GNU bug report logs - #31935
2 crashes in diffutills commit version 576645c


Package: diffutils;

Reported by: Hongxu Chen <leftcopy.chx <at> gmail.com>

Date: Fri, 22 Jun 2018 14:35:01 UTC

Severity: normal

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Jim Meyering <jim <at> meyering.net>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#31935: closed (2 crashes in diffutills commit version 576645c)
Date: Sat, 29 Dec 2018 07:16:02 +0000
Your message dated Fri, 28 Dec 2018 23:15:33 -0800
with message-id <CA+8g5KEkm6JoECh4wKri+jrQ+Ed3oWy=CKLcAOUnF6LhH_AEVg <at> mail.gmail.com>
and subject line Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in diffutills commit version 576645c
has caused the debbugs.gnu.org bug report #31935,
regarding 2 crashes in diffutills commit version 576645c
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
31935: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31935
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Hongxu Chen <leftcopy.chx <at> gmail.com>
To: bug-diffutils <at> gnu.org
Subject: 2 crashes in diffutills commit version 576645c
Date: Fri, 22 Jun 2018 14:49:47 +0800
Hello,

    We found with our fuzzer 2 crashes in diffutils version 576645c: one is
a heap-buffer-overflow at util.c:1249, the other is an invalid read resulting
from `output_1_line' at util.c:1274.
    The executing command is: `./diff -a --strip-trailing-cr $file
add.wasm`, where $file is the PoC file (attached as *.input.txt);
"add.wasm" is also attached, however it seems that the content of the
comparison file is not important.

    The AddressSanitizer outputs (attached as "*.err.SIG06") are:

    =================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
    #0 0x551089 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
    #1 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #2 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #3 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #4 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #6 0x7f7a0e14fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

0x6210000000ff is located 1 bytes to the left of 4096-byte region [0x621000000100,0x621000001100)
allocated by thread T0 here:
    #0 0x4d2d60 in malloc (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
    #1 0x583120 in xmalloc /home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
  0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8310==ABORTING

and:

ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc 0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
    #0 0x7f367ca57c3f /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x7f367c954993 in _IO_file_xsputn /build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
    #2 0x7f367c95351f in fwrite_unlocked /build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
    #3 0x551dc4 in output_1_line /home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
    #4 0x550d24 in print_1_line_nl /home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
    #5 0x544366 in print_normal_hunk /home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #6 0x550883 in print_script /home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #7 0x51351f in diff_2_files /home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #8 0x5297a7 in compare_files /home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #10 0x7f367c8eab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d709 in _start (/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370

==8313==ABORTING

glibc version is 2.27 and it's an Ubuntu 18.04 LTS (Linux C10 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux) machine.


Best Regards,
Hongxu
[hbo_util.c:1249_1.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.err.SIG06 (application/octet-stream, attachment)]
[hbo_util.c:1249_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.input.txt (text/plain, attachment)]
[read_util.c:1274:28_2.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_2.input.txt (text/plain, attachment)]
[add.wasm (application/octet-stream, attachment)]
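The following is an added illustration, not diffutils' code and not the reporter's PoC, of the pattern Jim Meyering later calls an "unguarded [-1] reference" and of what the two reports above look like when such a reference lands on an empty line. In the first report the faulting address is one byte before the start of a 4096-byte heap region, which is what a `limit[-1]` test produces when the line's start and end both point at the beginning of a freshly allocated buffer; reading the second report as the same arithmetic feeding a wrapped length into `fwrite` is an assumption this thread does not confirm (Paul Eggert notes below that the real bug was elsewhere). The function names, the buffer and the checked writer are constructed for this example.

```c
/* Added illustration of an unguarded limit[-1] read on an empty line.
   NOT diffutils' code: all names and data here are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A "line" is the half-open byte range [base, limit).  Both helpers return
   the number of bytes to emit when a trailing newline is to be dropped. */

/* Unguarded form.  If base == limit (an empty line), limit[-1] reads the
   byte just before the line.  When the line starts at the first byte of a
   heap allocation, that is a read one byte left of the region, the kind of
   access ASan reports as heap-buffer-overflow.  If the stray byte happens
   to be '\n', limit moves before base and the length wraps to SIZE_MAX,
   which a later fwrite would then walk off into unmapped memory. */
static size_t line_len_unguarded(const char *base, const char *limit, int skip_nl)
{
    const char *end = limit - (skip_nl && limit[-1] == '\n');
    return (size_t)(end - base);
}

/* Guarded form: check that the line is non-empty before touching end[-1]. */
static size_t line_len_guarded(const char *base, const char *limit, int skip_nl)
{
    const char *end = limit;
    if (skip_nl && end > base && end[-1] == '\n')
        end--;
    return (size_t)(end - base);
}

/* Constructed buffer: a lone newline followed by a normal line.  Treating
   [demo_buf + 1, demo_buf + 1) as an empty line puts the byte "before" the
   line inside this array, so the unguarded arithmetic can be shown without
   an actual out-of-bounds read. */
static const char demo_buf[] = "\nhello\n";

/* Length the unguarded code computes for the empty line: wraps to SIZE_MAX. */
size_t demo_unguarded_empty_line(void)
{
    const char *base = demo_buf + 1;
    return line_len_unguarded(base, base, 1);
}

/* Length the guarded code computes for the same empty line: 0. */
size_t demo_guarded_empty_line(void)
{
    const char *base = demo_buf + 1;
    return line_len_guarded(base, base, 1);
}

/* Normal line "hello\n": 5 bytes when the newline is skipped, 6 otherwise. */
size_t demo_guarded_normal_line(int skip_nl)
{
    const char *base = demo_buf + 1;
    const char *limit = base + strlen(base);    /* one past the '\n' */
    return line_len_guarded(base, limit, skip_nl);
}

/* Writer that refuses any length the caller's range cannot contain, so a
   miscomputed length cannot become a wild fwrite.  Returns 0 on success
   and -1 on a rejected length or short write. */
int write_line_checked(FILE *out, const char *base, const char *limit, size_t len)
{
    if (limit < base || len > (size_t)(limit - base))
        return -1;
    return fwrite(base, 1, len, out) == len ? 0 : -1;
}

int main(void)
{
    const char *base = demo_buf + 1;
    size_t bad = demo_unguarded_empty_line();

    printf("unguarded empty line length: %zu\n", bad);
    printf("guarded   empty line length: %zu\n", demo_guarded_empty_line());
    printf("guarded   normal line length: %zu\n", demo_guarded_normal_line(1));
    printf("checked write of wrapped length: %d\n",
           write_line_checked(stdout, base, base, bad));
    return 0;
}
```

The guard is the `end > base` test; everything else in the block exists only to make the wrapped length visible without tripping a sanitizer. Note that ASan's "located 1 bytes to the left of ... region" wording is the same whether the read is a deliberate `[-1]` or an off-by-one in a loop, so the line and column it reports (here util.c:1249:44) are what distinguish the two.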
From: Jim Meyering <jim <at> meyering.net>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 31935-done <at> debbugs.gnu.org, Hongxu Chen <leftcopy.chx <at> gmail.com>
Subject: Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in
 diffutills commit version 576645c
Date: Fri, 28 Dec 2018 23:15:33 -0800
On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.

I noticed that the new test would fail when built with ASAN, so will push this:
[umr-test-vs-asan.diff (application/octet-stream, attachment)]



