Created May 1, 2023 00:37
Gist: fmunozs/af3268fd5a6eda8392d2773b20754b94
mksh segfaults - heap-use-after-free /home/user/mksh/mksh/lex.c:147:2 in getsc_r
## Debian mksh version

```text
user@deb64:~/mksh/mksh$ mksh
$ echo $KSH_VERSION
@(#)MIRBSD KSH R59 2021/07/10
user@deb64:~/mksh/mksh$ mksh < file
mksh: no closing quote
Segmentation fault
```

## mksh from master

```text
user@deb64:~/mksh/mksh$ ./mksh
$ echo $KSH_VERSION
@(#)MIRBSD KSH R59 2023/03/14
user@deb64:~/mksh/mksh$ ./mksh < file
E: ./mksh: no closing quote
=================================================================
==889767==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003b90 at pc 0x00000055fd9a bp 0x7ffcefdf08f0 sp 0x7ffcefdf08e8
READ of size 8 at 0x606000003b90 thread T0
    #0 0x55fd99 in getsc_r /home/user/mksh/mksh/lex.c:147:2
    #1 0x55fd99 in yylex /home/user/mksh/mksh/lex.c:231:8
    #2 0x591c4d in get_command /home/user/mksh/mksh/syn.c:292:14
    #3 0x591660 in pipeline /home/user/mksh/mksh/syn.c:117:6
    #4 0x5905a7 in andor /home/user/mksh/mksh/syn.c:138:6
    #5 0x5905a7 in c_list /home/user/mksh/mksh/syn.c:158:7
    #6 0x58c0d9 in yyparse /home/user/mksh/mksh/syn.c:104:12
    #7 0x58c0d9 in compile /home/user/mksh/mksh/syn.c:943:2
    #8 0x56a326 in shell /home/user/mksh/mksh/main.c:976:7
    #9 0x569093 in main /home/user/mksh/mksh/main.c:790:8
    #10 0x7f2c7c72ad09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #11 0x420609 in _start (/home/user/mksh/mksh/mksh+0x420609)

0x606000003b90 is located 48 bytes inside of 56-byte region [0x606000003b60,0x606000003b98)
freed by thread T0 here:
    #0 0x49a3fd in free (/home/user/mksh/mksh/mksh+0x49a3fd)
    #1 0x4ca953 in afreeall /home/user/mksh/mksh/lalloc.c:218:3

previously allocated by thread T0 here:
    #0 0x49a999 in realloc (/home/user/mksh/mksh/mksh+0x49a999)
    #1 0x4ca4cf in aresize /home/user/mksh/mksh/lalloc.c:175:12
    #2 0x591c4d in get_command /home/user/mksh/mksh/syn.c:292:14
    #3 0x591660 in pipeline /home/user/mksh/mksh/syn.c:117:6
    #4 0x4f957b in evalstr /home/user/mksh/mksh/eval.c:178:2
    #5 0x51725e in hereinval /home/user/mksh/mksh/exec.c:1630:9
    #6 0x50ee44 in herein /home/user/mksh/mksh/exec.c:1681:6

SUMMARY: AddressSanitizer: heap-use-after-free /home/user/mksh/mksh/lex.c:147:2 in getsc_r
Shadow bytes around the buggy address:
  0x0c0c7fff8720: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
  0x0c0c7fff8730: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8740: 00 00 07 fa fa fa fa fa 00 00 00 00 00 00 07 fa
  0x0c0c7fff8750: fa fa fa fa 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c0c7fff8760: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c7fff8770: fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff87a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==889767==ABORTING
user@deb64:~/mksh/mksh$ mksh
$ <<<`$((`
mksh: no closing quote
Segmentation fault
user@deb64:~/mksh/mksh$ mksh ^C
user@deb64:~/mksh/mksh$ ./mksh
$ <<<`$((`
E: ./mksh: no closing quote
=================================================================
==1109665==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003c50 at pc 0x00000055fd6d bp 0x7ffdfdeb7990 sp 0x7ffdfdeb7988
READ of size 8 at 0x606000003c50 thread T0
    #0 0x55fd6c in getsc_r /home/user/mksh/mksh/lex.c:147:2
    #1 0x55fd6c in yylex /home/user/mksh/mksh/lex.c:255:14
    #2 0x4f912d in substitute /home/user/mksh/mksh/eval.c:137:6
    #3 0x5642b3 in set_prompt /home/user/mksh/mksh/lex.c:1494:16
    #4 0x56a2df in shell /home/user/mksh/mksh/main.c:974:4
    #5 0x569093 in main /home/user/mksh/mksh/main.c:790:8
```
MirBSD/mksh@1484b94