NetBSD-Bugs archive


Re: bin/52348: sh (alias.c:271) invokes undefined behaviour



The following reply was made to PR bin/52348; it has been noted by GNATS.

From: coypu%sdf.org@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc: kre%NetBSD.org@localhost
Subject: Re: bin/52348: sh (alias.c:271) invokes undefined behaviour
Date: Thu, 29 Jun 2017 05:33:05 +0000

 On Thu, Jun 29, 2017 at 05:00:01AM +0000, Robert Elz wrote:
 >  Can you tell me what the actual input was that causes this problem?
 
 Found something else by writing down an example.
 It shows the original, too.
 I think it doesn't like the negative index use.
 
 I'm trying to test on a real environment to get better coverage, so I'm
 doing normally ill-advised things like installing it to my real /bin.
 
 $ cd /usr/src/*/sh
 $ make USETOOLS=no CFLAGS="-fPIC -fsanitize=address -fsanitize=undefined" LDFLAGS="-lubsan -lasan" -j5
 $ su
 ### very dangerous step!
 ### doing 'su' again isn't possible as LD_PRELOAD is needed
 ### to run sh (and will be ignored by su).
 # make install USETOOLS=no LD_PRELOAD=/usr/lib/libasan.so
 
 $ export LD_PRELOAD=/usr/lib/libasan.so
 $ make distclean; make
 
 ...
 #    create  sh/token.h
 AWK=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbawk  MKTEMP=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbmktemp  SED=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbsed /bin/sh mktokens
 alias.c:271:15: runtime error: left shift of negative value -126
 mktokens: /usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbawk: not found
 =================================================================
 ==27210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000237f at pc 0x00000040c9fd bp 0x7f7fffffdb80 sp 0x7f7fffffdb78
 READ of size 1 at 0x61900000237f thread T0
     #0 0x40c9fc in exvwarning error.c
     #1 0x40ce6c in exverror error.c
     #2 0x40d0d8 in exerror (/bin/sh+0x40d0d8)
     #3 0x41ac18 in shellexec (/bin/sh+0x41ac18)
     #4 0x418e3d in evalcommand (/bin/sh+0x418e3d)
     #5 0x40f2e0 in evaltree (/bin/sh+0x40f2e0)
     #6 0x4460f5 in cmdloop (/bin/sh+0x4460f5)
     #7 0x445c60 in main (/bin/sh+0x445c60)
     #8 0x40401a in ___start (/bin/sh+0x40401a)
 
 0x61900000237f is located 1 bytes to the left of 1024-byte region [0x619000002380,0x619000002780)
 freed by thread T0 here:
     #0 0x7f7ff6c15914 in __interceptor_cfree (/usr/lib/libasan.so+0x15914)
     #1 0x469827 in freestdout (/bin/sh+0x469827)
     #2 0x418519 in evalcommand (/bin/sh+0x418519)
     #3 0x40f2e0 in evaltree (/bin/sh+0x40f2e0)
     #4 0x4460f5 in cmdloop (/bin/sh+0x4460f5)
     #5 0x445c60 in main (/bin/sh+0x445c60)
     #6 0x40401a in ___start (/bin/sh+0x40401a)
 
 previously allocated by thread T0 here:
     #0 0x7f7ff6c15a7c in __interceptor_malloc (/usr/lib/libasan.so+0x15a7c)
     #1 0x446844 in ckmalloc (/bin/sh+0x446844)
     #2 0x468aa2 in emptyoutbuf (/bin/sh+0x468aa2)
     #3 0x40bcf3 in echocmd (/bin/sh+0x40bcf3)
     #4 0x41823b in evalcommand (/bin/sh+0x41823b)
     #5 0x40f2e0 in evaltree (/bin/sh+0x40f2e0)
     #6 0x4460f5 in cmdloop (/bin/sh+0x4460f5)
     #7 0x445c60 in main (/bin/sh+0x445c60)
     #8 0x40401a in ___start (/bin/sh+0x40401a)
 
 SUMMARY: AddressSanitizer: heap-buffer-overflow error.c:0 exvwarning
 Shadow bytes around the buggy address:
   0x0c327fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c327fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c327fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c327fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c327fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 =>0x0c327fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
   0x0c327fff8470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c327fff8480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c327fff8490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c327fff84a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x0c327fff84b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07 
   Heap left redzone:       fa
   Heap right redzone:      fb
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack partial redzone:   f4
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
 ==27210==ABORTING
 ==25994==AddressSanitizer: while reporting a bug found another one. Ignoring.
 ==13051==AddressSanitizer: while reporting a bug found another one. Ignoring.
 ==28262==AddressSanitizer: while reporting a bug found another one. Ignoring.
 #    create  sh/nodenames.h
 AWK=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbawk  MKTEMP=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbmktemp  SED=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbsed /bin/sh mknodenames.sh nodes.h > nodenames.h
 #    create  sh/optinit.h
 AWK=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbawk  MKTEMP=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbmktemp  SED=/usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbsed /bin/sh mkoptions.sh option.list optinit.h /usr/src/bin/sh
 alias.c:271:15: runtime error: left shift of negative value -126
 mkoptions.sh: /usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbmktemp: not found
 mkoptions.sh: /usr/src/obj/tooldir.NetBSD-8.99.1-amd64/bin/nbmktemp: not found
 mkoptions.sh: cannot create : directory nonexistent
 *** Error code 2
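
Added example, not part of the original message and not the sh source: how a byte of 0x82 read through a signed `char` becomes the -126 that UBSan reports being left-shifted, next to a well-defined form that goes through `unsigned char` first. The page does not show line 271 of alias.c, so the hash shape, `TABSIZE` and the function names here are hypothetical, and the input is constructed.

```c
#include <stdio.h>

#define TABSIZE 39u	/* hypothetical table size, chosen for this example */

/* What a signed-char platform hands to the shift: byte 0x82 becomes -126. */
static int
as_signed_char(const char *p)
{
	return (int)(signed char)*p;
}

/*
 * Assumed shape of the expression UBSan flags when char is signed and
 * the first byte is >= 0x80:
 *	hashval = *p << 4;	(*p promotes to int -126; the shift is undefined)
 * Well-defined form: read the bytes as unsigned char, widen, then shift.
 */
static unsigned int
bucket_of(const char *p)
{
	const unsigned char *u = (const unsigned char *)p;
	unsigned int hashval = (unsigned int)*u << 4;

	while (*u != '\0')
		hashval += *u++;
	return hashval % TABSIZE;
}

int
main(void)
{
	const char name[] = "\x82" "ab";	/* constructed input, first byte 0x82 */

	printf("promoted value: %d\n", as_signed_char(name));
	printf("bucket:         %u\n", bucket_of(name));
	return 0;
}
```

Building this with -fsanitize=undefined, as in the make line above, produces no report, because no negative value ever reaches the shift.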
 

