GNU bug report logs - #39166
[PATCH] sed: handle very long input lines with R


Package: sed;

Reported by: Tobias Stoeckmann <tobias <at> stoeckmann.org>

Date: Fri, 17 Jan 2020 21:29:02 UTC

Severity: normal

Tags: patch

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.

Report forwarded to bug-sed <at> gnu.org:
bug#39166; Package sed. (Fri, 17 Jan 2020 21:29:02 GMT)

Acknowledgement sent to Tobias Stoeckmann <tobias <at> stoeckmann.org>:
New bug report received and forwarded. Copy sent to bug-sed <at> gnu.org. (Fri, 17 Jan 2020 21:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Stoeckmann <tobias <at> stoeckmann.org>
To: bug-sed <at> gnu.org
Subject: [PATCH] sed: handle very long input lines with R
Date: Fri, 17 Jan 2020 21:28:28 +0100
It is possible to trigger an out of boundary memory access when
using the sed command R with an input file containing very long
lines.

The problem is that the line length of the parsed file is returned as
a size_t by ck_getdelim, but temporarily stored in an int and
then converted back into a size_t. On systems like amd64, on which
this problem can be triggered, size_t and int have different sizes.

If the input line is longer than 2 GB (which is parseable on amd64
or other 64 bit systems), this means that the temporarily stored
int turns negative. Converting the negative int back into a size_t
will lead to an excessively large size_t, as the conversion leads to
a lot of leading 1 bits.

Eventually ck_fwrite is called with this huge size_t which in turn
will lead to an out of boundary access on amd64 systems -- after all
the parsed text was just a bit above 2 GB, not near SIZE_MAX.

You can trigger this issue with GNU sed on OpenBSD like this:

$ dd if=/dev/zero bs=1M count=2049 | tr '\0' 'e' > long.txt
$ sed Rlong.txt /etc/fstab
Segmentation fault (core dumped)
$ _

I was unable to trigger the bug on a Linux system with glibc due to
a bug in glibc's fwrite implementation -- it leads to a short write
and sed treats that correctly as an error.

Signed-off-by: Tobias Stoeckmann <tobias <at> stoeckmann.org>
---
 sed/execute.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sed/execute.c b/sed/execute.c
index 8f43f2e..f94b125 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -1518,7 +1518,7 @@ execute_program (struct vector *vec, struct input *input)
                   struct append_queue *aq;
                   size_t buflen;
                   char *text = NULL;
-                  int result;
+                  size_t result;
 
                   result = ck_getdelim (&text, &buflen, buffer_delimiter,
                                         cur_cmd->x.inf->fp);
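Review bot: the widened declaration removes the narrowing, but the hunk ends right after the `ck_getdelim` call, so the condition that consumes `result` is outside the visible context; with `result` now a `size_t`, any test written around a negative value (for instance `result < 0`) becomes always-false, and a comparison against `-1` or `EOF` only works through the implicit conversion of that negative int to `SIZE_MAX`. Please extend the context to include the line that checks `result`, or confirm in the commit message that it compares against a `size_t` sentinel, so a reader of this diff can see the EOF path is still correct.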
-- 
2.25.0
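The report's explanation of the size_t -> int -> size_t round trip is easy to check in a few lines without allocating a 2 GB file. The following is an added example, not sed's code and not part of the original report or patch; it models the pre-patch bookkeeping (length passes through an int), the post-patch bookkeeping (length stays a size_t), and the bounds check a write routine would need to reject the wrong length. The names narrow_through_int, keep_size_t, survives_int_roundtrip and length_within_buffer are hypothetical, the 2049 MiB line length is constructed to match the report's long.txt, and the widths assume an LP64 platform (4-byte int, 8-byte size_t) such as amd64.

```c
/* Added example (not sed's code): models the size_t -> int -> size_t
 * round trip described in the bug report, plus the bounds check a
 * writer needs in order to catch the bad length.  Assumes LP64
 * (4-byte int, 8-byte size_t), i.e. amd64 as in the report. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch bookkeeping: the length is stored in an int and widened
 * back.  Converting an out-of-range value to int is implementation-
 * defined in C, so the two's-complement wrap that amd64 compilers
 * perform is computed explicitly here to keep the model portable. */
size_t narrow_through_int(size_t len)
{
    int64_t low32 = (int64_t)(len % 4294967296ULL); /* keep the low 32 bits */
    if (low32 > INT32_MAX)
        low32 -= 4294967296LL;                      /* reinterpret as signed */
    /* Sign-extending a negative int into a 64-bit size_t fills the
     * high bits with ones; that is where the huge value comes from. */
    return (size_t)low32;
}

/* Post-patch bookkeeping: the length is never narrowed. */
size_t keep_size_t(size_t len)
{
    return len;
}

/* True when the stored length can still be trusted after the round trip. */
bool survives_int_roundtrip(size_t len)
{
    return narrow_through_int(len) == len;
}

/* Defensive check a write path can apply before touching memory:
 * refuse any length larger than the buffer that was actually allocated. */
bool length_within_buffer(size_t buflen, size_t textlen)
{
    return textlen <= buflen;
}

int main(void)
{
    /* Constructed input: 2049 MiB, just above INT_MAX, like long.txt. */
    const size_t line_len = 2049ULL * 1024 * 1024;
    const size_t buflen = line_len;          /* what the reader allocated */

    size_t bad = narrow_through_int(line_len);
    size_t good = keep_size_t(line_len);

    printf("actual length   : %zu\n", line_len);
    printf("via int         : %zu (fits buffer: %s)\n", bad,
           length_within_buffer(buflen, bad) ? "yes" : "NO");
    printf("via size_t      : %zu (fits buffer: %s)\n", good,
           length_within_buffer(buflen, good) ? "yes" : "NO");
    printf("roundtrip safe  : %s\n",
           survives_int_roundtrip(line_len) ? "yes" : "no");
    return 0;
}
```

Run as written, the int path reports a length of 18446744071563116544 for a 2148532224-byte line, which is what a write of `result` bytes would hand to fwrite, while the size_t path reports the true length; the buffer check is the kind of guard that turns the first case into a clean error rather than an out-of-bounds read.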
Reply sent to Jim Meyering <jim <at> meyering.net>:
You have taken responsibility. (Sat, 18 Jan 2020 16:15:01 GMT)

Notification sent to Tobias Stoeckmann <tobias <at> stoeckmann.org>:
bug acknowledged by developer. (Sat, 18 Jan 2020 16:15:02 GMT)

Message #10 received at 39166-done <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Tobias Stoeckmann <tobias <at> stoeckmann.org>
Cc: 39166-done <at> debbugs.gnu.org
Subject: Re: bug#39166: [PATCH] sed: handle very long input lines with R
Date: Sat, 18 Jan 2020 08:14:23 -0800
On Fri, Jan 17, 2020 at 1:29 PM Tobias Stoeckmann <tobias <at> stoeckmann.org> wrote:
> It is possible to trigger an out of boundary memory access when
> using the sed command R with an input file containing very long
> lines.

Thank you for another fine patch.
I've adjusted the commit log and will push the attached later today.
[sed-2G-R.diff (application/octet-stream, attachment)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 16 Feb 2020 12:24:04 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.