NetBSD Problem Report #52715
From www@NetBSD.org Fri Nov 10 13:09:34 2017
Date: Fri, 10 Nov 2017 13:09:33 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: sh dies with address sanitizer
X-Send-Pr-Version: www-1.0
>Number: 52715
>Category: bin
>Synopsis: sh dies with address sanitizer
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kre
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 10 13:10:00 +0000 2017
>Closed-Date: Fri Nov 17 22:50:04 +0000 2017
>Last-Modified: Fri Nov 17 22:50:04 +0000 2017
>Originator: coypu
>Release: netbsd-current /bin/sh
>Organization:
>Environment:
NetBSD localhost 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711061200Z) amd64
>Description:
$ cd src/bin/sh
$ make USETOOLS=no CFLAGS="-g -ggdb3 -Og -fsanitize=address -fsanitize=undefined -fPIC" LDFLAGS="-lubsan -lasan"
# sysctl -w security.pax.aslr.enabled=0
## The following is as root because I wondered how badly I screwed up by 'make install'ing it, having /bin/sh as root shell.
# LD_PRELOAD=/usr/lib/libasan.so ./sh
=================================================================
==4614==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000fd10 at pc 0x000000453ce5 bp 0x7f7fffffe520 sp 0x7f7fffffe518
READ of size 1 at 0x61500000fd10 thread T0
#0 0x453ce4 in outstr /usr/src/bin/sh/output.c:135
#1 0x453d38 in out2str /usr/src/bin/sh/output.c:128
#2 0x43cba0 in setprompt /usr/src/bin/sh/parser.c:2327
#3 0x44c2ee in parsecmd /usr/src/bin/sh/parser.c:151
#4 0x432c2b in cmdloop /usr/src/bin/sh/main.c:279
#5 0x433ca5 in main /usr/src/bin/sh/main.c:242
#6 0x403bea in ___start (/usr/src/bin/sh/sh+0x403bea)
0x61500000fd10 is located 16 bytes inside of 512-byte region [0x61500000fd00,0x61500000ff00)
freed by thread T0 here:
#0 0x7f7ff6c15d54 in __interceptor_cfree (/usr/lib/libasan.so+0x15d54)
#1 0x4344f4 in popstackmark /usr/src/bin/sh/memalloc.c:186
#2 0x736f47 (/usr/src/bin/sh/sh+0x736f47)
previously allocated by thread T0 here:
#0 0x7f7ff6c15ebc in __interceptor_malloc (/usr/lib/libasan.so+0x15ebc)
#1 0x433f78 in ckmalloc /usr/src/bin/sh/memalloc.c:63
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/bin/sh/output.c:135 outstr
Shadow bytes around the buggy address:
==4614==ABORTING
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->kre
Responsible-Changed-By: kre@NetBSD.org
Responsible-Changed-When: Fri, 10 Nov 2017 15:15:33 +0000
Responsible-Changed-Why:
I am looking into this PR
State-Changed-From-To: open->feedback
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 10 Nov 2017 17:32:39 +0000
State-Changed-Why:
This should be fixed now, can you confirm?
From: "Robert Elz" <kre@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52715 CVS commit: src/bin/sh
Date: Fri, 10 Nov 2017 17:31:12 +0000
Module Name: src
Committed By: kre
Date: Fri Nov 10 17:31:12 UTC 2017
Modified Files:
src/bin/sh: parser.c
Log Message:
PR bin/52715
Correct a (relatively harmless) use after free in prompt expansion
processing [detected by asan.]
Relatively harmless: as (while incorrect) the way the data is (was)
used more or less guaranteed that the buffer contents would be
unaltered until well after they are (were) no longer wanted (this
is the expanded prompt string, it is just output (or copied into
libedit internal storage) and forgotten.
This should make no visible difference to anyone (not using asan or
similar.)
XXX pullup -8
To generate a diff of this commit:
cvs rdiff -u -r1.144 -r1.145 src/bin/sh/parser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
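The commit message above states the ordering bug but not the allocator that turns it into a use-after-free. The C program below is an added illustration, not NetBSD sh's code: it models a mark/release stack allocator (the names stalloc, setstackmark, popstackmark and blocks_freed are assumed for the model) and shows the buggy ordering from the trace, where the freed block is read after popstackmark(), beside the fixed ordering that copies the prompt first.

```c
/* Constructed model of a mark/release stack allocator (cf. popstackmark() in the trace); not sh's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BLOCKSZ 512
struct stackblock { struct stackblock *prev; char space[BLOCKSZ]; };
struct stackmark  { struct stackblock *block; size_t used; };
static struct stackblock *stackp;  /* newest block, NULL at start */
static size_t stacknxt;            /* bytes already used in stackp */
int blocks_freed;                  /* demo bookkeeping: blocks released by popstackmark() */
static void *stalloc(size_t n) {
    if (stackp == NULL || stacknxt + n > BLOCKSZ) {  /* push a fresh block */
        struct stackblock *b = malloc(sizeof *b);
        b->prev = stackp; stackp = b; stacknxt = 0;
    }
    void *p = stackp->space + stacknxt; stacknxt += n; return p;
}
static void setstackmark(struct stackmark *m) { m->block = stackp; m->used = stacknxt; }
static void popstackmark(struct stackmark *m) {
    while (stackp != m->block) {   /* free every block pushed since the mark */
        struct stackblock *b = stackp;
        stackp = b->prev; free(b); blocks_freed++;
    }
    stacknxt = m->used;
}
/* The expanded prompt is built in stack space: it lives only until the enclosing mark is popped. */
static char *expandprompt(const char *fmt) {
    return strcpy(stalloc(strlen(fmt) + 1), fmt);  /* real code would expand $PS1 escapes here */
}
/* Buggy ordering, as in the trace: pop the mark, then hand the string to out2str(). */
char *setprompt_buggy(const char *fmt) {
    struct stackmark m; setstackmark(&m);
    char *p = expandprompt(fmt);
    popstackmark(&m);                /* frees the block p points into */
    return p;                        /* dangling: ASan flags the first read */
}
/* Fixed ordering: copy (or output) the string before releasing the mark. */
char *setprompt_fixed(const char *fmt) {
    struct stackmark m; setstackmark(&m);
    char *p = expandprompt(fmt);
    char *copy = malloc(strlen(p) + 1);  /* caller-owned heap copy */
    strcpy(copy, p);
    popstackmark(&m);
    return copy;
}
int main(void) {
    char *ok = setprompt_fixed("$ ");
    printf("fixed: %s (blocks freed: %d)\n", ok, blocks_freed); free(ok);
    printf("buggy: %s\n", setprompt_buggy("$ "));  /* UAF: build with -fsanitize=address to see it */
}
```

Without a sanitizer the buggy path usually still prints the prompt, because nothing reuses the freed block before the read; that is exactly the "relatively harmless" behaviour the commit message describes, and why the bug only surfaced under asan.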
From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: PR/52715 CVS commit: src/bin/sh
Date: Fri, 10 Nov 2017 17:38:10 +0000
It works, thanks!
Are you interested in reports from running the testsuite? I'm trying to
make sense of what the inputs are now.
State-Changed-From-To: feedback->pending-pullups
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 10 Nov 2017 18:01:51 +0000
State-Changed-Why:
pullup-8 #355
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52715 CVS commit: [netbsd-8] src/bin/sh
Date: Fri, 17 Nov 2017 20:33:53 +0000
Module Name: src
Committed By: snj
Date: Fri Nov 17 20:33:53 UTC 2017
Modified Files:
src/bin/sh [netbsd-8]: parser.c
Log Message:
Pull up following revision(s) (requested by kre in ticket #355):
bin/sh/parser.c: revision 1.145
PR bin/52715
Correct a (relatively harmless) use after free in prompt expansion
processing [detected by asan.]
Relatively harmless: as (while incorrect) the way the data is (was)
used more or less guaranteed that the buffer contents would be
unaltered until well after they are (were) no longer wanted (this
is the expanded prompt string, it is just output (or copied into
libedit internal storage) and forgotten.
This should make no visible difference to anyone (not using asan or
similar.)
To generate a diff of this commit:
cvs rdiff -u -r1.132.2.2 -r1.132.2.3 src/bin/sh/parser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: kre@NetBSD.org
State-Changed-When: Fri, 17 Nov 2017 22:50:04 +0000
State-Changed-Why:
Pullups completed
>Unformatted: