heap-use-after-free in executing_line_number

Grisha Levit Thu, 25 Jan 2024 00:24:31 -0800

If currently_executing_command was a subshell, it can end up freed by
the time executing_line_number checks it.


$ bash-asan -c '${ (:); }/'
=================================================================
ERROR: AddressSanitizer: heap-use-after-free on address 0x000106208a40
at pc 0x000102c8bf38 bp 0x00016d236a10 sp 0x00016d236a08
READ of size 4 at 0x000106208a40 thread T0
    #0 0x102c8bf34 in executing_line_number execute_cmd.c:399
    #1 0x102d34eb0 in error_prolog error.c:80
    #2 0x102d35348 in internal_error error.c:211
    #3 0x102cbaf78 in shell_execve execute_cmd.c:6034
    #4 0x102cd7078 in execute_disk_command execute_cmd.c:5819
    #5 0x102ca1ad4 in execute_simple_command execute_cmd.c:4848
    #6 0x102c90a34 in execute_command_internal execute_cmd.c:898

0x000106208a40 is located 0 bytes inside of 32-byte region
[0x000106208a40,0x000106208a60)
freed by thread T0 here:
    #1 0x102c870f0 in dispose_command dispose_cmd.c:204
    #2 0x1030209d0 in parse_and_execute evalstring.c:557
    #3 0x102e0c7b4 in function_substitute subst.c:7016
    #4 0x102e2f4b8 in param_expand subst.c:10654
    #5 0x102df0ae0 in expand_word_internal subst.c:11358
    #6 0x102e7e03c in shell_expand_word_list subst.c:12914
    #7 0x102e1bfd4 in expand_word_list_internal subst.c:13109
    #8 0x102e1bd80 in expand_words subst.c:12387
    #9 0x102c9e234 in execute_simple_command execute_cmd.c:4535
    #10 0x102c90a34 in execute_command_internal execute_cmd.c:898

previously allocated by thread T0 here:
    #1 0x102fe51b8 in xmalloc xmalloc.c:107
    #2 0x102c60b38 in make_command make_cmd.c:168
    #3 0x102c6c2b8 in make_subshell_command make_cmd.c:785
    #4 0x102bf1924 in yyparse parse.y:1055
    #5 0x102bd85f4 in parse_command eval.c:356
    #6 0x10301e900 in parse_and_execute evalstring.c:444
    #7 0x102e0c7b4 in function_substitute subst.c:7016
    #8 0x102e2f4b8 in param_expand subst.c:10654
    #9 0x102df0ae0 in expand_word_internal subst.c:11358
    #10 0x102e7e03c in shell_expand_word_list subst.c:12914
    #11 0x102e1bfd4 in expand_word_list_internal subst.c:13109
    #12 0x102e1bd80 in expand_words subst.c:12387
    #13 0x102c9e234 in execute_simple_command execute_cmd.c:4535
    #14 0x102c90a34 in execute_command_internal execute_cmd.c:898

SUMMARY: AddressSanitizer: heap-use-after-free execute_cmd.c:399 in
executing_line_number

Not sure if this is right, but this fixes it:
--
diff --git a/execute_cmd.c b/execute_cmd.c
index f13114b9..09f6faee 100644
--- a/execute_cmd.c
+++ b/execute_cmd.c
@@ -746,6 +746,7 @@ execute_command_internal (COMMAND *command, int
asynchronous, int pipe_in, int p
                                : EXECUTION_SUCCESS);

              last_command_exit_value = exec_result;
+             currently_executing_command = (COMMAND *)NULL;
              if (user_subshell && was_error_trap && ignore_return ==
0 && invert == 0 && exec_result != EXECUTION_SUCCESS)
                {
                  save_line_number = line_number;

heap-use-after-free in executing_line_number

Reply via email to