Ticket #43395

AddressSanitizer: heap-use-after-free in parse_double_bracket_operand_regex

Open Date: 2021-12-12 22:05 Last Update: 2021-12-14 00:22

Reporter: l2dy
Owner: magicant
Type:
Status: Closed
Component: shell-main
MileStone: (None)
Priority: 5 - Medium
Severity: 5 - Medium
Resolution: Fixed
File: None

Details

Reproduced by compiling yash with AddressSanitizer and running this script:

[[($ =~($(

AddressSanitizer output:

freed by thread T0 here:
    #0 0x525022 in free (/home/ubuntu/repos/yash/parser_fuzzer+0x525022)
    #1 0x588cc6 in wordunitfree /home/ubuntu/repos/yash/parser.c:202:5
    #2 0x588917 in wordfree /home/ubuntu/repos/yash/parser.c:209:2
    #3 0x58cf6f in next_token /home/ubuntu/repos/yash/parser.c:1022:5
    #4 0x592891 in extract_command_in_paren /home/ubuntu/repos/yash/parser.c:1558:2
    #5 0x5919fd in parse_cmdsubst_in_paren /home/ubuntu/repos/yash/parser.c:1524:22
    #6 0x58f63b in parse_special_word_unit /home/ubuntu/repos/yash/parser.c:1276:13
    #7 0x598d9f in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2981:20

MAKE_WORDUNIT_STRING on parser.c:2980 reads a token and saves it to lastp, but invoking parse_special_word_unit on parser.c:2981, which eventually calls next_token, will free lastp, as shown in the stack trace above. So the write to lastp on parser.c:2984 is detected by AddressSanitizer as a heap-use-after-free:

==27393==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000580 at pc 0x000000599119 bp 0x7ffd83c3df90 sp 0x7ffd83c3df88
WRITE of size 8 at 0x603000000580 thread T0
    #0 0x599118 in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2984:14

Line numbers are from commit dbdfea29bf002abd3f134e1bfd942aa2a28ab7ab.
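The shape of the bug described above, as an added example that is not yash's code and not the change made in r4178: a tail pointer (lastp) that points into a list, a callee that frees that list as a side effect, and a write through the now-stale pointer. All identifiers in the block (wordunit_T, parsestate_T, next_token, parse_special_word_unit, build_regex_buggy, build_regex_fixed) are assumed stand-ins, not yash's definitions. Instead of free(), nodes are parked in a quarantine list and flagged, so the stale write is detected and reported rather than being undefined behaviour; that is the role AddressSanitizer plays in the ticket. The "fixed" variant shows one way to close the hole (build into a list the callee cannot reach), which is not necessarily what the actual fix did.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed types, modelled on the shape of the report, not yash's parser.c. */
typedef struct wordunit {
    struct wordunit *next;   /* list link; lastp points at one of these fields */
    char *str;
    bool freed;              /* set by wordfree() instead of releasing memory */
    struct wordunit *qnext;  /* quarantine link, so freed nodes stay inspectable */
} wordunit_T;

typedef struct parsestate {
    wordunit_T *word;        /* word currently held by the parser; next_token() frees it */
} parsestate_T;

static wordunit_T *quarantine = NULL;  /* freed nodes are retained here, never reused */

static wordunit_T *wordunit_new(const char *s) {
    wordunit_T *w = calloc(1, sizeof *w);
    if (w == NULL) abort();
    w->str = malloc(strlen(s) + 1);
    if (w->str == NULL) abort();
    memcpy(w->str, s, strlen(s) + 1);
    return w;
}

/* Quarantining stand-in for free(): the node is kept so a later access
 * through a stale pointer can be recognised instead of being undefined. */
static void wordfree(wordunit_T *w) {
    while (w != NULL) {
        wordunit_T *next = w->next;
        free(w->str);
        w->str = NULL;
        w->freed = true;
        w->qnext = quarantine;
        quarantine = w;
        w = next;
    }
}

/* True if lastp is the address of the `next` field of a freed node,
 * i.e. a write through it would be a heap-use-after-free. */
static bool is_dangling(wordunit_T **lastp) {
    for (wordunit_T *q = quarantine; q != NULL; q = q->qnext)
        if (&q->next == lastp)
            return true;
    return false;
}

/* Stand-in for next_token(): discards the word the parser currently holds. */
static void next_token(parsestate_T *ps) {
    wordfree(ps->word);
    ps->word = NULL;
}

/* Stand-in for parse_special_word_unit(): parsing "$(...)" ends up calling
 * next_token(), which is the side effect visible in the ASan trace. */
static wordunit_T *parse_special_word_unit(parsestate_T *ps) {
    next_token(ps);
    return wordunit_new("$(...)");
}

/* Buggy shape: append a literal unit to ps->word, keep lastp pointing into
 * that list, call the subparser, then write through lastp.
 * Returns -1 if the write would have hit freed memory, 0 if it was safe. */
static int build_regex_buggy(parsestate_T *ps) {
    wordunit_T **lastp = &ps->word;
    wordunit_T *lit = wordunit_new("(");
    *lastp = lit;
    lastp = &lit->next;                            /* now points into ps->word */
    wordunit_T *wu = parse_special_word_unit(ps);  /* frees ps->word, and so lit */
    if (is_dangling(lastp)) {                      /* ASan would flag *lastp = wu here */
        wordfree(wu);
        return -1;
    }
    *lastp = wu;
    return 0;
}

/* Fixed shape: build into a local list the callee cannot reach, so lastp stays
 * valid across the call; hand the list to ps->word only once it is complete.
 * Returns the length of the finished list, or -1 on a detected stale write. */
static int build_regex_fixed(parsestate_T *ps) {
    wordunit_T *first = NULL, **lastp = &first;
    wordunit_T *lit = wordunit_new("(");
    *lastp = lit;
    lastp = &lit->next;
    wordunit_T *wu = parse_special_word_unit(ps);  /* may free ps->word, never first */
    if (is_dangling(lastp)) {
        wordfree(first);
        wordfree(wu);
        return -1;
    }
    *lastp = wu;
    ps->word = first;
    int n = 0;
    for (wordunit_T *w = ps->word; w != NULL; w = w->next) n++;
    return n;
}

/* Drivers with constructed parser state; each returns the outcome so a caller
 * can check it rather than relying on printed output. */
static int demo_buggy(void) { parsestate_T ps = { NULL }; return build_regex_buggy(&ps); }
static int demo_fixed(void) { parsestate_T ps = { wordunit_new("old") }; return build_regex_fixed(&ps); }

int main(void) {
    printf("buggy: %d (-1 = stale write detected)\n", demo_buggy());
    printf("fixed: %d units built\n", demo_fixed());
    return 0;
}
```

The quarantine deliberately leaks every "freed" node, which is what makes address comparison in is_dangling() sound: no quarantined address is ever handed out again by the allocator. The hardened variant follows the general rule for this bug class: never hold a raw pointer into an object across a call that may free or reallocate that object; either keep the object private to the caller until the call returns, or re-derive the pointer afterwards.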

Ticket History (3/5 Histories)

2021-12-12 22:05 Updated by: l2dy
  • New Ticket "AddressSanitizer: heap-use-after-free in parse_double_bracket_operand_regex" created
2021-12-12 22:17 Updated by: l2dy
Comment

Commit dbdfea29bf002abd3f134e1bfd942aa2a28ab7ab is r4177 on OSDN.

2021-12-13 01:09 Updated by: magicant
  • Owner Update from (None) to magicant
  • Component Update from (None) to shell-main
Comment

Thank you for reporting the bug.


Related problem: [[ x =~ ($(echo x)) ]] does not parse.

2021-12-13 23:13 Updated by: l2dy
  • Details Updated
2021-12-14 00:22 Updated by: magicant
  • Status Update from Open to Closed
  • Resolution Update from None to Fixed
Comment

Fixed in r4178

Attachment File List

No attachments
