Package: sed;
Reported by: Raimar Falke <i-gnu-org <at> rf.risimo.net>
Date: Tue, 9 Jun 2020 06:16:02 UTC
Severity: normal
To reply to this bug, email your comments to 41773 AT debbugs.gnu.org.
bug-sed <at> gnu.org: bug#41773; Package sed. (Tue, 09 Jun 2020 06:16:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Raimar Falke <i-gnu-org <at> rf.risimo.net>
To: bug-sed <at> gnu.org
Subject: Fuzzer created crash
Date: Tue, 9 Jun 2020 07:31:22 +0200

Hello

I was playing around with https://github.com/google/AFL and indeed found a crash.

> cat sed_min_result
/0*\(\|\|.\)\+\(\(\)\)\1/s000
> echo "foo\nbar" | sed -f sed_min_result
sed: regexec.c:1361: pop_fail_stack: Assertion `num >= 0' failed.
Aborted (core dumped)
> echo "foo" | sed -f sed_min_result
> sed --version
sed (GNU sed) 4.5
...

Backtrace using gdb:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5ae0a85895 in __GI_abort () at abort.c:79
#2  0x00007f5ae0a85769 in __assert_fail_base (fmt=0x7f5ae0bece88 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=<optimized out>) at assert.c:92
#3  0x00007f5ae0a93a26 in __GI___assert_fail (assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=0x7f5ae0bef100 <__PRETTY_FUNCTION__.13516> "pop_fail_stack") at assert.c:101
#4  0x00007f5ae0b3be88 in pop_fail_stack (pidx=0x7ffc95a01dec, nregs=4, regs=0x5555ec88eeb0, eps_via_nodes=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1361
#5  pop_fail_stack (pidx=pidx@entry=0x7ffc95a01dec, nregs=nregs@entry=4, regs=regs@entry=0x5555ec88eeb0, eps_via_nodes=eps_via_nodes@entry=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1357
#6  0x00007f5ae0b3e567 in set_regs (preg=preg@entry=0x5555ec887f60, mctx=mctx@entry=0x7ffc95a01f60, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x5555ec88eeb0, fl_backtrack=<optimized out>) at regexec.c:1465
#7  0x00007f5ae0b40b5a in re_search_internal (preg=preg@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=<optimized out>, start@entry=0, last_start=<optimized out>, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x5555ec88eeb0, eflags=0) at regexec.c:861
#8  0x00007f5ae0b454e9 in re_search_stub (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, stop=stop@entry=8, regs=0x5555ec70c300 <regs>, ret_len=false) at regexec.c:424
#9  0x00007f5ae0b45e14 in __re_search (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x5555ec70c300 <regs>) at regexec.c:289
#10 0x00005555ec6f84d2 in match_regex (regex=0x5555ec887f60, buf=0x5555ec887f20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x5555ec70c300 <regs>, regsize=1) at sed/regexp.c:418
#11 0x00005555ec6f6d2e in do_subst (sub=0x5555ec8858c0) at sed/execute.c:1022
#12 execute_program (vec=vec@entry=0x5555ec885890, input=input@entry=0x7ffc95a03260) at sed/execute.c:1509
#13 0x00005555ec6f7cab in process_files (the_program=0x5555ec885890, argv=<optimized out>) at sed/execute.c:1679
#14 0x00005555ec6f2a54 in main (argc=3, argv=0x7ffc95a03478) at sed/sed.c:401

Using sed from git (master branch 36e24f199f32) also dumps a core:

> echo "foo\nbar" | .../sed/sed/sed -f sed_min_result
Segmentation fault (core dumped)
> echo "foo" | .../sed/sed/sed -f sed_min_result
> .../sed/sed/sed --version
.../sed/sed/sed (GNU sed) 4.8.4-36e2-dirty
...

This time it is not an assert, but "pop_fail_stack" is also involved:

Backtrace using gdb:

#0  __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1  0x00000000004ae823 in memcpy (__len=64, __src=<optimized out>, __dest=0x2457a00) at /usr/include/bits/string_fortified.h:34
#2  pop_fail_stack (fs=<optimized out>, fs=<optimized out>, eps_via_nodes=0x7ffe4409d0f0, regs=0x2457a00, nregs=<optimized out>, pidx=<synthetic pointer>) at lib/regexec.c:1351
#3  set_regs (preg=preg@entry=0x244cf60, mctx=mctx@entry=0x7ffe4409d290, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x2457a00, fl_backtrack=<optimized out>) at lib/regexec.c:1451
#4  0x00000000004d585d in re_search_internal (preg=preg@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=<optimized out>, start@entry=0, last_start=<optimized out>, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x2457a00, eflags=0) at lib/regexec.c:849
#5  0x00000000004f1886 in re_search_stub (ret_len=false, regs=0x502700 <regs>, stop=4, range=-5252860, start=<optimized out>, length=4, string=0x4 <error: Cannot access memory at address 0x4>, bufp=0x244cf60) at lib/regexec.c:425
#6  rpl_re_search (bufp=bufp@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x502700 <regs>) at lib/regexec.c:289
#7  0x0000000000431bc0 in match_regex (regex=0x244cf60, buf=0x244cf20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x502700 <regs>, regsize=1) at sed/regexp.c:358
#8  0x000000000042508e in do_subst (sub=0x244a8c0) at sed/execute.c:1015
#9  execute_program (vec=vec@entry=0x244a890, input=input@entry=0x7ffe4409e5c0) at sed/execute.c:1543
#10 0x000000000042e8ed in process_files (the_program=0x244a890, argv=<optimized out>) at sed/execute.c:1680
#11 0x000000000040417b in main (argc=3, argv=0x7ffe4409e7e8) at sed/sed.c:399

Cheers,
Raimar

-- 
email: i-gnu-org <at> rf.risimo.net
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." -- David Palmer (palmer <at> tybalt.caltech.edu)
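The reproducer from the report, wrapped as a small check script that a packager or maintainer can run against an installed or freshly built sed to see whether that build is affected. This is an added example and not part of the report or of GNU sed: it assumes a sed binary on PATH (or one passed as the first argument), uses coreutils timeout only if it is present, and the script name check_sed_41773.sh is hypothetical. The sed script and input line are taken verbatim from the report.

```shell
#!/bin/sh
# Regression check for the crash in this report. Added example, not part of the
# bug report or of GNU sed: it writes the sed script from the report verbatim to
# a temp file, feeds it the same input, and classifies how sed exited.
# Assumptions: a 'sed' binary on PATH (or one passed as $1); coreutils 'timeout'
# is used only if present, to bound a regex that might backtrack for a long time.

SED_SCRIPT='/0*\(\|\|.\)\+\(\(\)\)\1/s000'   # verbatim from the report

# Map a shell exit status to a verdict. 0..127 means sed exited on its own
# (0 = ok); 128+N means it was killed by signal N, which is what the report's
# "Aborted" (SIGABRT, 6) and "Segmentation fault" (SIGSEGV, 11) look like here.
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "ok"
    elif [ "$st" -eq 124 ]; then
        echo "timed out (exit 124 from timeout)"
    elif [ "$st" -ge 128 ]; then
        sig=$((st - 128))
        case $sig in
            6)  echo "crashed (SIGABRT, signal 6: assertion failure)" ;;
            11) echo "crashed (SIGSEGV, signal 11)" ;;
            *)  echo "crashed (signal $sig)" ;;
        esac
    else
        echo "exited $st without crashing"
    fi
}

# Run the reproducer against a sed binary (default: the one on PATH) and print
# the verdict. Always returns 0 so the caller reads the verdict, not the status.
run_repro() {
    sedbin=${1:-sed}
    command -v "$sedbin" >/dev/null 2>&1 || { echo "sed-not-found"; return 0; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SED_SCRIPT" > "$tmp"
    status=0
    # The report's bash echo does not expand \n, so the input line is the
    # 8-byte literal foo\nbar (the backtrace shows "foo\\nbar", length=8).
    if command -v timeout >/dev/null 2>&1; then
        printf '%s\n' 'foo\nbar' | timeout 10 "$sedbin" -f "$tmp" >/dev/null 2>&1 || status=$?
    else
        printf '%s\n' 'foo\nbar' | "$sedbin" -f "$tmp" >/dev/null 2>&1 || status=$?
    fi
    rm -f "$tmp"
    classify_status "$status"
}

# Usage: sh check_sed_41773.sh            # check the sed on PATH
#        sh check_sed_41773.sh ./sed/sed  # check a freshly built tree
run_repro "$@"
```

A verdict of "crashed (SIGABRT ...)" matches the assertion failure the report shows for sed 4.5, "crashed (SIGSEGV ...)" matches the git-master behaviour, and "ok" means the build under test does not reproduce the crash on this input. Exit statuses above 128 are read as 128 plus the signal number, which is how POSIX shells report a child killed by a signal.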
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.