
Bug 948122

Summary: =app-shells/bash-5.2_p37: double-free in libreadline after mashing arrow keys and PgUp/PgDn
Product: Gentoo Linux
Reporter: David Korth <gerbilsoft>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge --info

Description David Korth 2025-01-14 22:37:51 UTC
Created attachment 916548
emerge --info

I encountered an odd issue and I'm not entirely sure where to file this. On my laptop (ThinkPad T14 Gen 3 AMD), the arrow key area also has PgUp/PgDn. If I mash all six keys randomly in bash, it eventually crashes with a double-free.

After recompiling both bash and readline with -O0 -ggdb, I can still reproduce the crash, and I get this backtrace:

bash-5.2$ rlwrapfree(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
warning: 44     pthread_kill.c: No such file or directory
(gdb) bt
quit
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7d8fd43 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2  0x00007ffff7d38c26 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7d208fa in __GI_abort () at abort.c:79
#4  0x00007ffff7d2190a in __libc_message_impl (fmt=fmt@entry=0x7ffff7e97775 "%s\n") at ../sysdeps/posix/libc_fatal.c:132
#5  0x00007ffff7d9a027 in malloc_printerr (str=str@entry=0x7ffff7e9ab18 "free(): double free detected in tcache 2") at malloc.c:5772
#6  0x00007ffff7d9c610 in _int_free (av=0x7ffff7ed2ac0 <main_arena>, p=<optimized out>, have_lock=have_lock@entry=0) at malloc.c:4541
#7  0x00007ffff7d9edb3 in __GI___libc_free (mem=<optimized out>) at malloc.c:3398
#8  0x00007ffff7f69016 in _rl_free (string=0x5555556370d0) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/xfree.c:48
#9  0x00007ffff7f56e0f in _rl_free_undo_list (ul=0x555000335c87) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/undo.c:111
#10 0x00007ffff7f5f36e in _rl_free_saved_history_line () at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/misc.c:396
#11 0x00007ffff7f3d68e in rl_history_search_reinit (flags=1) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/search.c:633
#12 0x00007ffff7f3d6e6 in rl_history_search_forward (count=1, ignore=126) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/search.c:647
#13 0x00007ffff7f355de in _rl_dispatch_subseq (key=126, map=0x55555564bb60, got_subseq=0) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:925
#14 0x00007ffff7f35c17 in _rl_dispatch_subseq (key=54, map=0x555555648b00, got_subseq=0) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:1071
#15 0x00007ffff7f35c17 in _rl_dispatch_subseq (key=91, map=0x7ffff7f77080 <emacs_meta_keymap>, got_subseq=0) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:1071
#16 0x00007ffff7f35c17 in _rl_dispatch_subseq (key=27, map=0x7ffff7f76060 <emacs_standard_keymap>, got_subseq=0) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:1071
#17 0x00007ffff7f352be in _rl_dispatch (key=0, map=0x7ffff7f76060 <emacs_standard_keymap>) at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:860
#18 0x00007ffff7f34d8d in readline_internal_char () at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:675
#19 0x00007ffff7f34f0b in readline_internal_charloop () at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:721
#20 0x00007ffff7f34f32 in readline_internal () at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:733
#21 0x00007ffff7f34644 in readline (prompt=0x5555556782b0 "bash-5.2$ ") at /var/tmp/portage/sys-libs/readline-8.2_p13-r1/work/readline-8.2/readline.c:387
#22 0x00005555555ae0ff in yy_readline_get () at /usr/local/src/chet/src/bash/src/parse.y:1543
#23 0x0000555555578b76 in yy_getc () at /usr/local/src/chet/src/bash/src/parse.y:1477
#24 shell_getc (remove_quoted_newline=remove_quoted_newline@entry=1) at /usr/local/src/chet/src/bash/src/parse.y:2408
#25 0x0000555555575f49 in read_token.constprop.0 (command=<optimized out>) at /usr/local/src/chet/src/bash/src/parse.y:3418
#26 0x00005555555746ed in yylex () at /usr/local/src/chet/src/bash/src/parse.y:2905
#27 yyparse () at /var/tmp/portage/app-shells/bash-5.2_p37/work/bash-5.2/y.tab.c:1854
#28 0x0000555555574062 in parse_command () at /var/tmp/portage/app-shells/bash-5.2_p37/work/bash-5.2/eval.c:348
#29 0x000055555558628a in read_command () at /var/tmp/portage/app-shells/bash-5.2_p37/work/bash-5.2/eval.c:392
#30 0x0000555555586055 in reader_loop.isra.0 () at /var/tmp/portage/app-shells/bash-5.2_p37/work/bash-5.2/eval.c:139
#31 0x000055555559c061 in main (argc=1, argv=0x7fffffffd5b8, env=0x7fffffffd5c8) at /var/tmp/portage/app-shells/bash-5.2_p37/work/bash-5.2/shell.c:833

Package versions:
- app-shells/bash: 5.2_p37
- sys-libs/readline: 8.2_p13-r1
- sys-libs/glibc: 2.40-r7

emerge --info is attached.
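The backtrace above ends in _rl_free_undo_list freeing an entry that glibc's tcache already holds, which is the classic shape of a list released twice through a stale owner pointer. The following is an added example, not code from readline, bash or the reporter: a hypothetical singly linked undo list (names undo_entry, undo_list_build, undo_list_free_unsafe, undo_list_free and demo_double_release are assumptions, not readline identifiers) showing the release routine in the form that can be freed twice next to the hardened form that clears the owner's pointer, so a second release is a no-op instead of the "free(): double free detected in tcache 2" abort seen here.

```c
/* Added example (not readline's or bash's code): an undo-list shaped like
 * the one in the backtrace, with an unsafe and a hardened release routine.
 * All identifiers below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

struct undo_entry {
    char *text;                 /* owned heap copy of the text to restore */
    struct undo_entry *next;
};

/* Number of entries released so far; lets a caller observe that a second
 * release frees nothing rather than freeing the same memory again. */
static size_t g_entries_freed = 0;

/* Build n entries, each carrying a copy of `text`. On allocation failure
 * the partial list is released and NULL is returned. */
struct undo_entry *undo_list_build(size_t n, const char *text)
{
    struct undo_entry *head = NULL;
    for (size_t i = 0; i < n; i++) {
        struct undo_entry *e = malloc(sizeof *e);
        if (!e) goto fail;
        e->text = strdup(text);
        if (!e->text) { free(e); goto fail; }
        e->next = head;
        head = e;
    }
    return head;
fail:
    while (head) {
        struct undo_entry *next = head->next;
        free(head->text);
        free(head);
        head = next;
    }
    return NULL;
}

/* UNSAFE shape: the list is passed by value, so the caller's variable still
 * holds the dangling address afterwards. Any later release through that
 * variable is exactly the double free glibc aborts on. Shown only for
 * comparison; this file never calls it twice on the same list. */
void undo_list_free_unsafe(struct undo_entry *head)
{
    while (head) {
        struct undo_entry *next = head->next;
        free(head->text);
        free(head);
        g_entries_freed++;
        head = next;
    }
}

/* Hardened shape: the owner's pointer is passed by address and cleared
 * before anything is freed, so the state saying "this list exists" dies
 * with the list and a second caller sees NULL and returns at once. */
void undo_list_free(struct undo_entry **headp)
{
    if (!headp) return;
    struct undo_entry *head = *headp;
    *headp = NULL;              /* clear first: no window for re-entry */
    while (head) {
        struct undo_entry *next = head->next;
        free(head->text);
        free(head);
        g_entries_freed++;
        head = next;
    }
}

/* Release the same n-entry list twice through the hardened path and report
 * how many entries were freed: n, not 2n, and no abort. */
size_t demo_double_release(size_t n)
{
    g_entries_freed = 0;
    struct undo_entry *list = undo_list_build(n, "undo me");
    undo_list_free(&list);      /* frees n entries, list becomes NULL */
    undo_list_free(&list);      /* second release: nothing left to do */
    return g_entries_freed;
}
```

When triaging a report like this one, the hardened form is also what to look for in the fix: the release routine alone cannot prevent a second call, only clearing (or otherwise invalidating) the owner's pointer at the point of release can. Building with -fsanitize=address reports the first free and the second free of the same block with both stacks, which is more informative than glibc's tcache check.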
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-01-15 15:02:30 UTC
Thanks. Could you report this upstream to Chet on the bug-bash (or bug-readline) mailing list, and link it here?