From nobody Sat Jun 15 20:17:43 2024
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 279772] use (write) after free in libedit's em_copy_prev_word()
Date: Sat, 15 Jun 2024 20:17:43 +0000
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rtm@lcs.mit.edu
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
Sender: owner-freebsd-bugs@FreeBSD.org
MIME-Version: 1.0
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279772

            Bug ID: 279772
           Summary: use (write) after free in libedit's em_copy_prev_word()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment: #251479 text/plain mime type

Created attachment 251479
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=251479&action=edit
demo of a use-after-free in libedit's em_copy_prev_word()

em_copy_prev_word() in contrib/libedit/emacs.c:

        oldc = el->el_line.cursor;
        /* does a bounds check */
        cp = c__prev_word(el->el_line.cursor, el->el_line.buffer,
            el->el_state.argument, ce__isword);
        c_insert(el, (int)(oldc - cp));
        for (dp = oldc; cp < oldc && dp < el->el_line.lastchar; cp++)
                *dp++ = *cp;

c_insert() can call realloc() on el->el_line.buffer. This means
that oldc and cp can end up pointing into the old buffer that
realloc() freed. Then the assignment in the for loop reads and
writes freed memory.

I've attached a demo of this in sh's use of libedit. The demo
requires /usr/local/bin/valgrind.

$ cc sh11a.c -lutil
$ ./a.out
...
Invalid read of size 4
   at 0x487C1AC: em_copy_prev_word (rtm/freebsd/contrib/libedit/emacs.c:458)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
   by 0x1295D2: main (rtm/freebsd/bin/sh/main.c:167)
 Address 0x553d160 is 0 bytes inside a block of size 8,192 free'd
   at 0x4851951: realloc (vg_replace_malloc.c:1694)
   by 0x48732AA: ch_enlargebufs (rtm/freebsd/contrib/libedit/chared.c:502)
   by 0x487318C: c_insert (rtm/freebsd/contrib/libedit/chared.c:104)
   by 0x487C16A: em_copy_prev_word (rtm/freebsd/contrib/libedit/emacs.c:456)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
 Block was alloc'd at
   at 0x4851951: realloc (vg_replace_malloc.c:1694)
   by 0x48732AA: ch_enlargebufs (rtm/freebsd/contrib/libedit/chared.c:502)
   by 0x4875B8D: ed_insert (rtm/freebsd/contrib/libedit/common.c:86)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
   by 0x1295D2: main (rtm/freebsd/bin/sh/main.c:167)

Invalid write of size 4
   at 0x487C1BD: em_copy_prev_word (rtm/freebsd/contrib/libedit/emacs.c:458)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
   by 0x1295D2: main (rtm/freebsd/bin/sh/main.c:167)
 Address 0x553e164 is 4,100 bytes inside a block of size 8,192 free'd
   at 0x4851951: realloc (vg_replace_malloc.c:1694)
   by 0x48732AA: ch_enlargebufs (rtm/freebsd/contrib/libedit/chared.c:502)
   by 0x487318C: c_insert (rtm/freebsd/contrib/libedit/chared.c:104)
   by 0x487C16A: em_copy_prev_word (rtm/freebsd/contrib/libedit/emacs.c:456)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
 Block was alloc'd at
   at 0x4851951: realloc (vg_replace_malloc.c:1694)
   by 0x48732AA: ch_enlargebufs (rtm/freebsd/contrib/libedit/chared.c:502)
   by 0x4875B8D: ed_insert (rtm/freebsd/contrib/libedit/common.c:86)
   by 0x4889747: el_wgets (rtm/freebsd/contrib/libedit/read.c:540)
   by 0x4879B3C: el_gets (rtm/freebsd/contrib/libedit/eln.c:75)
   by 0x123D6E: preadfd (rtm/freebsd/bin/sh/input.c:138)
   by 0x12387A: preadbuffer (rtm/freebsd/bin/sh/input.c:210)
   by 0x1326C5: xxreadtoken (rtm/freebsd/bin/sh/parser.c:910)
   by 0x12E4FC: readtoken (rtm/freebsd/bin/sh/parser.c:827)
   by 0x12E379: parsecmd (rtm/freebsd/bin/sh/parser.c:222)
   by 0x129786: cmdloop (rtm/freebsd/bin/sh/main.c:206)
   by 0x1295D2: main (rtm/freebsd/bin/sh/main.c:167)

-- 
You are receiving this mail because:
You are the assignee for the bug.
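An added illustration of the hardened pattern for the bug class described above, not code from the report or from libedit: positions are recorded as offsets from the buffer base before the insert and pointers are re-derived afterwards, so a realloc inside the insert cannot leave them dangling. The line state, insert_gap(), prev_word() and demo() are constructed stand-ins for el_line, c_insert() and c__prev_word(), not libedit's own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for libedit's el_line state (not libedit's own type). */
struct line { char *buffer, *cursor, *lastchar; size_t limit; };
/* Open an n-byte gap at the cursor, growing (and possibly moving) the buffer
 * as c_insert()/ch_enlargebufs() do. Returns 0 on allocation failure. */
static int insert_gap(struct line *ln, size_t n) {
    size_t used = (size_t)(ln->lastchar - ln->buffer);
    size_t cur = (size_t)(ln->cursor - ln->buffer);
    if (used + n + 1 > ln->limit) {
        size_t newlim = ln->limit * 2 + n + 1;
        char *nb = realloc(ln->buffer, newlim);
        if (nb == NULL) return 0;
        ln->buffer = nb;          /* re-derive every pointer from the new base */
        ln->cursor = nb + cur;
        ln->lastchar = nb + used;
        ln->limit = newlim;
    }
    memmove(ln->cursor + n, ln->cursor, used - cur);
    ln->lastchar += n;
    return 1;
}
/* Start of the word before p (simplified stand-in for c__prev_word). */
static char *prev_word(char *p, const char *base) {
    while (p > base && !isalnum((unsigned char)p[-1])) p--;
    while (p > base && isalnum((unsigned char)p[-1])) p--;
    return p;
}
/* Hardened copy-previous-word: carry offsets, not raw pointers, across the
 * insert, so a realloc inside it cannot leave oldc/cp pointing at freed memory. */
int copy_prev_word(struct line *ln) {
    size_t oldc = (size_t)(ln->cursor - ln->buffer);
    size_t cp = (size_t)(prev_word(ln->cursor, ln->buffer) - ln->buffer);
    size_t len = oldc - cp;
    if (len == 0 || !insert_gap(ln, len)) return 0;
    memcpy(ln->buffer + oldc, ln->buffer + cp, len); /* offsets + new base */
    ln->cursor = ln->buffer + oldc + len;
    return 1;
}
/* Demo: cursor at end of text; exact-size buffer forces the realloc. Caller frees. */
char *demo(const char *text) {
    struct line ln = { NULL, NULL, NULL, strlen(text) + 1 };
    ln.buffer = malloc(ln.limit);
    memcpy(ln.buffer, text, ln.limit - 1);
    ln.cursor = ln.lastchar = ln.buffer + ln.limit - 1;
    copy_prev_word(&ln);
    *ln.lastchar = '\0';
    return ln.buffer;
}
```

Running demo() under valgrind shows no invalid access even though the insert always reallocates, which is the check the report's own demo performs against the unfixed code.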