Re: [bug-gawk] out of bounds heap read in yyerror
From: Hanno Böck
Subject: Re: [bug-gawk] out of bounds heap read in yyerror
Date: Sun, 25 Oct 2015 09:03:36 +0100
Hi,
On Sun, 11 Oct 2015 20:53:11 +0300
Aharon Robbins <address@hidden> wrote:
> Thanks for the report. Here is the fix, which I have committed
> and pushed.
Thanks for the fix.
However, using the latest git head code with the fix, the same input file
will trigger another bug, and it seems even more severe: a strcpy
writing several bytes out of bounds.
Here's the Address Sanitizer trace:
==16734==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000dd35 at pc 0x00000045b998 bp 0x7fff5e029190 sp 0x7fff5e028940
WRITE of size 36 at 0x60400000dd35 thread T0
#0 0x45b997 in __interceptor_strcpy (/tmp/gawk/gawk+0x45b997)
#1 0x51fef3 in strcpy /usr/include/bits/string3.h:110:10
#2 0x51fef3 in yyerror /tmp/gawk/awkgram.y:2333
#3 0x4f9f0b in yyparse /tmp/gawk/awkgram.c:4223:7
#4 0x52b9c6 in parse_program /tmp/gawk/awkgram.y:2502:8
#5 0x661e4d in main /tmp/gawk/main.c:445:6
#6 0x7f6fffe4262f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
#7 0x422578 in _start (/tmp/gawk/gawk+0x422578)
0x60400000dd35 is located 0 bytes to the right of 37-byte region
[0x60400000dd10,0x60400000dd35)
allocated by thread T0 here:
#0 0x4bdc18 in malloc (/tmp/gawk/gawk+0x4bdc18)
#1 0x5212c7 in emalloc_real /tmp/gawk/./awk.h:1820:17
#2 0x4f9f0b in yyparse /tmp/gawk/awkgram.c:4223:7
#3 0x52b9c6 in parse_program /tmp/gawk/awkgram.y:2502:8
#4 0x7f6fffe4262f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/gawk/gawk+0x45b997) in __interceptor_strcpy
Shadow bytes around the buggy address:
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9ba0: fa fa 00 00 00 00[05]fa fa fa fd fd fd fd fd fd
0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
0x0c087fff9bc0: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 05 fa
0x0c087fff9bd0: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 05 fa
0x0c087fff9be0: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 01
0x0c087fff9bf0: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16734==ABORTING
--
Hanno Böck
http://hboeck.de/
mail/jabber: address@hidden
GPG: BBB51E42
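Added example, not part of Hanno's message and not gawk's own code. The trace above says the 36-byte strcpy started 0 bytes to the right of a 37-byte heap region, i.e. the destination pointer had already reached the end of the buffer before the copy began, so the buffer's size and the pieces written into it had gone out of step. The C below shows the defensive shape an error reporter that assembles its message from several pieces can use instead: a buffer that carries its own capacity and refuses any piece that would not fit, plus a helper that computes, from region size, write offset and write length, how far an unchecked copy would run past the end (with the report's numbers it gives the 36 bytes ASan flagged). The struct and function names, the message prefix, the source line and the caret line are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked message buffer (hypothetical helper, not gawk's): cap counts
 * the allocated bytes including the terminating NUL, len the bytes in use. */
struct msgbuf {
    char  *data;
    size_t cap;
    size_t len;
};

int msgbuf_init(struct msgbuf *m, size_t cap)
{
    if (cap == 0)
        return -1;
    m->data = malloc(cap);
    if (m->data == NULL)
        return -1;
    m->data[0] = '\0';
    m->cap = cap;
    m->len = 0;
    return 0;
}

/* Append s, NUL included, only if it fits. Returns 0 on success and -1, with
 * the buffer untouched, when the copy would run past the end. This is the
 * check a bare strcpy(bp, s) does not make. */
int msgbuf_append(struct msgbuf *m, const char *s)
{
    size_t n = strlen(s);
    if (n > m->cap - 1 - m->len)   /* len <= cap - 1 always holds, no underflow */
        return -1;
    memcpy(m->data + m->len, s, n + 1);
    m->len += n;
    return 0;
}

void msgbuf_free(struct msgbuf *m)
{
    free(m->data);
    m->data = NULL;
    m->cap = m->len = 0;
}

/* Bytes an unchecked copy of write_len bytes, starting offset bytes into a
 * region of region_size bytes, would write past its end (0 if it fits).
 * For the report's numbers, region 37, offset 37, write 36, this is 36. */
size_t overrun_bytes(size_t region_size, size_t offset, size_t write_len)
{
    size_t end = offset + write_len;
    return end > region_size ? end - region_size : 0;
}

/* Assemble a parser error message from pieces (prefix, offending source line,
 * caret line) through msgbuf_append. Returns 0 if every piece fit, otherwise
 * the 1-based index of the first piece that did not; earlier pieces stay. */
int build_error_message(struct msgbuf *m, const char *prefix,
                        const char *srcline, const char *caret)
{
    const char *pieces[] = { prefix, srcline, "\n", caret, "\n" };
    size_t npieces = sizeof pieces / sizeof pieces[0];
    for (size_t i = 0; i < npieces; i++)
        if (msgbuf_append(m, pieces[i]) != 0)
            return (int)(i + 1);
    return 0;
}

int main(void)
{
    struct msgbuf m;
    /* Constructed inputs for the demonstration, not taken from the report. */
    const char *prefix  = "gawk: cmd. line:1: ";
    const char *srcline = "BEGIN { print 1 ";
    const char *caret   = "                ^";

    /* A deliberately undersized buffer: the caret line is refused instead of
     * being written past the end of the allocation. */
    if (msgbuf_init(&m, 40) != 0)
        return 1;
    int rc = build_error_message(&m, prefix, srcline, caret);
    printf("rc=%d len=%zu cap=%zu\n%s", rc, m.len, m.cap, m.data);
    msgbuf_free(&m);

    printf("overrun for the report's numbers: %zu bytes\n",
           overrun_bytes(37, 37, 36));
    return 0;
}
```

The point of routing every piece through one append function is that the capacity arithmetic lives in a single place: when the size computed before the allocation and the pieces written afterwards disagree, the caller gets a failed return instead of a silent write past the region, which is exactly the condition ASan reported here.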