bin/52715: sh dies with address sanitizer

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/52715: sh dies with address sanitizer
From: coypu%sdf.org@localhost
Date: Fri, 10 Nov 2017 13:10:01 +0000 (UTC)

>Number:         52715
>Category:       bin
>Synopsis:       sh dies with address sanitizer
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 10 13:10:00 +0000 2017
>Originator:     coypu
>Release:        netbsd-current /bin/sh
>Organization:
>Environment:
NetBSD localhost 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711061200Z) amd64
>Description:
$ cd src/bin/sh
$ make USETOOLS=no CFLAGS="-g -ggdb3 -Og -fsanitize=address -fsanitize=undefined -fPIC" LDFLAGS="-lubsan -lasan"
# sysctl -w security.pax.aslr.enabled=0

## The following is as root because I wondered how badly I screwed up by 'make install'ing it, having /bin/sh as root shell.

# LD_PRELOAD=/usr/lib/libasan.so ./sh  
=================================================================
==4614==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000fd10 at pc 0x000000453ce5 bp 0x7f7fffffe520 sp 0x7f7fffffe518
READ of size 1 at 0x61500000fd10 thread T0
    #0 0x453ce4 in outstr /usr/src/bin/sh/output.c:135
    #1 0x453d38 in out2str /usr/src/bin/sh/output.c:128
    #2 0x43cba0 in setprompt /usr/src/bin/sh/parser.c:2327
    #3 0x44c2ee in parsecmd /usr/src/bin/sh/parser.c:151
    #4 0x432c2b in cmdloop /usr/src/bin/sh/main.c:279
    #5 0x433ca5 in main /usr/src/bin/sh/main.c:242
    #6 0x403bea in ___start (/usr/src/bin/sh/sh+0x403bea)

0x61500000fd10 is located 16 bytes inside of 512-byte region [0x61500000fd00,0x61500000ff00)
freed by thread T0 here:
    #0 0x7f7ff6c15d54 in __interceptor_cfree (/usr/lib/libasan.so+0x15d54)
    #1 0x4344f4 in popstackmark /usr/src/bin/sh/memalloc.c:186
    #2 0x736f47  (/usr/src/bin/sh/sh+0x736f47)

previously allocated by thread T0 here:
    #0 0x7f7ff6c15ebc in __interceptor_malloc (/usr/lib/libasan.so+0x15ebc)
    #1 0x433f78 in ckmalloc /usr/src/bin/sh/memalloc.c:63

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/bin/sh/output.c:135 outstr
Shadow bytes around the buggy address:
  0x0c2a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a7fff9fa0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4614==ABORTING

>How-To-Repeat:

>Fix:

Prev by Date: Re: kern/52709: Panic in filt_genfsread building lang/go package
Next by Date: bin/52716: nvi dies with address sanitizer
Previous by Thread: kern/52714: NetBSD-8_BETA on Dell R740 crashes to BIOS on boot
Next by Thread: bin/52716: nvi dies with address sanitizer
Indexes:

Home | Main Index | Thread Index | Old Index