* Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
[not found] <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@mail.gmail.com>
@ 2019-01-20 9:15 ` Assaf Gordon
0 siblings, 0 replies; only message in thread
From: Assaf Gordon @ 2019-01-20 9:15 UTC (permalink / raw)
To: Hongxu Chen, 34142, bug-gnulib@gnu.org List
(forwarding to gnulib)
Hello,
Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:
git clone git://git.sv.gnu.org/sed.git
cd sed
./bootstrap && ./configure
make build-asan
echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'
The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:
On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
> #0 0x4b4135 in __interceptor_memcmp.part.283
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
> #1 0x5b274c in proceed_next_node
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
> #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
> #3 0x569a4f in re_search_internal
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
> #4 0x56acd7 in re_search_stub
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
> #5 0x56b061 in rpl_re_search
> /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
> #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
> #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
> #8 0x5233a2 in execute_program
> /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
> #9 0x520cba in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
> #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #11 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
> #12 0x41b219 in _start
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region
> [0x606000000200,0x606000000233)
> allocated by thread T0 here:
> #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
> #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
> #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
> #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
> #4 0x5209ad in process_files
> /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
> #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
> #6 0x7f1dc2297b96 in __libc_start_main
> /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
> __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
> 0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> 0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
> 0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
> 0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==13920==ABORTING
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-01-20 9:15 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CAJPBKOHEQt0GJ2nF0fTZL9Ld4=sGZiUvrejieSgD9taxGT62ww@mail.gmail.com>
2019-01-20 9:15 ` bug#34142: AddressSanitizer reported heap-buffer-overflow Assaf Gordon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).