Zsh Mailing List Archive
Re: Zsh parser segmentation fault in strcatsub
- X-seq: zsh-workers 41109
- From: Eduardo Bustamante <dualbus@xxxxxxxxx>
- To: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- Subject: Re: Zsh parser segmentation fault in strcatsub
- Date: Mon, 15 May 2017 20:36:34 -0500
- Cc: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
- In-reply-to: <CAH+w=7bs1PjG-DNLdCK1CsQsSNAsJzvOhE64j-sJZChuXLEGog@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAOSMAuuUiTz_3ih-b6TYnZYnevs+eYgOkXHjLY6oOTtCmQOWfg@mail.gmail.com> <CAH+w=7bs1PjG-DNLdCK1CsQsSNAsJzvOhE64j-sJZChuXLEGog@mail.gmail.com>
On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
[...]
> You are not using "-f". Is it possible that a setting in a startup
> file is affecting this?
How do you build Zsh?
Here's how I build it (with Clang, or GCC+ASAN).
dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
171e7fa4c1d9cbf0d8ff35ee795e1599913aa329
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum strcatsub
45a3a29522b0bd62d073d791b722ce02 strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
Segmentation fault
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CFLAGS='-O0 -ggdb -fsanitize=address -fno-omit-frame-pointer' LDFLAGS=-lasan ./configure && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
=================================================================
==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp 0x7ffe5ddad578
READ of size 1 at 0x6290000041f8 thread T0
    #0 0x56236c85fac2 in mb_metacharlenconv /home/dualbus/src/zsh/zsh/Src/utils.c:5370
    #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
    #2 0x56236c83cdba in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:4022
    #3 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #4 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #5 0x56236c82bc22 in singsub /home/dualbus/src/zsh/zsh/Src/subst.c:430
    #6 0x56236c8375b9 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:3011
    #7 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #8 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #9 0x56236c73114a in execcmd_getargs /home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #10 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #11 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #12 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #13 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #14 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #15 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #16 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #17 0x56236c6dd31f in main main.c:93
    #18 0x7f8561b282b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #19 0x56236c6dd1f9 in _start (/home/dualbus/src/zsh/zsh/Src/zsh+0x421f9)

0x6290000041f8 is located 0 bytes to the right of 16376-byte region [0x629000000200,0x6290000041f8)
allocated by thread T0 here:
    #0 0x7f85628a1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56236c7b4df3 in zalloc /home/dualbus/src/zsh/zsh/Src/mem.c:966
    #2 0x56236c7b2ff9 in zhalloc /home/dualbus/src/zsh/zsh/Src/mem.c:639
    #3 0x56236c82874e in dupstring /home/dualbus/src/zsh/zsh/Src/string.c:39
    #4 0x56236c7a003f in parse_subst_string /home/dualbus/src/zsh/zsh/Src/lex.c:1710
    #5 0x56236c837436 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:2975
    #6 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #7 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #8 0x56236c73114a in execcmd_getargs /home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #9 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #10 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #11 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #12 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #13 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #14 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #15 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #16 0x56236c6dd31f in main main.c:93
    #17 0x7f8561b282b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dualbus/src/zsh/zsh/Src/utils.c:5370 in mb_metacharlenconv
Shadow bytes around the buggy address:
0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2860==ABORTING
It doesn't segfault if I run it under Valgrind.