GNU bug report logs - #32082: heap buffer overflow in sed/execute.c, line 992
Reported by: bugs <at> feusi.co
Date: Sat, 7 Jul 2018 14:01:03 UTC
Severity: normal
Tags: fixed
Done: Assaf Gordon <assafgordon <at> gmail.com>
Bug is archived. No further changes may be made.
Your bug report
#32082: heap buffer overflow in sed/execute.c, line 992
which was filed against the sed package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 32082 <at> debbugs.gnu.org.
--
32082: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32082
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
tags 32082 fixed
stop
>> On Sat, Jul 7, 2018 at 9:28 PM, Assaf Gordon <assafgordon <at> gmail.com> wrote:
>>> On 07/07/18 05:01 AM, bugs <at> feusi.co wrote:
>>>> I am working on a project in which I use the afl fuzzer to fuzz
>>>> different open-source software. In doing so, I discovered a
>>>> heap buffer overflow in sed/execute.c, line 992.
>>> Attached is a suggested fix.
pushed here:
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=c52a676e
Hi,
I am working on a project in which I use the afl fuzzer to fuzz
different open-source software. In doing so, I discovered a
heap buffer overflow in sed/execute.c, line 992. Following is a
detailed backtrace:
=================================================================
==18674==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fb8 at pc 0x55d4f61c3909 bp 0x7ffc4fa90580 sp 0x7ffc4fa90578
READ of size 8 at 0x602000000fb8 thread T0
#0 0x55d4f61c3908 in append_replacement sed/execute.c:992
#1 0x55d4f61c3908 in do_subst sed/execute.c:1071
#2 0x55d4f61c3908 in execute_program sed/execute.c:1507
#3 0x55d4f61c516a in process_files sed/execute.c:1677
#4 0x55d4f619c649 in main sed/sed.c:377
#5 0x7f15904d2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#6 0x55d4f619d119 in _start (/home/jefeus/sed/sed/sed+0xc119)
Address 0x602000000fb8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow sed/execute.c:992 in append_replacement
Shadow bytes around the buggy address:
0x0c047fff81a0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa fd fd
0x0c047fff81b0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
0x0c047fff81c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff81d0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fa
0x0c047fff81e0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 fa
=>0x0c047fff81f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18674==ABORTING
To reproduce this bug run sed with:
sed -f <script-file> <input-file>
Where <script-file> and <input-file> are the two files attached.
These files demonstrate how this bug can be used to print undefined
memory. By replacing the first line in <input-file> with a long string
of "A"s, a segmentation fault can be produced.
I was able to reproduce this bug with the current git version, the
debian version and on arch linux.
cheers,
project-repo
[script-file (text/plain, attachment)]
[input-file (application/octet-stream, attachment)]
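The report above is typical of what a fuzzing campaign produces in bulk, and the first triage step is to pull the error kind, access type, faulting address and innermost symbolized frame out of the AddressSanitizer text. The following parser is an added example for that step; it is not part of the bug report, of sed, or of the fix linked above. The sample input is constructed from the ASan lines quoted in the report (the shadow-byte dump is omitted because it is not needed for triage); the class names, the `crash_site` heuristic (first frame that carries file:line information) and the `triage_line` wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the head of the AddressSanitizer report quoted in
# the bug report above (shadow-byte dump omitted; it is not needed for triage).
SAMPLE_REPORT = """\
=================================================================
==18674==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fb8 at pc 0x55d4f61c3909 bp 0x7ffc4fa90580 sp 0x7ffc4fa90578
READ of size 8 at 0x602000000fb8 thread T0
    #0 0x55d4f61c3908 in append_replacement sed/execute.c:992
    #1 0x55d4f61c3908 in do_subst sed/execute.c:1071
    #2 0x55d4f61c3908 in execute_program sed/execute.c:1507
    #3 0x55d4f61c516a in process_files sed/execute.c:1677
    #4 0x55d4f619c649 in main sed/sed.c:377
    #5 0x7f15904d2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #6 0x55d4f619d119 in _start (/home/jefeus/sed/sed/sed+0xc119)
Address 0x602000000fb8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow sed/execute.c:992 in append_replacement
==18674==ABORTING
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+) in (\S+) (.+?)\s*$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (.+?)\s*$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file:line" when symbolized, "(module+offset)" otherwise

    @property
    def has_source(self) -> bool:
        # ASan prints unsymbolized frames as "(module+0xoffset)"
        return not self.location.startswith("(")


@dataclass
class AsanReport:
    pid: int
    error_kind: str
    address: int
    access: Optional[str] = None       # READ or WRITE
    access_size: Optional[int] = None  # bytes
    wild_pointer: bool = False
    frames: List[Frame] = field(default_factory=list)
    summary: str = ""

    def crash_site(self) -> Optional[Frame]:
        """Innermost frame with source information (skips libc/loader frames)."""
        return next((f for f in self.frames if f.has_source), None)

    def inlined_frames(self) -> List[Frame]:
        """Frames that share the pc of frame #0: ASan reports inlined callers this way."""
        if not self.frames:
            return []
        return [f for f in self.frames if f.pc == self.frames[0].pc]


def parse_asan_report(text: str) -> AsanReport:
    """Extract the fields needed for crash triage from an ASan report."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), error_kind=m.group(2),
                                address=int(m.group(3), 16))
            continue
        if report is None:
            continue  # banner lines before the ERROR header carry nothing useful
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                       m.group(3), m.group(4)))
            continue
        if "is a wild pointer" in line:
            # The address is not inside or next to any allocation ASan tracks.
            report.wild_pointer = True
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary = m.group(1)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def triage_line(report: AsanReport) -> str:
    """One-line classification. An out-of-bounds READ is a crash or information
    disclosure issue; an out-of-bounds WRITE is memory corruption and ranks higher."""
    site = report.crash_site()
    where = f"{site.function} ({site.location})" if site else "unknown frame"
    impact = {"READ": "out-of-bounds read", "WRITE": "out-of-bounds write"}.get(
        report.access or "", "unknown access")
    note = "; wild pointer (not near any tracked allocation)" if report.wild_pointer else ""
    return f"{report.error_kind}: {impact} of {report.access_size} bytes in {where}{note}"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(triage_line(r))
    for f in r.frames:
        print(f"  #{f.index} {f.function:20s} {f.location}")
```

Frames #0 to #2 in this report share one pc, which is how ASan renders callers that the compiler inlined into `execute_program`; `inlined_frames` surfaces that so the triager knows the real source line is the innermost one, 992, while 1071 and 1507 are only the inlined call path. The "wild pointer" line is worth flagging separately: it tells you the faulting address is not adjacent to any live heap chunk, which matches the reporter's observation that changing the input's first line turns the read into a segmentation fault.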