bug-gnulib
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bug#34142: AddressSanitizer reported heap-buffer-overflow


From: Assaf Gordon
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
Date: Sun, 20 Jan 2019 02:15:08 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.

It can be reproduced with current sed using:

     git clone git://git.sv.gnu.org/sed.git
     cd sed
     ./bootstrap && ./configure
     make build-asan

     echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.

Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:

    =================================================================
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
     #0 0x4b4135 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
     #1 0x5b274c in proceed_next_node
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
     #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
     #3 0x569a4f in re_search_internal
/home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
     #4 0x56acd7 in re_search_stub
/home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
     #5 0x56b061 in rpl_re_search
/home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
     #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
     #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
     #8 0x5233a2 in execute_program
/home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
     #9 0x520cba in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
     #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
     #11 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
     #12 0x41b219 in _start
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)

0x606000000233 is located 0 bytes to the right of 51-byte region
[0x606000000200,0x606000000233)
allocated by thread T0 here:
     #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
     #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
     #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
     #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
     #4 0x5209ad in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
     #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
     #6 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
   0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
   0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
   0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
   0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
   0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
   0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
   0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
   0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
==13920==ABORTING




reply via email to

[Prev in Thread] Current Thread [Next in Thread]