GNU bug report logs - #41773
Fuzzer created crash

Previous Next

Package: sed;

Reported by: Raimar Falke <i-gnu-org <at> rf.risimo.net>

Date: Tue, 9 Jun 2020 06:16:02 UTC

Severity: normal

To reply to this bug, email your comments to 41773 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-sed <at> gnu.org:
bug#41773; Package sed. (Tue, 09 Jun 2020 06:16:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Raimar Falke <i-gnu-org <at> rf.risimo.net>:
New bug report received and forwarded. Copy sent to bug-sed <at> gnu.org. (Tue, 09 Jun 2020 06:16:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Raimar Falke <i-gnu-org <at> rf.risimo.net>
To: bug-sed <at> gnu.org
Subject: Fuzzer created crash
Date: Tue, 9 Jun 2020 07:31:22 +0200

Hello

I was playing around with https://github.com/google/AFL and found
indeed a crash.

> cat sed_min_result
/0*\(\|\|.\)\+\(\(\)\)\1/s000
> echo "foo\nbar" | sed -f sed_min_result 
sed: regexec.c:1361: pop_fail_stack: Assertion `num >= 0' failed.
Aborted (core dumped)
> echo "foo" | sed -f sed_min_result 

> sed --version
sed (GNU sed) 4.5
...
> 

Backtrace using gdb:
#0  __GI_raise (sig=sig <at> entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5ae0a85895 in __GI_abort () at abort.c:79
#2  0x00007f5ae0a85769 in __assert_fail_base (fmt=0x7f5ae0bece88 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=<optimized out>) at assert.c:92
#3  0x00007f5ae0a93a26 in __GI___assert_fail (assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=0x7f5ae0bef100 <__PRETTY_FUNCTION__.13516> "pop_fail_stack") at assert.c:101
#4  0x00007f5ae0b3be88 in pop_fail_stack (pidx=0x7ffc95a01dec, nregs=4, regs=0x5555ec88eeb0, eps_via_nodes=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1361
#5  pop_fail_stack (pidx=pidx <at> entry=0x7ffc95a01dec, nregs=nregs <at> entry=4, regs=regs <at> entry=0x5555ec88eeb0, eps_via_nodes=eps_via_nodes <at> entry=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1357
#6  0x00007f5ae0b3e567 in set_regs (preg=preg <at> entry=0x5555ec887f60, mctx=mctx <at> entry=0x7ffc95a01f60, nmatch=nmatch <at> entry=4, pmatch=pmatch <at> entry=0x5555ec88eeb0, fl_backtrack=<optimized out>) at regexec.c:1465
#7  0x00007f5ae0b40b5a in re_search_internal (preg=preg <at> entry=0x5555ec887f60, string=string <at> entry=0x5555ec887f20 "foo\\nbar", length=length <at> entry=8, start=<optimized out>, start <at> entry=0, last_start=<optimized out>, last_start <at> entry=8, stop=stop <at> entry=8, 
    nmatch=4, pmatch=0x5555ec88eeb0, eflags=0) at regexec.c:861
#8  0x00007f5ae0b454e9 in re_search_stub (bufp=bufp <at> entry=0x5555ec887f60, string=string <at> entry=0x5555ec887f20 "foo\\nbar", length=length <at> entry=8, start=start <at> entry=0, range=range <at> entry=8, stop=stop <at> entry=8, regs=0x5555ec70c300 <regs>, ret_len=false)
    at regexec.c:424
#9  0x00007f5ae0b45e14 in __re_search (bufp=bufp <at> entry=0x5555ec887f60, string=string <at> entry=0x5555ec887f20 "foo\\nbar", length=length <at> entry=8, start=start <at> entry=0, range=range <at> entry=8, regs=regs <at> entry=0x5555ec70c300 <regs>) at regexec.c:289
#10 0x00005555ec6f84d2 in match_regex (regex=0x5555ec887f60, buf=0x5555ec887f20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset <at> entry=0, regarray=regarray <at> entry=0x5555ec70c300 <regs>, regsize=1) at sed/regexp.c:418
#11 0x00005555ec6f6d2e in do_subst (sub=0x5555ec8858c0) at sed/execute.c:1022
#12 execute_program (vec=vec <at> entry=0x5555ec885890, input=input <at> entry=0x7ffc95a03260) at sed/execute.c:1509
#13 0x00005555ec6f7cab in process_files (the_program=0x5555ec885890, argv=<optimized out>) at sed/execute.c:1679
#14 0x00005555ec6f2a54 in main (argc=3, argv=0x7ffc95a03478) at sed/sed.c:401

