GNU bug report logs -
#29666
Segfault at changing location
Previous Next
Reported by: Jeremy Feusi <jeremy <at> feusi.co>
Date: Mon, 11 Dec 2017 20:50:02 UTC
Severity: normal
Done: Jim Meyering <jim <at> meyering.net>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Sat, 16 Dec 2017 11:43:43 -0800
with message-id <CA+8g5KFg81Ug0n8hu9vJiydjTFT9irdODEgUuJK-YKcPzNh-6g <at> mail.gmail.com>
and subject line Re: bug#29666: Segfault at changing location
has caused the debbugs.gnu.org bug report #29666,
regarding Segfault at changing location
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
29666: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29666
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
Hi,
I am working on a project for school in which I use afl to find bugs in
software and I decided to fuzz grep. In doing so I discovered a
segfault. When using gdb, the location of the segfault varies, which
puzzles me and so I cannot include any further information.
The command to obtain this bug is:
grep -o -E -f <seg-file>
where <seg-file> is the file attached.
I am using grep 3.1 on arch linux.
cheers
Jeremy
[seg-file (application/octet-stream, attachment)]
[Message part 5 (message/rfc822, inline)]
On Tue, Dec 12, 2017 at 9:47 AM, Jim Meyering <jim <at> meyering.net> wrote:
> On Mon, Dec 11, 2017 at 12:44 PM, Jeremy Feusi <jeremy <at> feusi.co> wrote:
...
> Thank you for the report.
>
> This has been an issue since about grep-2.6.1.
> It gave a proper diagnostic until 2.5.4:
>
> $ grep-2.5.4/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
> grep-2.5.4/bin/grep: Unmatched ( or \(
> [Exit 2]
>
> Starting in approximately 2.6.1 (I don't have 2.6.0 handy) it
> would fail like this:
>
> $ grep-2.6.1/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
> Segmentation fault (core dumped)
>
> Using the latest with -P works fine:
>
> $ grep -P -f <(printf %080000d 0|tr 0 '(')
> grep: parentheses are too deeply nested
> [Exit 2]
>
> Here's a nearly-complete patch to make grep diagnose the generic
> "stack overflow" problem:
I found the root cause and filed a glibc bug for that (link below).
Here are the updated commit log and NEWS entry:
grep: diagnose stack overflow rather than segfaulting
* bootstrap.conf (gnulib_modules): Add c-stack.
* src/grep.c: Include "c-stack.h".
(main): Call c_stack_action (NULL);
* tests/stack-overflow: New file.
* tests/Makefile.am (TESTS): Add name of new file.
* NEWS (Improvements): Mention it.
Interestingly, this bug does not afflict grep-2.5.4 or prior,
so it appeared to have been introduced with grep-2.6. However,
the origin is in glibc's regexp compiler, and I tracked it to
stack-aware parsing that was removed from glibc's regexp in 2002.
However, grep-2.5.4 was released in 2009. That version worked
(and still works, now) because it included and (by default) used
an old copy of glibc's regexp code.
Jeremy Feusi reported the grep segfault in https://bugs.gnu.org/29666.
I reported the glibc regexp bug in
https://sourceware.org/bugzilla/show_bug.cgi?id=22620
** Improvements
grep now diagnoses stack overflow. Before grep-2.6, the included
regexp code would detect it. Since 2.6, grep defaulted to using
glibc's regexp, which lost that capability.
Here's the pushed commit:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=51ef8adb2f7eeb073ba98be4f6baf56817e4d358
This bug report was last modified 7 years and 218 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.