From: Eduardo Bustamante <dualbus@gmail.com>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: Re: Zsh parser segmentation fault in strcatsub
Date: Mon, 15 May 2017 20:36:34 -0500
Message-ID: <CAOSMAuvh6XLhfLYd37v_JQC+DQ7yMv_M4VEAM6DiXB4TLf2N1A@mail.gmail.com>
In-Reply-To: <CAH+w=7bs1PjG-DNLdCK1CsQsSNAsJzvOhE64j-sJZChuXLEGog@mail.gmail.com>

On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer
<schaefer@brasslantern.com> wrote:
[...]
> You are not using "-f".  Is it possible that a setting in a startup
> file is affecting this?

How do you build Zsh?

Here's how I build it (with Clang, or GCC+ASAN).

dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
171e7fa4c1d9cbf0d8ff35ee795e1599913aa329

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure && make -j4
[...]

dualbus@debian:~/src/zsh/zsh$ md5sum strcatsub
45a3a29522b0bd62d073d791b722ce02  strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
Segmentation fault

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CFLAGS='-O0 -ggdb -fsanitize=address -fno-omit-frame-pointer' LDFLAGS=-lasan ./configure && make -j4
[...]

dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
=================================================================
==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp 0x7ffe5ddad578
READ of size 1 at 0x6290000041f8 thread T0
    #0 0x56236c85fac2 in mb_metacharlenconv /home/dualbus/src/zsh/zsh/Src/utils.c:5370
    #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
    #2 0x56236c83cdba in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:4022
    #3 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #4 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #5 0x56236c82bc22 in singsub /home/dualbus/src/zsh/zsh/Src/subst.c:430
    #6 0x56236c8375b9 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:3011
    #7 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #8 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #9 0x56236c73114a in execcmd_getargs /home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #10 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #11 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #12 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #13 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #14 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #15 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #16 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #17 0x56236c6dd31f in main main.c:93
    #18 0x7f8561b282b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #19 0x56236c6dd1f9 in _start (/home/dualbus/src/zsh/zsh/Src/zsh+0x421f9)

0x6290000041f8 is located 0 bytes to the right of 16376-byte region [0x629000000200,0x6290000041f8)
allocated by thread T0 here:
    #0 0x7f85628a1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56236c7b4df3 in zalloc /home/dualbus/src/zsh/zsh/Src/mem.c:966
    #2 0x56236c7b2ff9 in zhalloc /home/dualbus/src/zsh/zsh/Src/mem.c:639
    #3 0x56236c82874e in dupstring /home/dualbus/src/zsh/zsh/Src/string.c:39
    #4 0x56236c7a003f in parse_subst_string /home/dualbus/src/zsh/zsh/Src/lex.c:1710
    #5 0x56236c837436 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:2975
    #6 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #7 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #8 0x56236c73114a in execcmd_getargs /home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #9 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #10 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #11 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #12 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #13 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #14 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #15 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #16 0x56236c6dd31f in main main.c:93
    #17 0x7f8561b282b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dualbus/src/zsh/zsh/Src/utils.c:5370 in mb_metacharlenconv
Shadow bytes around the buggy address:
  0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2860==ABORTING

It doesn't segfault if I run it under Valgrind.
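
Added example (not part of this message or of zsh): a small triage parser for AddressSanitizer reports of the shape shown above, which extracts the error kind, the faulting access, the distance from the heap region, and both stacks, and derives a path-independent bucket key for de-duplicating crashes across fuzzing runs. The embedded report is a constructed cut-down copy of the one above; it assumes Python 3.8 or newer.

```python
import re

# Constructed sample: the report quoted above, cut down to the lines the parser needs.
SAMPLE_REPORT = """\
==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp 0x7ffe5ddad578
READ of size 1 at 0x6290000041f8 thread T0
    #0 0x56236c85fac2 in mb_metacharlenconv /home/dualbus/src/zsh/zsh/Src/utils.c:5370
    #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
    #2 0x56236c83cdba in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:4022
0x6290000041f8 is located 0 bytes to the right of 16376-byte region [0x629000000200,0x6290000041f8)
allocated by thread T0 here:
    #0 0x7f85628a1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56236c7b4df3 in zalloc /home/dualbus/src/zsh/zsh/Src/mem.c:966
    #2 0x56236c82874e in dupstring /home/dualbus/src/zsh/zsh/Src/string.c:39
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dualbus/src/zsh/zsh/Src/utils.c:5370 in mb_metacharlenconv
"""

HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
REGION = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of (\d+)-byte region")

def parse_asan_report(text):
    """Pull the triage-relevant fields out of an ASan report into a dict.
    Frames before 'allocated by' belong to the faulting access, frames after it
    to the allocation; each frame is stored as (function, location)."""
    info = {"access_stack": [], "alloc_stack": []}
    stack = "access_stack"
    for line in text.splitlines():
        if m := HEADER.match(line):
            info["pid"], info["kind"], info["address"] = int(m[1]), m[2], m[3]
        elif m := ACCESS.match(line):
            info["access"], info["size"] = m[1], int(m[2])
        elif line.startswith("allocated by"):
            stack = "alloc_stack"
        elif m := REGION.match(line):
            info["distance"], info["side"], info["region_size"] = int(m[1]), m[2], int(m[3])
        elif m := FRAME.match(line):
            info[stack].append((m[1], m[2]))
    return info

def crash_signature(info, depth=3):
    """Bucket key for de-duplicating crashes: error kind plus the first `depth`
    frames that resolved to file:line, with directories stripped so that ASLR
    and differing checkout paths do not split one bug into several buckets."""
    locs = [loc.rsplit("/", 1)[-1] for _, loc in info["access_stack"] if ":" in loc]
    return info["kind"] + "|" + "|".join(locs[:depth])
```

For the report above the signature is "heap-buffer-overflow|utils.c:5370|subst.c:922|subst.c:4022", and the region fields show a 1-byte read exactly 0 bytes past a 16376-byte allocation, i.e. an off-by-one read past the end.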