Using sed from git (master branch 36e24f199f32) also dumps a core:

> echo "foo\nbar" | .../sed/sed/sed -f sed_min_result 
Segmentation fault (core dumped)
> echo "foo" | .../sed/sed/sed -f sed_min_result 

> .../sed/sed/sed --version
.../sed/sed/sed (GNU sed) 4.8.4-36e2-dirty
...
> 

This time it is not an assert but "pop_fail_stack" is also involved:

Backtrace using gdb:
#0  __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1  0x00000000004ae823 in memcpy (__len=64, __src=<optimized out>, __dest=0x2457a00) at /usr/include/bits/string_fortified.h:34
#2  pop_fail_stack (fs=<optimized out>, fs=<optimized out>, eps_via_nodes=0x7ffe4409d0f0, regs=0x2457a00, nregs=<optimized out>, pidx=<synthetic pointer>) at lib/regexec.c:1351
#3  set_regs (preg=preg <at> entry=0x244cf60, mctx=mctx <at> entry=0x7ffe4409d290, nmatch=nmatch <at> entry=4, pmatch=pmatch <at> entry=0x2457a00, fl_backtrack=<optimized out>) at lib/regexec.c:1451
#4  0x00000000004d585d in re_search_internal (preg=preg <at> entry=0x244cf60, string=string <at> entry=0x244cf20 "foo\\nbar", length=length <at> entry=8, start=<optimized out>, start <at> entry=0, last_start=<optimized out>, last_start <at> entry=8, stop=stop <at> entry=8, nmatch=4, 
    pmatch=0x2457a00, eflags=0) at lib/regexec.c:849
#5  0x00000000004f1886 in re_search_stub (ret_len=false, regs=0x502700 <regs>, stop=4, range=-5252860, start=<optimized out>, length=4, string=0x4 <error: Cannot access memory at address 0x4>, bufp=0x244cf60) at lib/regexec.c:425
#6  rpl_re_search (bufp=bufp <at> entry=0x244cf60, string=string <at> entry=0x244cf20 "foo\\nbar", length=length <at> entry=8, start=start <at> entry=0, range=range <at> entry=8, regs=regs <at> entry=0x502700 <regs>) at lib/regexec.c:289
#7  0x0000000000431bc0 in match_regex (regex=0x244cf60, buf=0x244cf20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset <at> entry=0, regarray=regarray <at> entry=0x502700 <regs>, regsize=1) at sed/regexp.c:358
#8  0x000000000042508e in do_subst (sub=0x244a8c0) at sed/execute.c:1015
#9  execute_program (vec=vec <at> entry=0x244a890, input=input <at> entry=0x7ffe4409e5c0) at sed/execute.c:1543
#10 0x000000000042e8ed in process_files (the_program=0x244a890, argv=<optimized out>) at sed/execute.c:1680
#11 0x000000000040417b in main (argc=3, argv=0x7ffe4409e7e8) at sed/sed.c:399

Cheers,
	Raimar

-- 
 email: i-gnu-org <at> rf.risimo.net
 "Of course, someone who knows more about this will correct me if I'm
  wrong, and someone who knows less will correct me if I'm right."
    -- David Palmer (palmer <at> tybalt.caltech.edu)
This bug report was last modified 3 years and 322 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.