bug-bash

SourceAv in rewind_input_string when trying to compare with rvalue


From: Александр Ушаков
Subject: SourceAv in rewind_input_string when trying to compare with rvalue
Date: Fri, 25 Apr 2025 23:06:54 +0300
User-agent: SOGoMail 5.11.0-rp19

Dear Bash Maintainers,
I encountered an issue in Bash and would like to report it. crash2.txt is 
attached to the email. 

Steps to reproduce

$ CC=clang-19 CFLAGS="-fsanitize=address -g -O0" ./configure --without-bash-malloc
$ make
$ cat crash2.txt | ./bash 

Expected Behaviour

Any error message without an ASan ERROR.

Actual Behaviour

==2054281==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff7fff (pc 0x5555556f8b1c bp 0x7fffffff7df0 sp 0x7fffffff7de0 T0)
==2054281==The signal is caused by a READ memory access.
   #0 0x5555556f8b1c in rewind_input_string /home/as/projects/bash/up/bash/./parse.y:1816:7
   #1 0x5555558711b3 in parse_string /home/as/projects/bash/up/bash/builtins/evalstring.c:729:6
   #2 0x5555556fe39d in xparse_dolparen /home/as/projects/bash/up/bash/./parse.y:4738:8
   #3 0x555555789ee2 in extract_command_subst /home/as/projects/bash/up/bash/subst.c:1271:13
   #4 0x55555578b175 in extract_delimited_string /home/as/projects/bash/up/bash/subst.c:1429:15
   #5 0x55555578b51a in extract_delimited_string /home/as/projects/bash/up/bash/subst.c:1449:8
   #6 0x55555578b51a in extract_delimited_string /home/as/projects/bash/up/bash/subst.c:1449:8
   #7 0x55555578b5ec in extract_delimited_string /home/as/projects/bash/up/bash/subst.c:1459:8
   #8 0x5555557945b2 in skip_matched_pair /home/as/projects/bash/up/bash/subst.c:2158:13
   #9 0x5555557930db in skipsubscript /home/as/projects/bash/up/bash/subst.c:2186:11
   #10 0x5555557157e4 in assignment /home/as/projects/bash/up/bash/general.c:509:11
   #11 0x555555711b33 in token_is_assignment /home/as/projects/bash/up/bash/./parse.y:5269:7
   #12 0x55555570a27e in read_token_word /home/as/projects/bash/up/bash/./parse.y:5638:15
   #13 0x555555704a1d in read_token /home/as/projects/bash/up/bash/./parse.y:3801:12
   #14 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3068:19
   #15 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
   #16 0x555555710e41 in parse_comsub /home/as/projects/bash/up/bash/./parse.y:4539:7
   #17 0x555555710322 in parse_matched_pair /home/as/projects/bash/up/bash/./parse.y:4163:16
   #18 0x555555709f64 in read_token_word /home/as/projects/bash/up/bash/./parse.y:5624:11
   #19 0x555555704a1d in read_token /home/as/projects/bash/up/bash/./parse.y:3801:12
   #20 0x5555556f8390 in yylex /home/as/projects/bash/up/bash/./parse.y:3068:19
   #21 0x5555556ee897 in yyparse /home/as/projects/bash/up/bash/y.tab.c:1912:16
   #22 0x5555556edd29 in parse_command /home/as/projects/bash/up/bash/eval.c:369:7
   #23 0x5555556ed53e in read_command /home/as/projects/bash/up/bash/eval.c:414:12
   #24 0x5555556ec9ec in reader_loop /home/as/projects/bash/up/bash/eval.c:147:11
   #25 0x5555556e743e in main /home/as/projects/bash/up/bash/shell.c:834:3
   #26 0x7ffff7cac249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
   #27 0x7ffff7cac304 in __libc_start_main csu/../csu/libc-start.c:360:3
   #28 0x555555606aa0 in _start (/home/as/projects/bash/up/bash/bash+0xb2aa0) (BuildId: de2fc7db85184fa111505879caea6faa2d9470c4)
==2054281==Register values:
rax = 0x000000001fffffff  rbx = 0x00007fffffff7fe0  rcx = 0x00005555563c5820  rdx = 0x000000000000013b
rdi = 0x00007ffff78dc050  rsi = 0x00007ffff78dc0d0  rbp = 0x00007fffffff7df0  rsp = 0x00007fffffff7de0
r8 = 0x0000000000000020   r9 = 0x0000524000054000  r10 = 0x00007fffffffff01  r11 = 0x22901ec408173e01
r12 = 0x0000000000000000  r13 = 0x00007fffffffde98  r14 = 0x0000555555a1afd0  r15 = 0x00007ffff7ffd020
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/as/projects/bash/up/bash/./parse.y:1816:7 in rewind_input_string
==2054281==ABORTING

Additional Notes

The reason for the fault is an attempt to dereference the string field, which is nullptr:
 
void
rewind_input_string ()
{
  int xchars;

  /* number of unconsumed characters in the input -- XXX need to take newlines
     into account, e.g., $(...\n) */
  xchars = shell_input_line_len - shell_input_line_index;
  if (bash_input.location.string[-1] == '\n')   /* <-- faulting line */
    xchars++;

Suggested Solution

Add an extra check to the conditional statement:

if (bash_input.location.string && bash_input.location.string[-1] == '\n')


Bash Version

as@astra:~/projects/bash/up/bash$ ./bashversion 
5.3.0(1)-rc1

Also, the behaviour reproduces on the release version of bash 5.2.

System Info

Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23 09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.1 (++20241001124028+d401987fe349-1~exp1~20241001124040.50)
Target: x86_64-pc-linux-gnu 
Thread model: posix 
InstalledDir: /usr/lib/llvm-19/bin

You can download the attached file from https://dropmefiles.com/deEbb, or just see the attachments to the message.

Attachment: crash2.txt
Description: Text document
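
Added example, not part of the original message and not bash's code: a guarded version of the look-behind `string[-1] == '\n'` test from the report, written against a hypothetical `struct str_input`. It assumes the caller also knows where the buffer starts, so it can reject a look-behind at offset 0 as well as the NULL pointer case the report describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a string input source; not bash's BASH_INPUT. */
struct str_input {
    const char *start;  /* first byte of the buffer, NULL if there is no string input */
    const char *cur;    /* next unread byte, NULL if there is no string input */
};

/* Returns 1 only when a previously consumed byte exists and is a newline. */
static int prev_char_is_newline(const struct str_input *in)
{
    if (in == NULL || in->start == NULL || in->cur == NULL)
        return 0;   /* the NULL case from the report: nothing to look behind */
    if (in->cur <= in->start)
        return 0;   /* nothing consumed yet: cur[-1] would be out of bounds */
    return in->cur[-1] == '\n';
}

/* Same shape as the excerpt: unconsumed characters, plus one for a
   newline that was consumed just before the current position. */
static int chars_to_rewind(int line_len, int line_index,
                           const struct str_input *in)
{
    int xchars = line_len - line_index;

    if (prev_char_is_newline(in))
        xchars++;
    return xchars;
}

int main(void)
{
    static const char sample[] = "echo hi\n)";          /* constructed input */
    struct str_input none     = { NULL, NULL };          /* no string input */
    struct str_input at_start = { sample, sample };      /* nothing consumed */
    struct str_input after_nl = { sample, sample + 8 };  /* just past '\n' */

    printf("NULL string:     %d\n", chars_to_rewind(10, 7, &none));
    printf("start of buffer: %d\n", chars_to_rewind(10, 7, &at_start));
    printf("after newline:   %d\n", chars_to_rewind(10, 7, &after_nl));
    return 0;
}
```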

