NetBSD Problem Report #52715

From www@NetBSD.org  Fri Nov 10 13:09:34 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 28A8F7A1C6
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 10 Nov 2017 13:09:34 +0000 (UTC)
Message-Id: <20171110130933.0EADB7A208@mollari.NetBSD.org>
Date: Fri, 10 Nov 2017 13:09:33 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: sh dies with address sanitizer
X-Send-Pr-Version: www-1.0

>Number:         52715
>Category:       bin
>Synopsis:       sh dies with address sanitizer
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kre
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 10 13:10:00 +0000 2017
>Closed-Date:    Fri Nov 17 22:50:04 +0000 2017
>Last-Modified:  Fri Nov 17 22:50:04 +0000 2017
>Originator:     coypu
>Release:        netbsd-current /bin/sh
>Organization:
>Environment:
NetBSD localhost 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711061200Z) amd64
>Description:
$ cd src/bin/sh
$ make USETOOLS=no CFLAGS="-g -ggdb3 -Og -fsanitize=address -fsanitize=undefined -fPIC" LDFLAGS="-lubsan -lasan"
# sysctl -w security.pax.aslr.enabled=0

## The following is as root because I wondered how badly I screwed up by 'make install'ing it, having /bin/sh as root shell.

# LD_PRELOAD=/usr/lib/libasan.so ./sh  
=================================================================
==4614==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000fd10 at pc 0x000000453ce5 bp 0x7f7fffffe520 sp 0x7f7fffffe518
READ of size 1 at 0x61500000fd10 thread T0
    #0 0x453ce4 in outstr /usr/src/bin/sh/output.c:135
    #1 0x453d38 in out2str /usr/src/bin/sh/output.c:128
    #2 0x43cba0 in setprompt /usr/src/bin/sh/parser.c:2327
    #3 0x44c2ee in parsecmd /usr/src/bin/sh/parser.c:151
    #4 0x432c2b in cmdloop /usr/src/bin/sh/main.c:279
    #5 0x433ca5 in main /usr/src/bin/sh/main.c:242
    #6 0x403bea in ___start (/usr/src/bin/sh/sh+0x403bea)

0x61500000fd10 is located 16 bytes inside of 512-byte region [0x61500000fd00,0x61500000ff00)
freed by thread T0 here:
    #0 0x7f7ff6c15d54 in __interceptor_cfree (/usr/lib/libasan.so+0x15d54)
    #1 0x4344f4 in popstackmark /usr/src/bin/sh/memalloc.c:186
    #2 0x736f47  (/usr/src/bin/sh/sh+0x736f47)

previously allocated by thread T0 here:
    #0 0x7f7ff6c15ebc in __interceptor_malloc (/usr/lib/libasan.so+0x15ebc)
    #1 0x433f78 in ckmalloc /usr/src/bin/sh/memalloc.c:63

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/bin/sh/output.c:135 outstr
Shadow bytes around the buggy address:
  0x0c2a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a7fff9fa0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4614==ABORTING

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: bin-bug-people->kre
Responsible-Changed-By: kre@NetBSD.org
Responsible-Changed-When: Fri, 10 Nov 2017 15:15:33 +0000
Responsible-Changed-Why:
I am looking into this PR


State-Changed-From-To: open->feedback
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 10 Nov 2017 17:32:39 +0000
State-Changed-Why:
This should be fixed now, can you confirm?


From: "Robert Elz" <kre@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52715 CVS commit: src/bin/sh
Date: Fri, 10 Nov 2017 17:31:12 +0000

 Module Name:	src
 Committed By:	kre
 Date:		Fri Nov 10 17:31:12 UTC 2017

 Modified Files:
 	src/bin/sh: parser.c

 Log Message:
 PR bin/52715

 Correct a (relatively harmless) use after free in prompt expansion
 processing [detected by asan.]

 Relatively harmless: as (while incorrect) the way the data is (was)
 used more or less guaranteed that the buffer contents would be
 unaltered until well after they are (were) no longer wanted (this
 is the expanded prompt string, it is just output (or copied into
 libedit internal storage) and forgotten).

 This should make no visible difference to anyone (not using asan or
 similar.)

 XXX pullup -8


 To generate a diff of this commit:
 cvs rdiff -u -r1.144 -r1.145 src/bin/sh/parser.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
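
The use-after-free the commit message describes, as an added example that is not NetBSD's sh code: a simplified stack-mark allocator in the shape of sh's memalloc.c (stalloc/setstackmark/popstackmark), the buggy prompt path that pops the mark before the expanded string is consumed, and one safe arrangement. The prompt expansion, the getprompt_* names and the 128-byte block size are assumptions for illustration, not the committed fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stack-mark allocator modelled on sh's memalloc.c; names follow
 * sh's for orientation, but this is a simplified reimplementation.
 * Requests larger than one block are not handled here. */
struct stack_block { struct stack_block *prev; char space[128]; };
struct stackmark   { struct stack_block *block; size_t used; };
static struct stack_block *stackp;   /* current (newest) block */
static size_t stacknxt;              /* bytes used in stackp */

static void *stalloc(size_t n) {     /* bump-allocate, opening a block if needed */
    if (stackp == NULL || stacknxt + n > sizeof stackp->space) {
        struct stack_block *b = malloc(sizeof *b);
        b->prev = stackp; stackp = b; stacknxt = 0;
    }
    void *p = stackp->space + stacknxt;
    stacknxt += n;
    return p;
}
static void setstackmark(struct stackmark *m) { m->block = stackp; m->used = stacknxt; }
static void popstackmark(struct stackmark *m) { /* free blocks opened after the mark */
    while (stackp != m->block) { struct stack_block *b = stackp; stackp = b->prev; free(b); }
    stacknxt = m->used;
}

/* Hypothetical prompt expansion: prefix PS1 with the working directory. */
static char *expandprompt(const char *ps1, const char *pwd) {
    size_t n = strlen(pwd) + strlen(ps1) + 1;
    char *out = stalloc(n);
    snprintf(out, n, "%s%s", pwd, ps1);
    return out;
}

/* Buggy shape from the PR: the mark is popped (block freed) before the
 * expanded string is handed to out2str(), so outstr() reads freed memory. */
const char *getprompt_buggy(const char *ps1, const char *pwd) {
    struct stackmark m; setstackmark(&m);
    char *p = expandprompt(ps1, pwd);
    popstackmark(&m);       /* asan: freed here (popstackmark) ... */
    return p;               /* ... read later in outstr(): heap-use-after-free */
}

/* One safe shape: consume the string (copy or output) while the mark is live. */
void getprompt_fixed(const char *ps1, const char *pwd, char *dst, size_t dstlen) {
    struct stackmark m; setstackmark(&m);
    snprintf(dst, dstlen, "%s", expandprompt(ps1, pwd));
    popstackmark(&m);       /* freed only after the caller's copy exists */
}
```

Built with -fsanitize=address as in the report, dereferencing what getprompt_buggy returns is reported as heap-use-after-free with popstackmark in the free stack, matching the trace above.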

From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: PR/52715 CVS commit: src/bin/sh
Date: Fri, 10 Nov 2017 17:38:10 +0000

 It works, thanks!

 Are you interested in reports from running the testsuite? I'm trying to
 make sense of what the inputs are now

State-Changed-From-To: feedback->pending-pullups
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 10 Nov 2017 18:01:51 +0000
State-Changed-Why:
pullup-8 #355


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52715 CVS commit: [netbsd-8] src/bin/sh
Date: Fri, 17 Nov 2017 20:33:53 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Fri Nov 17 20:33:53 UTC 2017

 Modified Files:
 	src/bin/sh [netbsd-8]: parser.c

 Log Message:
 Pull up following revision(s) (requested by kre in ticket #355):
 	bin/sh/parser.c: revision 1.145
 PR bin/52715
 Correct a (relatively harmless) use after free in prompt expansion
 processing [detected by asan.]
 Relatively harmless: as (while incorrect) the way the data is (was)
 used more or less guaranteed that the buffer contents would be
 unaltered until well after they are (were) no longer wanted (this
 is the expanded prompt string, it is just output (or copied into
 libedit internal storage) and forgotten).
 This should make no visible difference to anyone (not using asan or
 similar.)


 To generate a diff of this commit:
 cvs rdiff -u -r1.132.2.2 -r1.132.2.3 src/bin/sh/parser.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 17 Nov 2017 22:50:04 +0000
State-Changed-Why:
Pullups completed


>Unformatted:
