emacs-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#34140: closed (AddressSanitizer reported heap-buff

From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#34140: closed (AddressSanitizer reported heap-buffer-overflow when ignoring case)
Date: Thu, 31 Jan 2019 21:36:02 +0000 
Your message dated Thu, 31 Jan 2019 13:34:53 -0800
with message-id <address@hidden>
and subject line Re: bug#34140: AddressSanitizer reported heap-buffer-overflow 
when ignoring case
has caused the debbugs.gnu.org bug report #34140,
regarding AddressSanitizer reported heap-buffer-overflow when ignoring case
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
34140: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message --- Subject: AddressSanitizer reported heap-buffer-overflow when ignoring case Date: Sun, 20 Jan 2019 13:18:38 +0800
Hi,

    Latest `grep` (git commit 1019e6e) compiled with asan may cause a heap-buffer-overflow when `-i` is specified.

    ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt

=================================================================
==16206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000dd8 at pc 0x0000004b43a6 bp 0x7ffe385a7e50 sp 0x7ffe385a7600
READ of size 6 at 0x602000000dd8 thread T0
    #0 0x4b43a5 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5)
    #1 0x588bfc in proceed_next_node /home/hongxu/FOT/grep-O0/lib/./regexec.c:1296:9
    #2 0x588bfc in set_regs /home/hongxu/FOT/grep-O0/lib/./regexec.c:1453
    #3 0x56ad33 in re_search_internal /home/hongxu/FOT/grep-O0/lib/./regexec.c:864:10
    #4 0x56c11f in re_search_stub /home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12
    #5 0x56c92e in rpl_re_search /home/hongxu/FOT/grep-O0/lib/./regexec.c:289:10
    #6 0x5146f2 in EGexecute /home/hongxu/FOT/grep-O0/src/dfasearch.c:357:19
    #7 0x51c9f7 in grepbuf /home/hongxu/FOT/grep-O0/src/grep.c:1395:29
    #8 0x51ad7f in grep /home/hongxu/FOT/grep-O0/src/grep.c:1526:23
    #9 0x51ad7f in grepdesc /home/hongxu/FOT/grep-O0/src/grep.c:1849
    #10 0x518df9 in main /home/hongxu/FOT/grep-O0/src/grep.c
    #11 0x7f6ab0c75b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41b489 in _start (/home/hongxu/FOT/grep-O0/install/bin/grep+0x41b489)

0x602000000dd8 is located 0 bytes to the right of 8-byte region [0x602000000dd0,0x602000000dd8)
allocated by thread T0 here:
    #0 0x4db7c0 in realloc (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4db7c0)
    #1 0x566ee2 in re_string_allocate /home/hongxu/FOT/grep-O0/lib/./regex_internal.c:168:32
    #2 0x566ee2 in re_search_internal /home/hongxu/FOT/grep-O0/lib/./regexec.c:646
    #3 0x56c11f in re_search_stub /home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5) in __interceptor_memcmp.part.283
Shadow bytes around the buggy address:
  0x0c047fff8160: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8170: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8190: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81a0: fa fa fd fa fa fa 00 06 fa fa fd fa fa fa fd fa
=>0x0c047fff81b0: fa fa fd fd fa fa fd fd fa fa 00[fa]fa fa fd fd
  0x0c047fff81c0: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c047fff81d0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa fd fa
  0x0c047fff81e0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8200: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16206==ABORTING
[1]    16206 abort      ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt


Best Regards,
Hongxu

Attachment: chvt
Description: Binary data


--- End Message ---
--- Begin Message --- Subject: Re: bug#34140: AddressSanitizer reported heap-buffer-overflow when ignoring case Date: Thu, 31 Jan 2019 13:34:53 -0800 User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 
On 1/25/19 4:24 PM, Paul Eggert wrote:

On 1/22/19 11:08 PM, address@hidden wrote:

Do you have an ETA on when the fix will get pushed to GNULIB?
Glibc is scheduled for release on February 1, and I plan to update glibc and Gnulib soon after it's released (which may be a bit later than Feb. 1).
This is done now and the fix is propagated into Gnulib and grep, so I'm marking the grep bug as done. If you're using a glibc version before glibc 2.30 (which will not be out for months) you may need to './configure --with-included-regex' to get the fix.

--- End Message ---
reply via email to
[Prev in Thread] Current Thread [Next in Thread]