GNU bug report logs - #22127
Segfault / null pointer access in function str_append_modified()


Package: sed;

Reported by: Hanno Böck <hanno <at> hboeck.de>

Date: Thu, 10 Dec 2015 01:02:07 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-sed <at> gnu.org:
bug#22127; Package sed. (Thu, 10 Dec 2015 01:02:07 GMT)

Acknowledgement sent to Hanno Böck <hanno <at> hboeck.de>:
New bug report received and forwarded. Copy sent to bug-sed <at> gnu.org. (Thu, 10 Dec 2015 01:02:07 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Hanno Böck <hanno <at> hboeck.de>
To: bug-sed <at> gnu.org
Subject: Segfault / null pointer access in function str_append_modified()
Date: Wed, 9 Dec 2015 12:42:11 +0100
Hi,

With a malformed input (see attachment) sed can crash in the function
str_append_modified()

Test:
echo|./sed -f sed-nullptr-str_append_modified

Seems to be a null pointer access.
This only seems to happen in the git code of sed and not in 4.2.2.

This is the stack trace from address sanitizer:
==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
    #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
    #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
    #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
    #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
    #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
    #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
    #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
    #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
    #8 0x4191a8 in _start (/tmp/sed+0x4191a8)


This was found with the help of american fuzzy lop.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42
[sed-nullptr-str_append_modified (application/octet-stream, attachment)]

Information forwarded to bug-sed <at> gnu.org:
bug#22127; Package sed. (Fri, 18 Dec 2015 02:58:02 GMT)

Message #8 received at 22127 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Hanno Böck <hanno <at> hboeck.de>
Cc: 22127 <at> debbugs.gnu.org
Subject: Re: bug#22127: Segfault / null pointer access in function str_append_modified()
Date: Thu, 17 Dec 2015 18:56:51 -0800
On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
> Hi,
>
> With a malformed input (see attachment) sed can crash in the function
> str_append_modified()
>
> Test:
> echo|./sed -f sed-nullptr-str_append_modified
>
> Seems to be a null pointer access.
> This only seems to happen in the git code of sed and not in 4.2.2.
>
> This is the stack trace from address sanitizer:
> ==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
>     #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
>     #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
>     #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
>     #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
>     #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
>     #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
>     #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
>     #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
>     #8 0x4191a8 in _start (/tmp/sed+0x4191a8)
>
>
> This was found with the help of american fuzzy lop.

Thank you for the report.
I've reduced it to the following one-liner (demonstrating
failure with an ASAN-enabled binary), and have attached
a patch:

$ echo > k; LC_ALL=en_US.utf8 sed/sed $(printf 's/^/\\L\233\375\134\200/') k
=================================================================
==3335==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60600000edb2 at pc 0x000000446933 bp 0x7ffd73a42ee0 sp
0x7ffd73a42690
WRITE of size 6 at 0x60600000edb2 thread T0
    #0 0x446932 in __interceptor_wcrtomb
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
    #1 0x4dc393 in str_append_modified /home/j/w/co/sed/sed/execute.c:273
    #2 0x4e08e2 in append_replacement /home/j/w/co/sed/sed/execute.c:992
    #3 0x4e1272 in do_subst /home/j/w/co/sed/sed/execute.c:1078
    #4 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #5 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #6 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #7 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #8 0x406d18 in _start (/home/j/w/co/sed/sed/sed+0x406d18)

0x60600000edb2 is located 0 bytes to the right of 50-byte region
[0x60600000ed80,0x60600000edb2)
allocated by thread T0 here:
    #0 0x4a2050 in __interceptor_calloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x4e59d3 in ck_malloc /home/j/w/co/sed/sed/utils.c:398
    #2 0x4dc4e9 in line_init /home/j/w/co/sed/sed/execute.c:288
    #3 0x4dc75f in line_reset /home/j/w/co/sed/sed/execute.c:306
    #4 0x4e0d37 in do_subst /home/j/w/co/sed/sed/execute.c:1023
    #5 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #6 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #7 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #8 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
in __interceptor_wcrtomb
Shadow bytes around the buggy address:
  0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9db0: 00 00 00 00 00 00[02]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9dc0: 00 00 02 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9df0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[0001-sed-fix-a-heap-clobbering-buffer-overrun.patch (text/x-patch, attachment)]
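The ASAN report above is the general shape of a wcrtomb() misuse: in a multibyte locale the function may emit up to MB_CUR_MAX bytes for one wide character, so an appender that writes first and grows its buffer afterwards overruns the heap by exactly the kind of 6-byte WRITE shown. The following is an added illustration of that bug class and its fix; it is not sed's code and not the attached patch (whose contents are not on this page). The `struct line` type and the `line_*` and `check_*` function names are constructed for this example.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed growable byte buffer (not sed's own structure): the kind of
 * heap region that wcrtomb() writes into when rebuilding a modified string. */
struct line {
  char *active;   /* heap buffer */
  size_t length;  /* bytes in use */
  size_t alloc;   /* bytes allocated */
};

static void line_init(struct line *l, size_t initial)
{
  if (initial == 0)
    initial = 1;
  l->active = malloc(initial);
  if (!l->active) { perror("malloc"); exit(EXIT_FAILURE); }
  l->length = 0;
  l->alloc = initial;
}

static void line_free(struct line *l)
{
  free(l->active);
  l->active = NULL;
  l->length = l->alloc = 0;
}

/* Guarantee at least NEED free bytes after l->length, growing geometrically. */
static void line_reserve(struct line *l, size_t need)
{
  if (l->alloc - l->length >= need)
    return;
  size_t want = l->length + need;
  size_t grown = l->alloc * 2;
  if (grown < want)
    grown = want;
  char *p = realloc(l->active, grown);
  if (!p) { perror("realloc"); exit(EXIT_FAILURE); }
  l->active = p;
  l->alloc = grown;
}

/* Append the multibyte encoding of WC.  wcrtomb() may write up to MB_CUR_MAX
 * bytes, so that much room is reserved BEFORE the call; reserving only after
 * the write is the heap overrun the sanitizer trace reports.
 * Returns the number of bytes appended, or (size_t)-1 if WC is not encodable. */
static size_t line_append_wchar(struct line *l, wchar_t wc, mbstate_t *st)
{
  line_reserve(l, MB_CUR_MAX);
  size_t n = wcrtomb(l->active + l->length, wc, st);
  if (n == (size_t)-1)
    return n;
  l->length += n;
  return n;
}

/* Append a whole wide string; returns total bytes appended or (size_t)-1. */
static size_t line_append_wide(struct line *l, const wchar_t *ws)
{
  mbstate_t st;
  memset(&st, 0, sizeof st);
  size_t total = 0;
  for (; *ws; ws++) {
    size_t n = line_append_wchar(l, *ws, &st);
    if (n == (size_t)-1)
      return n;
    total += n;
  }
  return total;
}

/* Self-check in the "C" locale: a 1-byte buffer must grow to hold "hello".
 * Returns 1 on success, 0 otherwise. */
int check_ascii_append(void)
{
  setlocale(LC_ALL, "C");
  struct line l;
  line_init(&l, 1);
  size_t n = line_append_wide(&l, L"hello");
  int ok = n == 5 && l.length == 5 && l.alloc >= 5
           && memcmp(l.active, "hello", 5) == 0;
  line_free(&l);
  return ok;
}

/* Self-check in a UTF-8 locale: U+00E9 must become the two bytes C3 A9, and a
 * buffer deliberately sized for one byte must have grown before the write.
 * Returns 1 on success, 0 when no UTF-8 locale is installed, -1 on mismatch. */
int check_utf8_append(void)
{
  if (!setlocale(LC_ALL, "C.UTF-8") && !setlocale(LC_ALL, "en_US.UTF-8"))
    return 0;
  wchar_t ws[2] = { (wchar_t)0xE9, 0 };   /* constructed input: "é" */
  struct line l;
  line_init(&l, 1);
  size_t n = line_append_wide(&l, ws);
  int ok = n == 2 && l.length == 2 && l.alloc >= 2
           && (unsigned char)l.active[0] == 0xC3
           && (unsigned char)l.active[1] == 0xA9;
  line_free(&l);
  return ok ? 1 : -1;
}

int main(void)
{
  printf("ascii: %d\nutf8: %d\n", check_ascii_append(), check_utf8_append());
  return 0;
}
```

The locale matters for the check as much as for the bug: in the "C" locale MB_CUR_MAX is 1 and the overrun cannot occur, which is why the reduced reproducer above sets LC_ALL=en_US.utf8. When fuzzing or regression-testing code that round-trips through wcrtomb(), run it under ASAN in a multibyte locale, or the defect stays invisible.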

Information forwarded to bug-sed <at> gnu.org:
bug#22127; Package sed. (Sat, 28 Jan 2017 23:12:01 GMT)

Message #11 received at 22127 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: Hanno Böck <hanno <at> hboeck.de>, 22127 <at> debbugs.gnu.org
Subject: Re: bug#22127: Segfault / null pointer access in function str_append_modified()
Date: Sat, 28 Jan 2017 23:11:06 +0000
tags 22172 fixed
close 22172
stop

Hello,

On Thu, Dec 17, 2015 at 06:56:51PM -0800, Jim Meyering wrote:
>On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
>> With a malformed input (see attachment) sed can crash in the function
>> str_append_modified()
>
>Thank you for the report.
>I've reduced it to the following one-liner (demonstrating
>failure with an ASAN-enabled binary), and have attached
>a patch:

The fix was pushed here:
 http://git.savannah.gnu.org/cgit/sed.git/commit/?id=67b3fcc980
and was included in sed-4.3.

I'm marking this as fixed and closing the bug.

regards,
- assaf




Added tag(s) fixed. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 16 Feb 2017 23:02:01 GMT)

bug closed, send any further explanations to 22127 <at> debbugs.gnu.org and Hanno Böck <hanno <at> hboeck.de>. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 16 Feb 2017 23:02:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Mar 2017 11:24:04 GMT)

This bug report was last modified 7 years and 51 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.