0xea7160 <__afl_area_initial>) at readline.c:866
#10 readline_internal_char () at readline.c:680
#11 0x00000000004cbe05 in readline_internal_charloop () at readline.c:727
#12 readline_internal () at readline.c:739
#13 readline (prompt=0x5983e0 <str> "FileMan: ") at readline.c:387
#14 0x00000000004ca806 in main (argc=argc@entry=0x1, argv=<optimized out>, argv@entry=0x7fffffffe2a8) at fileman.c:142
#15 0x00007ffff7c1f083 in __libc_start_main (main=0x4ca720 <main>, argc=0x1, argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at ../csu/libc-start.c:308
#16 0x000000000041d5ee in _start ()
bug_2
==1101385==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008c8 at pc 0x000000553dff bp 0x7fffffffe070 sp 0x7fffffffe068
READ of size 4 at 0x6030000008c8 thread T0
#0 0x553dfe in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:108:19
#1 0x55c3ba in rl_insert_comment /root/target/AFLPLUSPLUS/readline/text.c
#2 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#3 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#4 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#5 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#6 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#7 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#8 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#9 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)
0x6030000008c8 is located 24 bytes inside of 32-byte region [0x6030000008b0,0x6030000008d0)
freed by thread T0 here:
#0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
#2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
#3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
#4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
#2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
#3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
#4 0x553b1c in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:113:2
#5 0x558cc7 in _rl_insert_char /root/target/AFLPLUSPLUS/readline/text.c:903:7
#6 0x559b78 in rl_insert /root/target/AFLPLUSPLUS/readline/text.c:955:42
#7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/text.c:108:19 in rl_insert_text
Shadow bytes around the buggy address:
==1101385==ABORTING
bug_4
==1101869==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000f88 at pc 0x000000548b29 bp 0x7ffe73741350 sp 0x7ffe73741348
READ of size 4 at 0x603000000f88 thread T0
#0 0x548b28 in rl_do_undo /root/target/AFLPLUSPLUS/readline/undo.c:188:25
#1 0x5498d4 in rl_revert_line /root/target/AFLPLUSPLUS/readline/undo.c:339:2
#2 0x4ccc76 in readline_internal_teardown /root/target/AFLPLUSPLUS/readline/readline.c:498:7
#3 0x4cbe39 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:740:11
#4 0x4cbe39 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#5 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#6 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)
0x603000000f88 is located 24 bytes inside of 32-byte region [0x603000000f70,0x603000000f90)
freed by thread T0 here:
#0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
#2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
#3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
#4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
#8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
#2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
#3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
#4 0x554222 in rl_delete_text /root/target/AFLPLUSPLUS/readline/text.c:152:5
#5 0x54293e in rl_kill_text /root/target/AFLPLUSPLUS/readline/kill.c:177:3
#6 0x54293e in rl_kill_line /root/target/AFLPLUSPLUS/readline/kill.c:254:2
#7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/undo.c:188:25 in rl_do_undo
Shadow bytes around the buggy address:
==1101869==ABORTING
bug_6
➜ uniq /root/target/AFLPLUSPLUS/readline/examples/fileman < bug_6
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas[6~l�����
-%�TSme@�
FileMan: =================================================================
==1101976==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000688 at pc 0x0000004dbfc2 bp 0x7ffdf2198570 sp 0x7ffdf2198568
READ of size 4 at 0x603000000688 thread T0
#0 0x4dbfc1 in _rl_vi_save_insert /root/target/AFLPLUSPLUS/readline/vi_mode.c:845:22
#1 0x4dbb51 in _rl_vi_done_inserting /root/target/AFLPLUSPLUS/readline/vi_mode.c:886:2
#2 0x55ac07 in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1116:7
#3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#10 0x7f3d3e3c9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)
bug_7
==1102019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002ce8 at pc 0x000000536665 bp 0x7ffe321b5710 sp 0x7ffe321b5708
READ of size 4 at 0x619000002ce8 thread T0
#0 0x536664 in _rl_move_cursor_relative /root/target/AFLPLUSPLUS/readline/display.c:2829:58
#1 0x53972b in _rl_update_final /root/target/AFLPLUSPLUS/readline/display.c:3350:7
#2 0x55ad0a in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1128:5
#3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
#4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
#5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
#6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
#7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
#8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
#9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
#10 0x7efd1d126082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)