From: "Liu, Song"
To: "zsh-workers@zsh.org"
CC: "Hu, Hong"
Subject: ZSH crashed when reading bytes from a large binary
Date: Sun, 11 Sep 2022 14:43:08 +0000
X-Seq: 50621

Dear maintainers:

When ZSH reads bytes from a binary, ZSH adjusts the allocated memory according to the binary's size. But if the binary is large enough, ZSH fails to reallocate memory.

The problem is that, when ZSH fails to reallocate memory, ZSH doesn't check the return value of the `realloc` function and handle the error. This makes ZSH crash.

On line 6923 of `zsh/Src/builtin.c`, the correct code should look like the following:

```c
char *b2 = realloc(buf, bsiz *= 2);   /* keep the old pointer until realloc succeeds */
if (b2) {
    buf = b2;
    // same as previous code
} else {
    free(buf);                        /* realloc failed: buf is still the old, valid block */
    return EXIT_FAILURE;
}
```

Environments:

* Ubuntu 20.04.5 LTS x86_64
* Ubuntu clang version 10.0.1-++20211003084855+ef32c611aa21-1~exp1~20211003085243.2
* ZSH source code commit: eb738c793a6f9f293fc655c6aa87effc3dd9e44f (latest)

Steps to Reproduce:

```shell
# clone and build zsh shell from source
git clone git@github.com:zsh-users/zsh.git
cd zsh
./Util/preconfig
# compile ZSH with Address Sanitizer
CFLAGS=" -g -O0 " LDFLAGS=" -fsanitize=address " ../zsh/configure
make -j$(nproc)

# generate a large binary.
dd if=/dev/zero of=large.bin iflag=fullblock bs=1M count=600

# trigger the segmentation fault.
./Src/zsh -c "read byte < ./large.bin"    # Segmentation fault
```

ASAN log:

```text
=================================================================
==883996==ERROR: AddressSanitizer: requested allocation size 0xffffffff80000000 (0xffffffff80001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7f3bfc697c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x55c82f1a6ad6 in bin_read /data/song/zsh-crash/zsh/Src/builtin.c:6923
    #2 0x55c82f18d8bb in execbuiltin /data/song/zsh-crash/zsh/Src/builtin.c:506
    #3 0x55c82f1b6dc1 in execcmd_exec /data/song/zsh-crash/zsh/Src/exec.c:4148
    #4 0x55c82f1b06c6 in execpline2 /data/song/zsh-crash/zsh/Src/exec.c:1960
    #5 0x55c82f1af35c in execpline /data/song/zsh-crash/zsh/Src/exec.c:1689
    #6 0x55c82f1ae671 in execlist /data/song/zsh-crash/zsh/Src/exec.c:1444
    #7 0x55c82f1adced in execode /data/song/zsh-crash/zsh/Src/exec.c:1221
    #8 0x55c82f1adbb1 in execstring /data/song/zsh-crash/zsh/Src/exec.c:1187
    #9 0x55c82f1d7432 in init_misc /data/song/zsh-crash/zsh/Src/init.c:1389
    #10 0x55c82f1d89b6 in zsh_main /data/song/zsh-crash/zsh/Src/init.c:1780
    #11 0x55c82f18c95c in main main.c:93
    #12 0x7f3bfc1f1082 in __libc_start_main ../csu/libc-start.c:308

==883996==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 in __interceptor_realloc
==883996==ABORTING
```

Sincerely,
Song
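The report's own suggestion only covers one of the two failure modes visible in the ASan output. The requested size 0xffffffff80000000 is exactly what you get when an `int` that already holds 2^30 is doubled and the negative result is converted to `size_t`, so the buffer size also has to be guarded against wrapping, not just the `realloc` result against `NULL`. The block below is an added example, not zsh's own code or the reporter's: `wrapped_request` reproduces that arithmetic, and `growbuf`, `growbuf_grow`, `growbuf_append`, the `max_alloc` cap and the 64-byte initial size are this example's assumptions, written to show the doubling loop in its hardened form (size_t arithmetic with an overflow check, a temporary pointer so a failed `realloc` leaves the old block freeable, and a clean error path).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Doubling an `int` that holds 2^30 and passing the result to realloc():
 * on LP64 the request becomes 0xffffffff80000000, the value in the ASan
 * report. Done through unsigned so this demonstration has no signed overflow. */
size_t wrapped_request(int bsiz)
{
    unsigned u = (unsigned)bsiz * 2u;  /* 0x80000000 when bsiz == 1 << 30 */
    int wrapped = (int)u;              /* INT_MIN on gcc/clang (implementation-defined) */
    return (size_t)wrapped;            /* sign-extended: 0xffffffff80000000 */
}

/* Growable byte buffer shaped like the read loop (buf/bsiz names from the
 * report; the struct, helpers and cap are this example's assumptions). */
struct growbuf {
    char *buf;
    size_t bsiz;   /* capacity in bytes */
    size_t len;    /* bytes in use, excluding the terminating NUL */
};

/* Hardened growth step. Returns 0 on success, -1 on failure with *g unchanged. */
static int growbuf_grow(struct growbuf *g, size_t max_alloc)
{
    size_t newsiz;
    char *b2;

    if (g->bsiz == 0)
        newsiz = 64;                   /* assumed initial size */
    else if (g->bsiz > SIZE_MAX / 2)
        return -1;                     /* bsiz * 2 would wrap */
    else
        newsiz = g->bsiz * 2;
    if (newsiz > max_alloc)
        return -1;                     /* hypothetical policy limit */

    b2 = realloc(g->buf, newsiz);      /* never g->buf = realloc(g->buf, ...) */
    if (b2 == NULL)
        return -1;                     /* g->buf is still the old, valid block */
    g->buf = b2;
    g->bsiz = newsiz;
    return 0;
}

/* Append n bytes, growing as needed. On failure the buffer is freed and the
 * struct reset (the report's free(buf); return EXIT_FAILURE). 0 or -1. */
int growbuf_append(struct growbuf *g, const char *src, size_t n, size_t max_alloc)
{
    if (n > SIZE_MAX - g->len - 1)     /* len + n + 1 would wrap */
        goto fail;
    while (g->len + n + 1 > g->bsiz)   /* +1 keeps room for the NUL */
        if (growbuf_grow(g, max_alloc) != 0)
            goto fail;
    memcpy(g->buf + g->len, src, n);
    g->len += n;
    g->buf[g->len] = '\0';
    return 0;

fail:
    free(g->buf);
    g->buf = NULL;
    g->bsiz = g->len = 0;
    return -1;
}

/* Scenario 1 (constructed input): two 1000-byte chunks under a 1 MiB cap;
 * capacity steps 64 -> 1024 -> 2048. Returns the final capacity, 0 on failure. */
size_t demo_grow_ok(void)
{
    struct growbuf g = { NULL, 0, 0 };
    char chunk[1000];
    size_t result = 0;

    memset(chunk, 'a', sizeof chunk);
    if (growbuf_append(&g, chunk, sizeof chunk, (size_t)1 << 20) == 0 &&
        growbuf_append(&g, chunk, sizeof chunk, (size_t)1 << 20) == 0 &&
        g.len == 2000 && g.buf[2000] == '\0')
        result = g.bsiz;
    free(g.buf);
    return result;
}

/* Scenario 2 (constructed input): the same chunk under a 512-byte cap.
 * Growth must refuse cleanly. Returns 1 if it did, 0 otherwise. */
int demo_cap_fail(void)
{
    struct growbuf g = { NULL, 0, 0 };
    char chunk[1000];

    memset(chunk, 'a', sizeof chunk);
    return growbuf_append(&g, chunk, sizeof chunk, 512) == -1 &&
           g.buf == NULL && g.bsiz == 0 && g.len == 0;
}
```

Outside ASan, glibc returns NULL for a request that size, and an unchecked `buf = realloc(buf, ...)` then dereferences NULL on the next write, which matches the plain segmentation fault the reporter saw; under ASan the wrapped size is caught one step earlier as allocation-size-too-big. Note that `growbuf_grow` keeps the old pointer in `b2` until `realloc` succeeds: the idiom `buf = realloc(buf, n)` loses the only reference to the old block on failure, so a `free(buf)` afterwards frees NULL and leaks the data.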