From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#31935: closed (2 crashes in diffutills commit version 576645c)
Date: Sat, 29 Dec 2018 07:16:02 +0000
Your message dated Fri, 28 Dec 2018 23:15:33 -0800 with message-id <address@hidden> and subject line
"Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in diffutills commit version 576645c"
has caused the debbugs.gnu.org bug report #31935, regarding "2 crashes in diffutills commit version 576645c", to be marked as done.

(If you believe you have received this mail in error, please contact address@hidden)

--
31935: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31935
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: 2 crashes in diffutills commit version 576645c
Date: Fri, 22 Jun 2018 14:49:47 +0800

Hello,

We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.

The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as *.input.txt); "add.wasm" is also attached, however it seems that the content of the comparison file is not important.

The Address Sanitizer outputs (attached as "*.err.SIG06") are:

=================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
#0 0x551089 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
#1 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
#2 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
#3 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
#4 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
#5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
#6 0x7f7a0e14fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)
0x6210000000ff is located 1 bytes to the left of 4096-byte region [0x621000000100,0x621000001100)
allocated by thread T0 here:
#0 0x4d2d60 in malloc (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
#1 0x583120 in xmalloc /home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8310==ABORTING

and:

ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc 0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
#0 0x7f367ca57c3f /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
#1 0x7f367c954993 in _IO_file_xsputn /build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
#2 0x7f367c95351f in fwrite_unlocked /build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
#3 0x551dc4 in output_1_line /home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
#4 0x550d24 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
#5 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
#6 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
#7 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
#8 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
#9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
#10 0x7f367c8eab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
==8313==ABORTING

glibc version is 2.27 and it's an Ubuntu 18.04 LTS (Linux C10 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux) machine.

Best Regards,
Hongxu

Attachments:
hbo_util.c:1249_1.input.txt (Text document)
hbo_util.c:1249_2.input.txt (Text document)
hbo_util.c:1249_2.err.SIG06 (Binary data)
hbo_util.c:1249_1.err.SIG06 (Binary data)
read_util.c:1274:28_1.err.SIG06 (Binary data)
read_util.c:1274:28_1.input.txt (Text document)
read_util.c:1274:28_2.err.SIG06 (Binary data)
read_util.c:1274:28_2.input.txt (Text document)
add.wasm (Binary data)
--- End Message ---
--- Begin Message ---
Subject: Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in diffutills commit version 576645c
Date: Fri, 28 Dec 2018 23:15:33 -0800

On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <address@hidden> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <address@hidden> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.

I noticed that the new test would fail when built with ASAN, so will push this:

Attachment: umr-test-vs-asan.diff (Binary data)
--- End Message ---
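The first ASan report above (a READ of size 1 located 1 byte to the left of a 4096-byte heap region, shadow byte fa = heap left redzone) is the signature of an unguarded negative index such as the `[-1]` references Jim mentions: code that inspects the last byte of a line without first checking that the line has any bytes. The C program below is an added illustration of that pattern beside a guarded version; it is constructed for this page, not diffutils' code or its fix (the thread says the real bug was elsewhere), and every function name in it is hypothetical.

```c
/* Constructed example, not diffutils code; function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy form: assumes every line has at least one byte.  For an empty line
 * (len == 0) the index wraps and this reads text[-1], the byte just before
 * the buffer.  When the line starts a heap block, ASan reports the shape seen
 * above: READ of size 1, "1 bytes to the left" of the region, shadow byte fa. */
bool ends_with_newline_unsafe(const char *text, size_t len)
{
    return text[len - 1] == '\n';
}

/* Guarded form: check the length before touching the last byte. */
bool ends_with_newline_guarded(const char *text, size_t len)
{
    return len > 0 && text[len - 1] == '\n';
}

/* Copy a line of `len` bytes into `out` (capacity `cap`), appending '\n' if the
 * line lacks one.  Returns bytes written, or 0 if it would not fit.  An empty
 * line yields a lone '\n' rather than an out-of-bounds read. */
size_t copy_line_with_nl(const char *text, size_t len, char *out, size_t cap)
{
    bool has_nl = ends_with_newline_guarded(text, len);
    size_t need = len + (has_nl ? 0 : 1);
    if (need > cap)
        return 0;
    memcpy(out, text, len);
    if (!has_nl)
        out[len] = '\n';
    return need;
}

int main(void)
{
    /* Constructed input: a 4096-byte heap block (the region size in the report)
     * whose first line is empty; swap in the unsafe check under ASan to see the redzone read. */
    char *block = malloc(4096);
    if (!block) return 1;
    memset(block, 'x', 4096);
    char out[8] = {0};
    size_t n = copy_line_with_nl(block, 0, out, sizeof out);
    printf("empty line -> %zu byte(s) written, first byte is newline: %d\n", n, out[0] == '\n');
    free(block);
    return 0;
}
```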