Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 38190
Date: Sun, 20 Mar 2016 21:57:33 +0800
Subject: access already freed memory when resize window
From: comic fans
To: zsh-workers@zsh.org

When resizing, in zle_main.c the function reexpandprompt will call

    free(lpromptbuf);               ------> already freed

and then call

    lpromptbuf = promptexpand ....

but the call stack will then reach zle_refresh.c, resetvideo, line 754, which calls

    countprompt (lpromptbuf, ....   ----------> accesses invalid memory

I've confirmed this bug in version 5.2 and the latest git version.

Address sanitizer report:

==26994==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100079d8c0 at pc 0x513f5f bp 0x7ffcfb207820 sp 0x7ffcfb207810
READ of size 1 at 0x61100079d8c0 thread T0
    #0 0x513f5e in countprompt /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/prompt.c:1082
    #1 0x7ff8e48e9ee4 in resetvideo /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_refresh.c:754
    #2 0x7ff8e48f24b5 in zrefresh /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_refresh.c:1151
    #3 0x7ff8e48d4e74 in zle_main_entry /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1994
    #4 0x49856f in zleentry /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/init.c:1531
    #5 0x51ee49 in zhandler /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/signals.c:654
    #6 0x7ff8e7e6f44f (/lib64/libc.so.6+0x3344f)
    #7 0x7ff8e7e6f785 in __sigsuspend (/lib64/libc.so.6+0x33785)
    #8 0x51d7b5 in signal_suspend /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/signals.c:384
    #9 0x4a47b8 in waitforpid /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/jobs.c:1401
    #10 0x45f6f7 in getoutput /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/exec.c:4149
    #11 0x52da9d in stringsubst /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/subst.c:324
    #12 0x536ef8 in prefork /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/subst.c:85
    #13 0x537e77 in singsub /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/subst.c:428
    #14 0x51ad01 in promptexpand /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/prompt.c:187
    #15 0x7ff8e48d0664 in reexpandprompt /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1870
    #16 0x7ff8e48d07f8 in zle_resetprompt /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1895
    #17 0x7ff8e48d4d24 in zle_main_entry /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1990
    #18 0x49856f in zleentry /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/init.c:1531
    #19 0x548a55 in adjustwinsize /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/utils.c:1933
    #20 0x51ee49 in zhandler /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/signals.c:654
    #21 0x7ff8e7e6f44f (/lib64/libc.so.6+0x3344f)
    #22 0x7ff8e7f1829f in read (/lib64/libc.so.6+0xdc29f)
    #23 0x7ff8e89765f6 in __interceptor_read (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x2a5f6)
    #24 0x7ff8e48cccf9 in read /usr/include/bits/unistd.h:44
    #25 0x7ff8e48cccf9 in raw_getbyte /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:819
    #26 0x7ff8e48cccf9 in getbyte /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:854
    #27 0x7ff8e48cb086 in getkeybuf /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_keymap.c:1660
    #28 0x7ff8e48cb086 in getkeymapcmd /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_keymap.c:1578
    #29 0x7ff8e48cb66e in getkeycmd /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_keymap.c:1689
    #30 0x7ff8e48cfc33 in zlecore /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1083
    #31 0x7ff8e48d17cc in zleread /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1292
    #32 0x49856f in zleentry /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/init.c:1531
    #33 0x49bddd in inputline /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/input.c:293
    #34 0x49bddd in ingetc /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/input.c:226
    #35 0x488a88 in ihgetc /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/hist.c:391
    #36 0x4b1790 in gettok /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/lex.c:611
    #37 0x4b1790 in zshlex /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/lex.c:275
    #38 0x4feba6 in parse_event /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/parse.c:570
    #39 0x490a85 in loop /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/init.c:146
    #40 0x4995f8 in zsh_main /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/init.c:1687
    #41 0x7ff8e7e5c59f in __libc_start_main (/lib64/libc.so.6+0x2059f)
    #42 0x412b18 in _start (/bin/zsh+0x412b18)

0x61100079d8c0 is located 0 bytes inside of 256-byte region [0x61100079d8c0,0x61100079d9c0)
freed by thread T0 here:
    #0 0x7ff8e89a355f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5755f)
    #1 0x7ff8e48d0625 in reexpandprompt /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/Zle/zle_main.c:1869

previously allocated by thread T0 here:
    #0 0x7ff8e89a37d7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x577d7)
    #1 0x4c3c9e in zshcalloc /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/mem.c:974
    #2 0xfff9f64152d (+0xdff0f64a52d)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/app-shells/zsh-9999/zsh-9999/Src/prompt.c:1082 countprompt
==26994==ABORTING