From: Assaf Gordon <assafgordon@HIDDEN>
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
To: Hongxu Chen <leftcopy.chx@HIDDEN>, 34142 <at> debbugs.gnu.org,
"bug-gnulib@HIDDEN List" <bug-gnulib@HIDDEN>
References: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>
Message-ID: <33466703-d85e-400d-3f19-f2ece6d9c32a@HIDDEN>
Date: Sun, 20 Jan 2019 02:15:08 -0700
In-Reply-To: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:

  git clone git://git.sv.gnu.org/sed.git
  cd sed
  ./bootstrap && ./configure
  make build-asan
  echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
> #0 0x4b4135 in __interceptor_memcmp.part.283
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
> #1 0x5b274c in proceed_next_node
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
> #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
> #3 0x569a4f in re_search_internal
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
> #4 0x56acd7 in re_search_stub
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
> #5 0x56b061 in rpl_re_search
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
> #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
> #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
> #8 0x5233a2 in execute_program
> /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
> #9 0x520cba in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
> #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #11 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
> #12 0x41b219 in _start
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region
> [0x606000000200,0x606000000233)
> allocated by thread T0 here:
> #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
> #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
> #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
> #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
> #4 0x5209ad in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
> #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #6 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
> __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
> 0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> 0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
> 0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==13920==ABORTING
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
To: Hongxu Chen <leftcopy.chx@HIDDEN>, 34142 <at> debbugs.gnu.org
References: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>
From: Assaf Gordon <assafgordon@HIDDEN>
Message-ID: <e7ba7ae7-8585-fef9-7a17-553d34be60b7@HIDDEN>
Date: Sun, 20 Jan 2019 02:14:10 -0700
In-Reply-To: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:

  git clone git://git.sv.gnu.org/sed.git
  cd sed
  ./bootstrap && ./configure
  make build-asan
  echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
> #0 0x4b4135 in __interceptor_memcmp.part.283
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
> #1 0x5b274c in proceed_next_node
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
> #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
> #3 0x569a4f in re_search_internal
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
> #4 0x56acd7 in re_search_stub
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
> #5 0x56b061 in rpl_re_search
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
> #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
> #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
> #8 0x5233a2 in execute_program
> /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
> #9 0x520cba in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
> #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #11 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
> #12 0x41b219 in _start
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region
> [0x606000000200,0x606000000233)
> allocated by thread T0 here:
> #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
> #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
> #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
> #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
> #4 0x5209ad in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
> #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #6 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
> __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
> 0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> 0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
> 0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==13920==ABORTING
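Both of Assaf's messages give the same reproduction, and the trace they quote ends in memcmp() called from proceed_next_node(). What follows is an added example, not code from gnulib, sed, or anyone on this thread: a hypothetical, simplified backreference check written in the defective shape the trace suggests (the length of the captured group is handed to memcmp() without asking how much input is left) next to a bounded form, plus a helper that computes how far such a compare overruns a buffer, fed with the 51-byte region and 26-byte read from the report. The function names, the test inputs and the layout of the matcher state are this example's assumptions, not the real regexec.c logic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical matcher state: input[cap_start, cap_end) is the text the
   group captured, pos is where the matcher now stands, and len is the
   number of valid bytes in input. All of this is the example's own model. */

/* Defective form: the remaining length (len - pos) is never consulted, so
   when the capture is longer than what is left, memcmp() reads past the end
   of the buffer. In an ASan build that shows up as a heap-buffer-overflow
   READ whose size is the capture length. Kept for contrast; nothing in this
   file calls it. */
int backref_matches_unchecked(const char *input, size_t len,
                              size_t cap_start, size_t cap_end, size_t pos)
{
    size_t cap_len = cap_end - cap_start;
    (void)len;                              /* the bound is ignored: the bug */
    return memcmp(input + cap_start, input + pos, cap_len) == 0;
}

/* Bounded form: a backreference can only match if the whole capture fits in
   input[pos, len), so decide that before touching memory. The check is
   written as cap_len > len - pos rather than pos + cap_len > len so that the
   comparison itself cannot wrap around. */
int backref_matches_bounded(const char *input, size_t len,
                            size_t cap_start, size_t cap_end, size_t pos)
{
    if (cap_start > cap_end || cap_end > len || pos > len)
        return 0;                           /* inconsistent match state */
    size_t cap_len = cap_end - cap_start;
    if (cap_len > len - pos)
        return 0;                           /* capture cannot fit: no match */
    return memcmp(input + cap_start, input + pos, cap_len) == 0;
}

/* Number of bytes an unchecked compare of cap_len bytes at offset pos would
   read beyond a buffer of len bytes (0 when it stays in bounds). */
size_t overrun_bytes(size_t len, size_t pos, size_t cap_len)
{
    size_t remaining = pos >= len ? 0 : len - pos;
    return cap_len > remaining ? cap_len - remaining : 0;
}

int main(void)
{
    /* Constructed input: the group captured "ab" at [0,2). At pos 2 the same
       two bytes recur; at pos 3 only one byte is left, so no match. */
    printf("abab, capture [0,2), pos 2: %d\n",
           backref_matches_bounded("abab", 4, 0, 2, 2));
    printf("abab, capture [0,2), pos 3: %d\n",
           backref_matches_bounded("abab", 4, 0, 2, 3));
    /* Figures from the report on this page: a 26-byte compare that starts
       0 bytes past the end of a 51-byte allocation reads 26 bytes beyond it. */
    printf("bytes read past the allocation: %zu\n", overrun_bytes(51, 51, 26));
    return 0;
}
```

The bounded variant refuses before comparing rather than clamping the length: a clamped memcmp() of fewer bytes could report a spurious partial match, while "capture does not fit" is simply "backreference does not match here".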
From: Hongxu Chen <leftcopy.chx@HIDDEN>
Date: Sun, 20 Jan 2019 14:09:48 +0800
Message-ID: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>
Subject: AddressSanitizer reported heap-buffer-overflow
To: bug-sed@HIDDEN

Hi,

When the latest sed (4.7.4-f8503-dirty) is compiled with ASan, it reports a
heap-buffer-overflow when executing the following command.

  echo '0000000000000000000000000000' | ./sed -f c02.sed

=================================================================
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
#0 0x4b4135 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
#1 0x5b274c in proceed_next_node
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
#2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
#3 0x569a4f in re_search_internal
/home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
#4 0x56acd7 in re_search_stub
/home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
#5 0x56b061 in rpl_re_search
/home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
#6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
#7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
#8 0x5233a2 in execute_program
/home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
#9 0x520cba in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
#10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
#11 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41b219 in _start
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
0x606000000233 is located 0 bytes to the right of 51-byte region
[0x606000000200,0x606000000233)
allocated by thread T0 here:
#0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
#1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
#2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
#3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
#4 0x5209ad in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
#5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
#6 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13920==ABORTING
[1] 13917 done echo '0000000000000000000000000000' |
13920 abort ./sed -f c02.sed

c02.sed is attached (it seems ok when executing with the c02.sed content
directly, `echo '0000000000000000000000000000' | ./sed -f
"s000;s0\(..*\)*\1\(\)\S00"`).

This seems to be an issue in lib/regexec.c, since we found that GNU debbugs
#34140 has a similar case.

Best Regards,
Hongxu
[Attachment: c02.sed (application/octet-stream), base64-encoded]
czCJMDA7czBcKC4uKlwpKlwxXChcKVxTMDA=
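As an added example (not part of Hongxu's report, of sed or of gnulib), the parser below pulls out of an ASan report the fields a triager records: error kind, access type and size, faulting address, the two innermost frames, and the bounds of the nearest allocation, and then computes where the access sits relative to that allocation. The sample text is an abridged copy of the report above, re-joined onto single lines as ASan prints them (the mail client had wrapped them); the struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Fields worth keeping from one ASan report (example's own layout). */
struct asan_finding {
    char kind[64];                 /* e.g. "heap-buffer-overflow" */
    char access[8];                /* "READ" or "WRITE" */
    size_t size;                   /* bytes touched by the faulting access */
    unsigned long long addr;       /* first faulting address */
    unsigned long long region_lo;  /* nearest allocation: [region_lo, region_hi) */
    unsigned long long region_hi;
    char frame0[128];              /* innermost frame, often a libc interceptor */
    char frame1[128];              /* its caller: the first project frame here */
};

/* Constructed sample: the report from this thread, abridged. */
static const char SAMPLE_REPORT[] =
"==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0\n"
"READ of size 26 at 0x606000000233 thread T0\n"
"    #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)\n"
"    #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9\n"
"    #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18\n"
"\n"
"0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)\n"
"allocated by thread T0 here:\n"
"    #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)\n"
"    #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13\n"
"    #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18\n"
"    #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15\n"
"SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283\n";

/* Fill *f from the text of one ASan report. Returns 1 on success and 0 when
   a needed field is missing (another sanitizer's format, a truncated log). */
int parse_asan_report(const char *text, struct asan_finding *f)
{
    const char *p;
    memset(f, 0, sizeof *f);

    /* "ERROR: AddressSanitizer: <kind> on address ..." */
    p = strstr(text, "ERROR: AddressSanitizer: ");
    if (!p || sscanf(p, "ERROR: AddressSanitizer: %63s", f->kind) != 1)
        return 0;

    /* "READ of size 26 at 0x... thread T0": back up to the start of the
       line so that the access type is the first token. */
    p = strstr(p, " of size ");
    if (!p)
        return 0;
    while (p > text && p[-1] != '\n')
        p--;
    if (sscanf(p, "%7s of size %zu at %llx", f->access, &f->size, &f->addr) != 3)
        return 0;

    /* Access stack: "#N <pc> in <symbol> <location>". %*s skips the pc. */
    p = strstr(p, "#0 ");
    if (!p || sscanf(p, "#0 %*s in %127s", f->frame0) != 1)
        return 0;
    p = strstr(p, "#1 ");
    if (!p || sscanf(p, "#1 %*s in %127s", f->frame1) != 1)
        return 0;

    /* "... of 51-byte region [0x...,0x...)": %llx accepts the 0x prefix. */
    p = strstr(p, "-byte region [");
    if (!p || sscanf(p, "-byte region [%llx,%llx)", &f->region_lo, &f->region_hi) != 2)
        return 0;
    return 1;
}

/* Size of the allocation the access was attributed to. */
unsigned long long asan_region_size(const struct asan_finding *f)
{
    return f->region_hi - f->region_lo;
}

/* Distance from the end of the allocation to the first byte accessed
   (ASan's "N bytes to the right"); 0 when the access starts at or inside it. */
unsigned long long asan_bytes_past_end(const struct asan_finding *f)
{
    return f->addr > f->region_hi ? f->addr - f->region_hi : 0;
}

/* Bytes of the access that lie beyond the allocation: the whole access when
   it starts at the end, a partial count when it starts inside. */
unsigned long long asan_overrun_bytes(const struct asan_finding *f)
{
    unsigned long long end = f->addr + f->size;
    return end > f->region_hi ? end - f->region_hi : 0;
}

int main(void)
{
    struct asan_finding f;
    if (!parse_asan_report(SAMPLE_REPORT, &f)) {
        fprintf(stderr, "could not parse report\n");
        return 1;
    }
    printf("%s: %s of %zu bytes at 0x%llx in %s, called from %s\n",
           f.kind, f.access, f.size, f.addr, f.frame0, f.frame1);
    printf("nearest allocation: %llu bytes [0x%llx,0x%llx)\n",
           asan_region_size(&f), f.region_lo, f.region_hi);
    printf("access starts %llu bytes past its end and overruns it by %llu bytes\n",
           asan_bytes_past_end(&f), asan_overrun_bytes(&f));
    return 0;
}
```

For this report the numbers line up with what the trace says in prose: a 51-byte allocation, an access that begins 0 bytes past its end, and all 26 bytes of the memcmp() read falling outside it. Recording the caller of the interceptor (frame1) rather than the interceptor itself is what lets duplicate reports such as #34140 and this one be grouped by the code location that is actually responsible.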