GNU bug report logs - #22127 Segfault / null pointer access in function str_append_modified()
Reported by: Hanno Böck <hanno <at> hboeck.de>
Date: Thu, 10 Dec 2015 01:02:07 UTC
Severity: normal
Tags: fixed
Done: Assaf Gordon <assafgordon <at> gmail.com>
Bug is archived. No further changes may be made.
Message #8 received at 22127 <at> debbugs.gnu.org (full text, mbox):
On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck <hanno <at> hboeck.de> wrote:
> Hi,
>
> With a malformed input (see attachment) sed can crash in the function
> str_append_modified()
>
> Test:
> echo|./sed -f sed-nullptr-str_append_modified
>
> Seems to be a null pointer access.
> This only seems to happen in the git code of sed and not in 4.2.2.
>
> This is the stack trace from address sanitizer:
> ==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
> #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
> #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
> #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
> #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
> #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
> #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
> #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
> #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
> #8 0x4191a8 in _start (/tmp/sed+0x4191a8)
>
>
> This was found with the help of american fuzzy lop.
Thank you for the report.
I've reduced it to the following one-liner (demonstrating
failure with an ASAN-enabled binary), and have attached
a patch:
$ echo > k; LC_ALL=en_US.utf8 sed/sed $(printf 's/^/\\L\233\375\134\200/') k
=================================================================
==3335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000edb2 at pc 0x000000446933 bp 0x7ffd73a42ee0 sp 0x7ffd73a42690
WRITE of size 6 at 0x60600000edb2 thread T0
#0 0x446932 in __interceptor_wcrtomb ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
#1 0x4dc393 in str_append_modified /home/j/w/co/sed/sed/execute.c:273
#2 0x4e08e2 in append_replacement /home/j/w/co/sed/sed/execute.c:992
#3 0x4e1272 in do_subst /home/j/w/co/sed/sed/execute.c:1078
#4 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
#5 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
#6 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
#7 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
#8 0x406d18 in _start (/home/j/w/co/sed/sed/sed+0x406d18)
0x60600000edb2 is located 0 bytes to the right of 50-byte region [0x60600000ed80,0x60600000edb2)
allocated by thread T0 here:
#0 0x4a2050 in __interceptor_calloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:54
#1 0x4e59d3 in ck_malloc /home/j/w/co/sed/sed/utils.c:398
#2 0x4dc4e9 in line_init /home/j/w/co/sed/sed/execute.c:288
#3 0x4dc75f in line_reset /home/j/w/co/sed/sed/execute.c:306
#4 0x4e0d37 in do_subst /home/j/w/co/sed/sed/execute.c:1023
#5 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
#6 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
#7 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
#8 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751 in __interceptor_wcrtomb
Shadow bytes around the buggy address:
0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9db0: 00 00 00 00 00 00[02]fa fa fa fa fa 00 00 00 00
0x0c0c7fff9dc0: 00 00 02 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
0x0c0c7fff9df0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[0001-sed-fix-a-heap-clobbering-buffer-overrun.patch (text/x-patch, attachment)]
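To make the bug class in the sanitizer report above concrete, here is a constructed C example that is not sed's code and not the attached patch: an append routine that hands wcrtomb() the tail of a byte buffer with no room check (the shape of the WRITE-of-size-6-past-a-50-byte-region the trace shows), beside a length-checked version that converts into a scratch buffer first. The struct, function names, buffer sizes and harness are assumptions made for the demo.

```c
/* Constructed illustration of the bug class behind this report (not sed's
 * code, not the attached patch): appending a converted wide character with
 * wcrtomb() without first checking for room for up to MB_CUR_MAX bytes. */
#include <limits.h>
#include <string.h>
#include <wchar.h>
struct line { char *buf; size_t len; size_t cap; };  /* assumed layout */

/* Unchecked append: wcrtomb() writes up to MB_CUR_MAX bytes at buf+len, so a
 * character that needs more bytes than remain runs past the end of the
 * region (a heap overflow when buf is malloc'd). */
static int append_wc_unchecked(struct line *l, wchar_t wc) {
    mbstate_t st = { 0 };
    size_t n = wcrtomb(l->buf + l->len, wc, &st);
    if (n == (size_t)-1) return -1;
    l->len += n;
    return (int)n;
}

/* Checked append: convert into an MB_LEN_MAX scratch buffer, copy only if it
 * fits. Returns bytes appended, or -1 on an unconvertible character or no
 * room (the caller must then grow the buffer before retrying). */
static int append_wc_checked(struct line *l, wchar_t wc) {
    char tmp[MB_LEN_MAX];
    mbstate_t st = { 0 };
    size_t n = wcrtomb(tmp, wc, &st);
    if (n == (size_t)-1 || l->cap - l->len < n) return -1;
    memcpy(l->buf + l->len, tmp, n);
    l->len += n;
    return (int)n;
}
/* Harness: a 16-byte array stands in for the heap; the logical region is 3
 * bytes ("ab" plus one free byte). Returns 1 if the checked append takes the
 * byte that fits and refuses the one that would cross the region end. */
int demo_checked_refuses(void) {
    char backing[16] = "ab";
    struct line l = { backing, 2, 3 };
    if (append_wc_checked(&l, L'c') != 1 || l.len != 3) return 0;
    return append_wc_checked(&l, L'd') == -1 && l.len == 3;
}

/* Same setup, unchecked: len ends past cap, so the last write landed outside
 * the region (harmless here only because the backing array is oversized). */
int demo_unchecked_overruns(void) {
    char backing[16] = "ab";
    struct line l = { backing, 2, 3 };
    append_wc_unchecked(&l, L'c');
    append_wc_unchecked(&l, L'd');
    return l.len > l.cap;
}
```

Run under a multibyte locale (as in the one-liner above) the unchecked version can overrun by several bytes at once, since a single case-converted character may encode to more bytes than the character it replaces.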
This bug report was last modified 8 years and 100 days ago.