Bug 8671

Summary: ash: Segmentation fault - Invalid free trapcmd (fuzz)
Product: Busybox Reporter: Fernando Muñoz <fernando>
Component: OtherAssignee: unassigned
Status: RESOLVED DUPLICATE    
Severity: normal CC: busybox-cvs
Priority: P5    
Version: 1.24.x   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: crash test

Description Fernando Muñoz 2016-02-09 19:23:27 UTC 
Created attachment 6311 [details]
crash test

(gdb) run sh fuzzed.sh 
Starting program: /root/fuzzshell/busybox_unstripped sh fuzzed.sh
fuzzed.sh: trap: line 1: 4846957808957: invalid signal specification
*** Error in `/root/fuzzshell/busybox_unstripped': free(): invalid pointer: 0x08105364 ***

Program received signal SIGABRT, Aborted.
0xb7fdcc38 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fdcc38 in __kernel_vsyscall ()
#1  0xb7df0e17 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2  0xb7df23e9 in __GI_abort () at abort.c:89
#3  0xb7e2e43e in __libc_message (do_abort=1, fmt=0xb7f262f8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e34007 in malloc_printerr (action=<optimized out>, str=0xb7f22490 "free(): invalid pointer", ptr=0x8105364) at malloc.c:4965
#5  0xb7e3475d in _int_free (av=0x696c2064, p=<optimized out>, have_lock=0) at malloc.c:3834
#6  0x0808bad4 in trapcmd ()
#7  0x00000001 in ?? ()


Valgrind reports

==30861== Invalid free() / delete / delete[] / realloc()
==30861==    at 0x402C3B8: free (vg_replace_malloc.c:530)
==30861==    by 0x808BAD3: trapcmd (in /root/fuzzshell/busybox_unstripped)
==30861==  Address 0x333831 is not stack'd, malloc'd or (recently) free'd

I'm unable to minimize my test cases since I can't get ASAN working on my build #8641
Comment 1 Mike Frysinger 2016-02-13 03:31:51 UTC 
pretty sure it's just the same as bug 8661

*** This bug has been marked as a duplicate of bug 8661 ***