From: Assaf Gordon
Subject: Re: bug#34142: AddressSanitizer reported heap-buffer-overflow
To: Hongxu Chen, 34142@debbugs.gnu.org, bug-gnulib@gnu.org
Message-ID: <33466703-d85e-400d-3f19-f2ece6d9c32a@gmail.com>
Date: Sun, 20 Jan 2019 02:15:08 -0700
List-Id: Gnulib discussion list

(forwarding to gnulib)

Hello,

Hongxu Chen reported a heap-buffer-overflow in gnulib's regexec code.
It can be reproduced with current sed using:

git clone git://git.sv.gnu.org/sed.git
cd sed
./bootstrap && ./configure
make build-asan
echo 00000000000000000000000000 | ./sed/sed -E -e 's/(.*)*\1//'

The above 'sed' invocation is a simplified variation of Hongxu's report.
Details below:

On 2019-01-19 11:09 p.m., Hongxu Chen wrote:
>
> =================================================================
> ==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
> READ of size 26 at 0x606000000233 thread T0
>     #0 0x4b4135 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
>     #1 0x5b274c in proceed_next_node /home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
>     #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
>     #3 0x569a4f in re_search_internal /home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
>     #4 0x56acd7 in re_search_stub /home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
>     #5 0x56b061 in rpl_re_search /home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
>     #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
>     #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
>     #8 0x5233a2 in execute_program /home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
>     #9 0x520cba in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
>     #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #11 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>     #12 0x41b219 in _start (/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)
>
> 0x606000000233 is located 0 bytes to the right of 51-byte region [0x606000000200,0x606000000233)
> allocated by thread T0 here:
>     #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
>     #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
>     #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
>     #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
>     #4 0x5209ad in process_files /home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
>     #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
>     #6 0x7f1dc2297b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in __interceptor_memcmp.part.283
> Shadow bytes around the buggy address:
>   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
>   0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
>   0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> =>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
>   0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==13920==ABORTING
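An added illustration of the bug class the trace points at, not part of this report and not gnulib's code: frame #0 is a memcmp() issued while matching a back-reference, reading 26 bytes (the length of the input line) starting exactly at the end of the 51-byte line buffer. The model below is a simplified, hypothetical back-reference check; the names backref_check and demo_report_scenario, the enum, and the sample strings are all constructed for this example. It shows the bounds test that keeps the comparison of the captured text against the input inside the buffer, and replays the shape of the reported case (whole line captured, back-reference attempted at end of line) to show it being refused instead of read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of testing a back-reference at one input position. */
enum backref_result { BACKREF_MATCH, BACKREF_MISMATCH, BACKREF_OUT_OF_BOUNDS };

/*
 * Hypothetical, simplified model (NOT gnulib's proceed_next_node): the
 * engine has captured a group as input[cap_start, cap_start + cap_len)
 * and must decide whether the same bytes occur at input[pos, pos + cap_len).
 * The memcmp() is only safe when both ranges lie inside the input; a
 * caller that lets pos + cap_len run past input_len reads beyond the line
 * buffer, which is what AddressSanitizer reports as heap-buffer-overflow.
 */
enum backref_result
backref_check(const char *input, size_t input_len,
              size_t pos, size_t cap_start, size_t cap_len)
{
    /* Written as subtractions so the bounds test cannot itself overflow. */
    if (cap_start > input_len || cap_len > input_len - cap_start)
        return BACKREF_OUT_OF_BOUNDS;
    if (pos > input_len || cap_len > input_len - pos)
        return BACKREF_OUT_OF_BOUNDS;

    /* Both ranges are inside [0, input_len): the comparison is in bounds. */
    return memcmp(input + pos, input + cap_start, cap_len) == 0
           ? BACKREF_MATCH : BACKREF_MISMATCH;
}

/*
 * Replays the shape of the reported case with constructed data: a line of
 * 26 '0' bytes (the length of the sed input above), a group that captured
 * the entire line, and a back-reference attempted at the end of the line.
 * An unchecked 26-byte memcmp() from there would read 26 bytes past the
 * text, so the checked version must refuse rather than compare.
 */
enum backref_result demo_report_scenario(void)
{
    /* Constructed sample: 10 + 10 + 6 = 26 zero characters. */
    static const char line[] = "0000000000" "0000000000" "000000";
    size_t len = sizeof line - 1;
    return backref_check(line, len, /*pos=*/len, /*cap_start=*/0, /*cap_len=*/len);
}

int main(void)
{
    static const char *names[] = { "match", "mismatch", "out of bounds" };

    /* Ordinary in-bounds back-reference, e.g. "abcabc" against (abc)\1. */
    printf("abcabc: %s\n", names[backref_check("abcabc", 6, 3, 0, 3)]);
    printf("abcabd: %s\n", names[backref_check("abcabd", 6, 3, 0, 3)]);
    /* The reported shape: refused instead of reading past the buffer. */
    printf("report scenario: %s\n", names[demo_report_scenario()]);
    return 0;
}
```

Compiled with -fsanitize=address, the checked version stays silent on the replayed scenario; the same call made without the two range tests is the pattern ASan catches in the trace above.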