From: Herbert Xu <herbert@gondor.apana.org.au>
To: Aleksander Ushakov <aushakov@astralinux.ru>
Cc: dash@vger.kernel.org
Subject: Re: [BUG] heap-use-after-free(read) pstrcmp() src/mystring.c
Date: Wed, 27 Aug 2025 13:19:58 +0800 [thread overview]
Message-ID: <aK6VfoGws2WeSj9d@gondor.apana.org.au> (raw)
In-Reply-To: <0fe0fea8-24c5-4dbb-a2c9-3c0e01af7c18@astralinux.ru>
Aleksander Ushakov <aushakov@astralinux.ru> wrote:
>
> I encountered a bug in Dash in commit fd725b7a75 and would like to
> report it. The details are provided below.
> The target crashed when reading from memory after it has been freed.
> ==119==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x515000008f08 at pc 0x62b3e92a9f96 bp 0x7ffe2076bc00 sp 0x7ffe2076b3b0
> READ of size 1 at 0x515000008f08 thread T0
> #0 0x62b3e92a9f95 in __interceptor_strcmp
> ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466
> #1 0x62b3e9353a34 in bsearch
> /usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h:33
> #2 0x62b3e9353a34 in findstring /upstream/dash/src/mystring.c:260
> #3 0x62b3e935c140 in readtoken /upstream/dash/src/parser.c:737
> #4 0x62b3e935ce76 in list /upstream/dash/src/parser.c:181
> #5 0x62b3e936072e in readtoken1 /upstream/dash/src/parser.c:1587
> #6 0x62b3e93693ff in parseheredoc /upstream/dash/src/parser.c:690
> #7 0x62b3e93601d6 in readtoken1 /upstream/dash/src/parser.c:1597
> #8 0x62b3e9369bc3 in xxreadtoken /upstream/dash/src/parser.c:843
> #9 0x62b3e935bfb6 in readtoken /upstream/dash/src/parser.c:711
> #10 0x62b3e935ce76 in list /upstream/dash/src/parser.c:181
> #11 0x62b3e934a242 in cmdloop /upstream/dash/src/main.c:223
> #12 0x62b3e922543c in main /upstream/dash/src/main.c:180
> #13 0x7ab34e084249 in __libc_start_call_main
> ../sysdeps/nptl/libc_start_call_main.h:58
> #14 0x7ab34e084304 in __libc_start_main_impl ../csu/libc-start.c:360
> #15 0x62b3e9226520 in _start (/upstream/dash/src/dash+0x1a520)
>
> 0x515000008f08 is located 8 bytes inside of 512-byte region
> [0x515000008f00,0x515000009100)
> freed by thread T0 here:
> #0 0x62b3e92b9068 in __interceptor_free
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
> #1 0x62b3e934c8cd in popstackmark /upstream/dash/src/memalloc.c:187
Thanks for the report. This is a manifestation of the fact that
the dash parser is not re-entrant. Despite that, it gets called
recursively when a prompt needs to be generated during parsing.
Hence the crash.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
2025-05-30 17:37 [BUG] heap-use-after-free(read) pstrcmp() src/mystring.c Aleksander Ushakov
2025-08-27 5:19 ` Herbert Xu [this message]