Subject: bug#34142: AddressSanitizer reported heap-buffer-overflow
To: 34142 <at> debbugs.gnu.org
From: Hongxu Chen <leftcopy.chx@HIDDEN>
Date: Sun, 20 Jan 2019 14:09:48 +0800
Hi,
When the latest sed (4.7.4-f8503-dirty) is compiled with ASan, it reports a
heap-buffer-overflow when executing the following command.
echo '0000000000000000000000000000' | ./sed -f c02.sed
=================================================================
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
#0 0x4b4135 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
#1 0x5b274c in proceed_next_node
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
#2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
#3 0x569a4f in re_search_internal
/home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
#4 0x56acd7 in re_search_stub
/home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
#5 0x56b061 in rpl_re_search
/home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
#6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
#7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
#8 0x5233a2 in execute_program
/home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
#9 0x520cba in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
#10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
#11 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41b219 in _start
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
0x606000000233 is located 0 bytes to the right of 51-byte region
[0x606000000200,0x606000000233)
allocated by thread T0 here:
#0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
#1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
#2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
#3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
#4 0x5209ad in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
#5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
#6 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13920==ABORTING
[1] 13917 done echo '0000000000000000000000000000' |
13920 abort ./sed -f c02.sed
c02.sed is attached (it seems ok when executing with the c02.sed content directly,
`echo '0000000000000000000000000000' | ./sed -f "s000;s0\(..*\)*\1\(\)\S00"`).
This seems to be an issue in lib/regexec.c, since we found that GNU debbugs #34140 has
a similar case.
Best Regards,
Hongxu
Content-Type: application/octet-stream; name="c02.sed"
Content-Disposition: attachment; filename="c02.sed"
Content-Transfer-Encoding: base64
czCJMDA7czBcKC4uKlwpKlwxXChcKVxTMDA=
Subject: bug#34142: AddressSanitizer reported heap-buffer-overflow
To: Hongxu Chen <leftcopy.chx@HIDDEN>, 34142 <at> debbugs.gnu.org
From: Assaf Gordon <assafgordon@HIDDEN>
Date: Sun, 20 Jan 2019 02:14:10 -0700
(forwarding to gnulib)
Hello,
Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:
git clone git://git.sv.gnu.org/sed.git
cd sed
./bootstrap && ./configure
make build-asan
echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'
The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:
On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
> #0 0x4b4135 in __interceptor_memcmp.part.283
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
> #1 0x5b274c in proceed_next_node
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
> #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
> #3 0x569a4f in re_search_internal
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
> #4 0x56acd7 in re_search_stub
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
> #5 0x56b061 in rpl_re_search
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
> #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
> #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
> #8 0x5233a2 in execute_program
> /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
> #9 0x520cba in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
> #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #11 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
> #12 0x41b219 in _start
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region
> [0x606000000200,0x606000000233)
> allocated by thread T0 here:
> #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
> #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
> #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
> #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
> #4 0x5209ad in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
> #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #6 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
> __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
> 0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> 0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
> 0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==13920==ABORTING
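Reports like the one quoted above are normally triaged by a script rather than by eye. The following Python is an added example, not part of this thread or of sed/gnulib: it parses the quoted ASan report even with the line wrapping the mailer applied to it, and derives what a crash tracker keys on: the bug class, the access, the adjacent heap region, a deduplication key built from the top program frames (sanitizer interceptor frames skipped), and the allocation site. The sample report is an excerpt of the one above; the allocator-wrapper list and the frame depth are assumptions of the example.

```python
import re

# The report lines triage keys on; a frame reads "#1 0x5b274c in func /path/file.c:1296:9".
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s*(.*)$")
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")  # sanitizer frames, not program
# Allocator entry points plus gnulib's x* wrappers: the allocation *site* is the first
# allocation-stack frame that is none of these (a heuristic chosen for this example).
ALLOCATOR_WRAPPERS = {"malloc", "calloc", "realloc", "xmalloc", "xzalloc", "xcalloc", "xrealloc"}
SECTION_PREFIXES = ("0x", "SUMMARY", "allocated", "freed", "Shadow", "==")  # lines ending a trace

# Constructed sample: an excerpt of the report quoted above, with the mailer's line wrapping.
SAMPLE_REPORT = """\
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
    #0 0x4b4135 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
    #1 0x5b274c in proceed_next_node
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
    #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
    #3 0x569a4f in re_search_internal
/home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10

0x606000000233 is located 0 bytes to the right of 51-byte region
[0x606000000200,0x606000000233)
allocated by thread T0 here:
    #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
    #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
    #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
    #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15

SUMMARY: AddressSanitizer: heap-buffer-overflow
"""

def _collect_frames(lines, start):
    """Collect one stack trace from lines[start].  A line that is neither a frame nor a
    section header, directly after a frame, is a mailer-wrapped continuation of that
    frame's source location.  Returns (frames, index of the line that ended the trace)."""
    frames, i = [], start
    while i < len(lines):
        line = lines[i].strip()
        if m := FRAME_RE.match(line):
            frames.append({"func": m.group(1), "loc": m.group(2).strip()})
        elif frames and line and not line.startswith(SECTION_PREFIXES):
            frames[-1]["loc"] = (frames[-1]["loc"] + " " + line).strip()
        elif frames:
            break  # blank line or next section: the trace is complete
        i += 1
    return frames, i

def parse_asan_report(text):
    """Extract bug class, access, address, adjacent region and both stack traces."""
    lines = text.splitlines()
    r = {"error": None, "access": None, "size": None, "address": None,
         "region": None, "frames": [], "alloc_frames": []}
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if r["error"] is None and (m := ERROR_RE.search(line)):
            r["error"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            # ASan reports the first *poisoned* byte of a range access; a memcmp may have begun inside the buffer.
            r["access"], r["size"], r["address"] = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            r["region"] = {"distance": int(m.group(1)), "side": m.group(2), "size": int(m.group(3))}
        elif line.startswith("allocated by"):
            r["alloc_frames"], i = _collect_frames(lines, i + 1)
            continue
        elif FRAME_RE.match(line) and not r["frames"]:
            r["frames"], i = _collect_frames(lines, i)
            continue
        i += 1
    return r

def program_frames(frames):
    """Drop sanitizer runtime frames such as __interceptor_memcmp.part.283."""
    return [f for f in frames if not f["func"].startswith(RUNTIME_PREFIXES)]

def crash_key(report, depth=3):
    """Deduplication key: bug class plus the top `depth` program frames, with compiler
    clone suffixes (.part.N, .isra.N, .constprop.N, .cold) stripped so builds collide."""
    funcs = [re.sub(r"\.(part|isra|constprop|cold)(\.\d+)?$", "", f["func"])
             for f in program_frames(report["frames"])[:depth]]
    return f"{report['error']}:" + ">".join(funcs)

def allocation_site(report):
    """First allocation-stack frame below the allocator wrappers, or None."""
    return next((f for f in report["alloc_frames"] if f["func"] not in ALLOCATOR_WRAPPERS), None)

def triage_line(report):
    """One-line summary of the kind a crash tracker shows; assumes region and site were found."""
    reg, site = report["region"], allocation_site(report)
    return (f"{report['error']}: {report['access']} of size {report['size']} at "
            f"{report['address']}, {reg['distance']} bytes to the {reg['side']} of a "
            f"{reg['size']}-byte region allocated in {site['func']} ({site['loc']})")
```

For the sample above the key comes out as `heap-buffer-overflow:proceed_next_node>set_regs>re_search_internal`, which is the part of the trace worth comparing against other regexec reports such as the one referenced from #34140.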