From: Assaf Gordon <assafgordon@HIDDEN>
To: Hongxu Chen <leftcopy.chx@HIDDEN>, 34142 <at> debbugs.gnu.org, "bug-gnulib@HIDDEN List" <bug-gnulib@HIDDEN>
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
Date: Sun, 20 Jan 2019 02:15:08 -0700
Message-ID: <33466703-d85e-400d-3f19-f2ece6d9c32a@HIDDEN>
In-Reply-To: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:

  git clone git://git.sv.gnu.org/sed.git
  cd sed
  ./bootstrap && ./configure
  make build-asan
  echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
>     #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
>     #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
>     #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
>     #3 0x569a4f in re_search_internal /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
>     #4 0x56acd7 in re_search_stub /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
>     #5 0x56b061 in rpl_re_search /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
>     #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
>     #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
>     #8 0x5233a2 in execute_program /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
>     #9 0x520cba in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
>     #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #11 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>     #12 0x41b219 in _start (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)
> allocated by thread T0 here:
>     #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
>     #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
>     #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
>     #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
>     #4 0x5209ad in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
>     #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #6 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
>   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
>   0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
>   0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==13920==ABORTING

From: Assaf Gordon <assafgordon@HIDDEN>
To: Hongxu Chen <leftcopy.chx@HIDDEN>, 34142 <at> debbugs.gnu.org
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
Date: Sun, 20 Jan 2019 02:14:10 -0700
Message-ID: <e7ba7ae7-8585-fef9-7a17-553d34be60b7@HIDDEN>
In-Reply-To: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:

  git clone git://git.sv.gnu.org/sed.git
  cd sed
  ./bootstrap && ./configure
  make build-asan
  echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
>     #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
>     #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
>     #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
>     #3 0x569a4f in re_search_internal /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
>     #4 0x56acd7 in re_search_stub /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
>     #5 0x56b061 in rpl_re_search /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
>     #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
>     #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
>     #8 0x5233a2 in execute_program /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
>     #9 0x520cba in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
>     #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #11 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>     #12 0x41b219 in _start (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)
> allocated by thread T0 here:
>     #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
>     #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
>     #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
>     #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
>     #4 0x5209ad in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
>     #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #6 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
>   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
>   0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
>   0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==13920==ABORTING

From: Hongxu Chen <leftcopy.chx@HIDDEN>
To: bug-sed@HIDDEN
Subject: AddressSanitizer reported heap-buffer-overflow
Date: Sun, 20 Jan 2019 14:09:48 +0800
Message-ID: <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@HIDDEN>
Content-Type: multipart/mixed; boundary="0000000000000a9597057fdd98a7"

Hi,

    When latest sed (4.7.4-f8503-dirty) is compiled with ASan, it reports a heap-buffer-overflow when executing the following command.

      echo '0000000000000000000000000000' | ./sed -f c02.sed

=================================================================
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
    #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
    #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
    #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
    #3 0x569a4f in re_search_internal /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
    #4 0x56acd7 in re_search_stub /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
    #5 0x56b061 in rpl_re_search /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
    #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
    #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
    #8 0x5233a2 in execute_program /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
    #9 0x520cba in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
    #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
    #11 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41b219 in _start (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)

0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)
allocated by thread T0 here:
    #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
    #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
    #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
    #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
    #4 0x5209ad in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
    #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
    #6 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283
Shadow bytes around the buggy address:
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13920==ABORTING
[1]    13917 done       echo '0000000000000000000000000000' |
       13920 abort      ./sed -f c02.sed

c02.sed is attached (it seems ok when executing with the c02.sed content directly, `echo '0000000000000000000000000000' | ./sed -f "s000;s0\(..*\)*\1\(\)\S00"`).

This seems to be an issue in lib/regexec.c, since we found GNU debbugs #34140 has a similar case.

Best Regards,
Hongxu

--0000000000000a9597057fdd98a7
Content-Type: application/octet-stream; name="c02.sed"
Content-Disposition: attachment; filename="c02.sed"
Content-Transfer-Encoding: base64

czCJMDA7czBcKC4uKlwpKlwxXChcKVxTMDA=
--0000000000000a9597057fdd98a7--

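The ASan report above, read by a triage script: an added example (not from the bug thread, sed or gnulib) that parses the report text into the bug kind, the faulting access, how far the read runs past the 51-byte region, the first stack frame outside the sanitizer runtime and the allocation site, which is the record a fuzzing pipeline keys on to fold repeated crashes of one bug into one ticket. The sample report embedded below is the report from this bug, trimmed to the lines the parser reads.

```python
"""Triage helper for AddressSanitizer reports such as the one in this bug.
Added example, not part of the bug thread or of sed/gnulib."""
import re
from dataclasses import dataclass

# Constructed sample: the report from the bug, trimmed to the lines parsed.
SAMPLE_REPORT = """\
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
    #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
    #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
    #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18

0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)
allocated by thread T0 here:
    #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
    #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
    #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
    #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283
==13920==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<rsize>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)

# Frames owned by the sanitizer runtime or by allocator wrappers are skipped
# when naming a culprit, so the key points at the code under test.
INTERCEPTOR_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")
ALLOCATOR_NAMES = {"malloc", "calloc", "realloc", "xmalloc", "xzalloc", "xcalloc", "xrealloc"}


@dataclass
class Frame:
    func: str
    loc: str  # file:line:col with debug info, else (binary+offset)


@dataclass
class AsanTriage:
    kind: str
    op: str
    size: int
    addr: int
    region_start: int
    region_size: int
    access_stack: list
    alloc_stack: list

    def bytes_past_end(self) -> int:
        """How many bytes of the access lie beyond the end of the region."""
        return max(0, self.addr + self.size - (self.region_start + self.region_size))

    def culprit(self) -> Frame:
        """First access-stack frame outside the sanitizer runtime."""
        return next((f for f in self.access_stack
                     if not f.func.startswith(INTERCEPTOR_PREFIXES)), self.access_stack[0])

    def allocation_site(self) -> Frame:
        """First allocation-stack frame that is not an allocator wrapper."""
        return next((f for f in self.alloc_stack
                     if f.func.split(".")[0] not in ALLOCATOR_NAMES), self.alloc_stack[-1])

    def dedup_key(self) -> str:
        """Stable grouping key: bug kind, access type and culprit function."""
        return f"{self.kind}:{self.op}:{self.culprit().func}"


def parse_asan_report(text: str) -> AsanTriage:
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a heap-access AddressSanitizer report")
    # Frames before "allocated by" belong to the faulting access; frames
    # between it and SUMMARY describe where the region was allocated.
    alloc_at = text.index("allocated by")
    summary_at = text.index("SUMMARY:")
    access = [Frame(m["func"], m["loc"]) for m in FRAME_RE.finditer(text[:alloc_at])]
    alloc = [Frame(m["func"], m["loc"]) for m in FRAME_RE.finditer(text[alloc_at:summary_at])]
    return AsanTriage(
        kind=err["kind"], op=acc["op"], size=int(acc["size"]), addr=int(err["addr"], 16),
        region_start=int(reg["start"], 16), region_size=int(reg["rsize"]),
        access_stack=access, alloc_stack=alloc)


if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(t.dedup_key(), "->", t.culprit().loc, "| allocated at", t.allocation_site().loc)
```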
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.