bug-readline

From: minipython
Subject: Found bugs at display.c:1865 in update_line; text.c:108:19 in rl_insert_text; undo.c:188:25 in rl_do_undo; vi_mode.c:845:22 in _rl_vi_save_insert; display.c:2829:58 in _rl_move_cursor_relative;
Date: Wed, 19 Apr 2023 10:26:30 +0800

Here is my gdb and ASan information.
The PoC files and fileman.c are also attached.
I tested them on the devel branch.
Looking forward to your reply; I want some CVE IDs please.

Readline version: devel
Machine and OS: Ubuntu 20.04.1 x86-64
Compilation flags: "./configure CC=/root/fuzzers/AFLplusplus/afl-clang-fast CXX=/root/fuzzers/AFLplusplus/afl-clang-fast++" with ASan and UBSan instrumentation.

➜  readline git:(devel) ✗ git status                                           
On branch devel
Your branch is up to date with 'origin/devel'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   examples/fileman.c

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        examples/rl-timeout
        examples/rlkeymaps

no changes added to commit (use "git add" and/or "git commit -a")

bug_1
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>,
    current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
1865                          memmove (old_face+newbytes, old_face+oldbytes, strlen (old+oldbytes) + 1);
gdb-peda$ bt
#0  0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>,
    current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
#1  0x0000000000526789 in rl_redisplay () at display.c:1334
#2  0x0000000000538418 in rl_clear_message () at display.c:3081
#3  0x0000000000560757 in _rl_arg_overflow () at misc.c:85
#4  0x00000000004e1405 in rl_digit_loop1 () at vi_mode.c:1109
#5  rl_domove_read_callback (m=m@entry=0x6040000001d0) at vi_mode.c:1334
#6  0x00000000004e1b91 in rl_vi_domove (x=<optimized out>, ignore=<optimized out>) at vi_mode.c:1389
#7  rl_vi_delete_to (count=<optimized out>, key=key@entry=0x64) at vi_mode.c:1455
#8  0x00000000004cf1b1 in _rl_dispatch_subseq (key=0x64, map=0x5dece0 <vi_movement_keymap>, got_subseq=<optimized out>) at readline.c:922
#9  0x00000000004cd71b in _rl_dispatch (key=0x0, map=0xea7160 <__afl_area_initial>) at readline.c:866
#10 readline_internal_char () at readline.c:680
#11 0x00000000004cbe05 in readline_internal_charloop () at readline.c:727
#12 readline_internal () at readline.c:739
#13 readline (prompt=0x5983e0 <str> "FileMan: ") at readline.c:387
#14 0x00000000004ca806 in main (argc=argc@entry=0x1, argv=<optimized out>, argv@entry=0x7fffffffe2a8) at fileman.c:142
#15 0x00007ffff7c1f083 in __libc_start_main (main=0x4ca720 <main>, argc=0x1, argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at ../csu/libc-start.c:308
#16 0x000000000041d5ee in _start ()

bug_2
==1101385==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008c8 at pc 0x000000553dff bp 0x7fffffffe070 sp 0x7fffffffe068
READ of size 4 at 0x6030000008c8 thread T0
[Attaching after Thread 0x7ffff7bf8800 (LWP 1101385) fork to child process 1101386]
[New inferior 2 (process 1101386)]
[Detaching after fork from parent process 1101385]
[Inferior 1 (process 1101385) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 1101386 is executing new program: /usr/local/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x553dfe in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:108:19
    #1 0x55c3ba in rl_insert_comment /root/target/AFLPLUSPLUS/readline/text.c
    #2 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #3 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #4 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #5 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #6 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #7 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #8 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #9 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)

0x6030000008c8 is located 24 bytes inside of 32-byte region [0x6030000008b0,0x6030000008d0)
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
    #2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
    #3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
    #4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
    #3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
    #4 0x553b1c in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:113:2
    #5 0x558cc7 in _rl_insert_char /root/target/AFLPLUSPLUS/readline/text.c:903:7
    #6 0x559b78 in rl_insert /root/target/AFLPLUSPLUS/readline/text.c:955:42
    #7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/text.c:108:19 in rl_insert_text
Shadow bytes around the buggy address:
==1101385==ABORTING
[Inferior 2 (process 1101386) exited normally]
Warning: not running

bug_4
==1101869==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000f88 at pc 0x000000548b29 bp 0x7ffe73741350 sp 0x7ffe73741348
READ of size 4 at 0x603000000f88 thread T0
    #0 0x548b28 in rl_do_undo /root/target/AFLPLUSPLUS/readline/undo.c:188:25
    #1 0x5498d4 in rl_revert_line /root/target/AFLPLUSPLUS/readline/undo.c:339:2
    #2 0x4ccc76 in readline_internal_teardown /root/target/AFLPLUSPLUS/readline/readline.c:498:7
    #3 0x4cbe39 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:740:11
    #4 0x4cbe39 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #5 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #6 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)

0x603000000f88 is located 24 bytes inside of 32-byte region [0x603000000f70,0x603000000f90)
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
    #2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
    #3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
    #4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
    #3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
    #4 0x554222 in rl_delete_text /root/target/AFLPLUSPLUS/readline/text.c:152:5
    #5 0x54293e in rl_kill_text /root/target/AFLPLUSPLUS/readline/kill.c:177:3
    #6 0x54293e in rl_kill_line /root/target/AFLPLUSPLUS/readline/kill.c:254:2
    #7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/undo.c:188:25 in rl_do_undo
Shadow bytes around the buggy address:
==1101869==ABORTING


bug_6
➜  uniq /root/target/AFLPLUSPLUS/readline/examples/fileman < bug_6
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas[6~l�����
-%�TSme@�
FileMan: =================================================================
==1101976==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000688 at pc 0x0000004dbfc2 bp 0x7ffdf2198570 sp 0x7ffdf2198568
READ of size 4 at 0x603000000688 thread T0
    #0 0x4dbfc1 in _rl_vi_save_insert /root/target/AFLPLUSPLUS/readline/vi_mode.c:845:22
    #1 0x4dbb51 in _rl_vi_done_inserting /root/target/AFLPLUSPLUS/readline/vi_mode.c:886:2
    #2 0x55ac07 in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1116:7
    #3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #10 0x7f3d3e3c9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)

bug_7
==1102019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002ce8 at pc 0x000000536665 bp 0x7ffe321b5710 sp 0x7ffe321b5708
READ of size 4 at 0x619000002ce8 thread T0
    #0 0x536664 in _rl_move_cursor_relative /root/target/AFLPLUSPLUS/readline/display.c:2829:58
    #1 0x53972b in _rl_update_final /root/target/AFLPLUSPLUS/readline/display.c:3350:7
    #2 0x55ad0a in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1128:5
    #3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #10 0x7efd1d126082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)

Attachment: uniq.zip
Description: Binary data

Attachment: fileman.c
Description: Binary data

