GNU bug report logs - #32082
heap buffer overflow in sed/execute.c, line 992

Previous Next

Package: sed;

Reported by: bugs <at> feusi.co

Date: Sat, 7 Jul 2018 14:01:03 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Assaf Gordon <assafgordon <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#32082: closed (heap buffer overflow in sed/execute.c, line 992)
Date: Wed, 11 Jul 2018 06:53:02 +0000

[Message part 1 (text/plain, inline)]
Your message dated Wed, 11 Jul 2018 00:51:57 -0600
with message-id <fe01babf-2fc8-8965-e264-03a5aab6d1ec <at> gmail.com>
and subject line Re: bug#32082: heap buffer overflow in sed/execute.c, line 992
has caused the debbugs.gnu.org bug report #32082,
regarding heap buffer overflow in sed/execute.c, line 992
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
32082: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32082
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: bugs <at> feusi.co
To: bug-sed <at> gnu.org
Subject: heap buffer overflow in sed/execute.c, line 992
Date: Sat, 7 Jul 2018 13:01:14 +0200

[Message part 3 (text/plain, inline)]
Hi,
I am working on a project in which I use the afl fuzzer to fuzz
different open-source software. In doing so, I discovered a
heap buffer overflow in sed/execute.c, line 992. Following is a
detailed backtrace:

=================================================================
==18674==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fb8 at pc 0x55d4f61c3909 bp 0x7ffc4fa90580 sp 0x7ffc4fa90578
READ of size 8 at 0x602000000fb8 thread T0
    #0 0x55d4f61c3908 in append_replacement sed/execute.c:992
    #1 0x55d4f61c3908 in do_subst sed/execute.c:1071
    #2 0x55d4f61c3908 in execute_program sed/execute.c:1507
    #3 0x55d4f61c516a in process_files sed/execute.c:1677
    #4 0x55d4f619c649 in main sed/sed.c:377
    #5 0x7f15904d2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #6 0x55d4f619d119 in _start (/home/jefeus/sed/sed/sed+0xc119)

Address 0x602000000fb8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow sed/execute.c:992 in append_replacement
Shadow bytes around the buggy address:
  0x0c047fff81a0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa fd fd
  0x0c047fff81b0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
  0x0c047fff81c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff81d0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fa
  0x0c047fff81e0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 fa
=>0x0c047fff81f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18674==ABORTING

To reproduce this bug run sed with:
sed -f <script-file> <input-file>
Where <script-file> and <input-file> are the two files attached.
These files demonstrate how this bug can be used to print undefined
memory. By replacing the first line in <input-file> with a long string
of "A"s, a segmentation fault can be produced.

I was able to reproduce this bug with the current git version, the
debian version and on arch linux.

cheers,
project-repo

[script-file (text/plain, attachment)]
[input-file (application/octet-stream, attachment)]
[Message part 6 (message/rfc822, inline)]
From: Assaf Gordon <assafgordon <at> gmail.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: bugs <at> feusi.co, 32082-done <at> debbugs.gnu.org
Subject: Re: bug#32082: heap buffer overflow in sed/execute.c, line 992
Date: Wed, 11 Jul 2018 00:51:57 -0600

tags 32082 fixed
stop

>> On Sat, Jul 7, 2018 at 9:28 PM, Assaf Gordon <assafgordon <at> gmail.com>  >> wrote:>>> On 07/07/18 05:01 AM, bugs <at> feusi.co wrote:>>>>>>>> I am 
working on a project in which I use the afl fuzzer to fuzz>>>> different 
open-source software. In doing so, I discovered a>>>> heap buffer 
overflow in sed/execute.c, line 992.>>> Attached is a suggested fix.

pushed here:
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=c52a676e
This bug report was last modified 6 years and 318 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.