emacs-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#31935: closed (2 crashes in diffutills commit vers

From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#31935: closed (2 crashes in diffutills commit version 576645c)
Date: Sat, 29 Dec 2018 07:16:02 +0000 
Your message dated Fri, 28 Dec 2018 23:15:33 -0800
with message-id <address@hidden>
and subject line Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes 
in diffutills commit version 576645c
has caused the debbugs.gnu.org bug report #31935,
regarding 2 crashes in diffutills commit version 576645c
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
31935: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31935
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message --- Subject: 2 crashes in diffutills commit version 576645c Date: Fri, 22 Jun 2018 14:49:47 +0800
Hello,

    We found with our fuzzer 2 crashes on diffutils version 576645c: one is a heap-buffer-overflow at util.c:1249, another is an invalid read resulting from `output_1_line' at util.c:1274.
    The executing command is: `./diff -a --strip-trailing-cr $file add.wasm` where $file is the poc file (I attached them as  *.input.txt); "add.wasm" is also attached however it seems that content of the comparison file is not important.

    The Address Sanitizer outputs (attached as "*.err.SIG06") are:

    =================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
    #0 0x551089 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
    #1 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #2 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #3 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #4 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #6 0x7f7a0e14fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

0x6210000000ff is located 1 bytes to the left of 4096-byte region [0x621000000100,0x621000001100)
allocated by thread T0 here:
    #0 0x4d2d60 in malloc (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
    #1 0x583120 in xmalloc /home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
  0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8310==ABORTING

and:

ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc 0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
    #0 0x7f367ca57c3f  /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x7f367c954993 in _IO_file_xsputn /build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
    #2 0x7f367c95351f in fwrite_unlocked /build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
    #3 0x551dc4 in output_1_line /home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
    #4 0x550d24 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
    #5 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #6 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #7 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #8 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #10 0x7f367c8eab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
==8313==ABORTING

glibc version is 2.27 and it's a Ubuntu 18.04 LTS (Linux C10 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux) machine.


Best Regards,
Hongxu

Attachment: hbo_util.c:1249_1.input.txt
Description: Text document

Attachment: hbo_util.c:1249_2.input.txt
Description: Text document

Attachment: hbo_util.c:1249_2.err.SIG06
Description: Binary data

Attachment: hbo_util.c:1249_1.err.SIG06
Description: Binary data

Attachment: read_util.c:1274:28_1.err.SIG06
Description: Binary data

Attachment: read_util.c:1274:28_1.input.txt
Description: Text document

Attachment: read_util.c:1274:28_2.err.SIG06
Description: Binary data

Attachment: read_util.c:1274:28_2.input.txt
Description: Text document

Attachment: add.wasm
Description: Binary data


--- End Message ---
--- Begin Message --- Subject: Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in diffutills commit version 576645c Date: Fri, 28 Dec 2018 23:15:33 -0800 
On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <address@hidden> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <address@hidden> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This 
> > patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from 
> > some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.

I noticed that the new test would fail when built with ASAN, so will push this:

Attachment: umr-test-vs-asan.diff
Description: Binary data


--- End Message ---
reply via email to
[Prev in Thread] Current Thread [Next in Thread]