GNU bug report logs - #32271
heap buffer overflow in regexp.c, line 286

Package: sed;

Reported by: project-repo <bugs <at> feusi.co>

Date: Wed, 25 Jul 2018 14:34:01 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Report forwarded to bug-sed <at> gnu.org:
bug#32271; Package sed. (Wed, 25 Jul 2018 14:34:02 GMT)

Acknowledgement sent to project-repo <bugs <at> feusi.co>:
New bug report received and forwarded. Copy sent to bug-sed <at> gnu.org. (Wed, 25 Jul 2018 14:34:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: project-repo <bugs <at> feusi.co>
To: bug-sed <at> gnu.org
Subject: heap buffer overflow in regexp.c, line 286
Date: Wed, 25 Jul 2018 16:34:25 +0200
Hi,
I let the fuzzer run again and it came up with a second heap buffer
overflow. This time in regexp.c, line 286. Here is a backtrace as
supplied by the address sanitizer:

=================================================================
==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
READ of size 238 at 0x611000000b2f thread T0
    #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
    #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
    #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
    #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
    #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
    #5 0x55aabd6ac5a2 in main sed/sed.c:377
    #6 0x7fee33173a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)

0x611000000b2f is located 0 bytes to the right of 239-byte region [0x611000000a40,0x611000000b2f)
allocated by thread T0 here:
    #0 0x7fee335e5fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55aabd6dd3ea in ck_realloc sed/utils.c:418

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573) 
==7428==ABORTING

This bug can be reproduced by running "sed -f min file-min", where min
and file-min are the files attached.

cheers,
project-repo
[min (text/plain, attachment)]
[file-min (text/plain, attachment)]
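As an added triage example (not part of the bug report or of sed's own code), the following Python parses the key lines of the AddressSanitizer report above, embedded here as a constructed sample, and works out how much of the 238-byte read falls outside the 239-byte region and which sed frame performed it; the regexes and field names are this example's own assumptions about ASan's output format.

```python
import re
# Constructed sample: the lines of the ASan report from this bug that the parser needs
# (the real report also carries the full backtrace and the shadow-byte map).
ASAN_REPORT = """\
==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
READ of size 238 at 0x611000000b2f thread T0
    #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
    #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
    #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
0x611000000b2f is located 0 bytes to the right of 239-byte region [0x611000000a40,0x611000000b2f)
allocated by thread T0 here:
    #0 0x7fee335e5fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55aabd6dd3ea in ck_realloc sed/utils.c:418
"""
HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION = re.compile(r"(?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region "
                    r"\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
# Only frames with a "func file:line" part, i.e. the project's own symbolised frames;
# sanitizer interceptor frames carry "(lib+offset)" instead and are skipped.
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+:\d+)$", re.M)

def parse_asan(report: str) -> dict:
    """Pull out the facts a triager needs from an ASan heap-buffer-overflow report."""
    hdr, acc, reg = HEADER.search(report), ACCESS.search(report), REGION.search(report)
    if not (hdr and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    addr, size = int(acc["addr"], 16), int(acc["size"])
    # The access covers [addr, addr+size); bytes before lo or at/after hi are out of bounds.
    out_of_bounds = max(0, addr + size - hi) + max(0, lo - addr)
    # The access stack precedes "allocated by"; the allocation stack is not the culprit.
    access_stack = report.split("allocated by", 1)[0]
    frames = [(m["func"], m["loc"]) for m in FRAME.finditer(access_stack)]
    return {
        "kind": hdr["kind"], "op": acc["op"], "size": size,
        "region_len": hi - lo, "distance": int(reg["dist"]), "side": reg["side"],
        "out_of_bounds": out_of_bounds,
        "entirely_outside": addr >= hi or addr + size <= lo,
        "culprit": frames[0] if frames else None,
    }

def summarize(report: str) -> str:
    """One-line verdict suitable for a bug title or a fuzzing dashboard."""
    r = parse_asan(report)
    func, loc = r["culprit"] or ("?", "?")
    return (f"{r['kind']}: {r['op']} of {r['size']} bytes, {r['out_of_bounds']} of them outside a "
            f"{r['region_len']}-byte heap region (access starts {r['distance']} bytes to the "
            f"{r['side']} of it), in {func} ({loc})")
```

Run against this report it shows that the read starts exactly at the end of the allocation, so all 238 bytes are out of bounds, which is why the access lands entirely in the heap redzone rather than partially inside the buffer.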

Information forwarded to bug-sed <at> gnu.org:
bug#32271; Package sed. (Wed, 25 Jul 2018 17:17:01 GMT)

Message #8 received at 32271 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: project-repo <bugs <at> feusi.co>, 32271 <at> debbugs.gnu.org
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Wed, 25 Jul 2018 11:16:20 -0600
Hello,

On 25/07/18 08:34 AM, project-repo wrote:
> I let the fuzzer run again and it came up with a second heap buffer
> overflow. This time in regexp.c, line 286. Here is a backtrace as
> supplied by the address sanitizer:

Thanks again.

I can reproduce it locally.

It will take me a couple of days to get to the bottom of it,
will send updates soon.

regards,
 - assaf

Information forwarded to bug-sed <at> gnu.org:
bug#32271; Package sed. (Fri, 27 Jul 2018 10:14:01 GMT)

Message #11 received at 32271 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: project-repo <bugs <at> feusi.co>, 32271 <at> debbugs.gnu.org
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Fri, 27 Jul 2018 04:13:03 -0600
Hello,

On 25/07/18 08:34 AM, project-repo wrote:
> I let the fuzzer run again and it came up with a second heap buffer
> overflow. This time in regexp.c, line 286. Here is a backtrace as
> supplied by the address sanitizer:
> 
> =================================================================
> ==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
> READ of size 238 at 0x611000000b2f thread T0
>      #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
>      #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
>      #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
>      #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
>      #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
>      #5 0x55aabd6ac5a2 in main sed/sed.c:377
>      #6 0x7fee33173a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>      #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)

Once again, great work - you indirectly found a 15-year-old bug,
in addition to the above heap buffer overflow.

The two attached patches should explain it in detail.

As these changes are somewhat subtle, I encourage everyone to
double-check them...

comments welcomed,
 - assaf


[0001-sed-fix-extraneous-NUL-in-s-n-command.patch (text/x-patch, attachment)]
[0002-sed-fix-heap-buffer-overflow-from-multiline-EOL-rege.patch (text/x-patch, attachment)]

Information forwarded to bug-sed <at> gnu.org:
bug#32271; Package sed. (Thu, 02 Aug 2018 15:17:02 GMT)

Message #14 received at 32271 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Assaf Gordon <assafgordon <at> gmail.com>
Cc: project-repo <bugs <at> feusi.co>, 32271 <at> debbugs.gnu.org
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Thu, 2 Aug 2018 17:15:43 +0200
On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon <assafgordon <at> gmail.com> wrote:
> Hello,
>
> On 25/07/18 08:34 AM, project-repo wrote:
>>
>> I let the fuzzer run again and it came up with a second heap buffer
>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>> supplied by the address sanitizer:
>>
>> =================================================================
>> ==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
>> READ of size 238 at 0x611000000b2f thread T0
>>      #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
>>      #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
>>      #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
>>      #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
>>      #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
>>      #5 0x55aabd6ac5a2 in main sed/sed.c:377
>>      #6 0x7fee33173a86 in __libc_start_main
>> (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>>      #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)
>
>
> Once again, great work - you indirectly found a 15-year-old bug,
> in addition to the above heap buffer overflow.
>
> The two attached patches should explain it in detail.
>
> As these changes are somewhat subtle, I encourage everyone to
> double-check them...

Fine work, yet again. Thank you!
I did spot one nit: the addition of two leading TAB bytes in the
latter patch. Should be 8 spaces, of course:

-        str_append(&s_accum, line.active + start, offset - start);$
+^I{$
+          str_append(&s_accum, line.active + start, offset - start);$
+          start = offset;$
+^I}$
$
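Review bot: the `+^I{$` and `+^I}$` lines open and close the new block with a literal TAB (the `^I` shown by the whitespace markers) while the `str_append` and `start = offset` lines inside it are indented with spaces; replace each tab with 8 spaces so the block matches the surrounding indentation. Since `start = offset` now runs only inside the braced block, the context lines around this hunk (not shown in the excerpt) should also be checked to confirm that every other path through the loop advances `start`; otherwise the next `str_append(&s_accum, line.active + start, offset - start)` would copy from a stale offset.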

And in the added test, an even smaller comment nit: add an "s" after file:
- will report "binary file differ"
+ will report "binary files differ"


Information forwarded to bug-sed <at> gnu.org:
bug#32271; Package sed. (Sat, 04 Aug 2018 01:59:01 GMT)

Message #17 received at 32271 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: project-repo <bugs <at> feusi.co>, 32271 <at> debbugs.gnu.org
Subject: Re: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Fri, 3 Aug 2018 19:58:46 -0600
tags 32271 fixed
close 32271
stop

On 02/08/18 09:15 AM, Jim Meyering wrote:
> On Fri, Jul 27, 2018 at 12:13 PM, Assaf Gordon <assafgordon <at> gmail.com> wrote:
>> On 25/07/18 08:34 AM, project-repo wrote:
>>>
>>> I let the fuzzer run again and it came up with a second heap buffer
>>> overflow. This time in regexp.c, line 286. Here is a backtrace as
>>> supplied by the address sanitizer:
>>>
>> The two attached patches should explain it in detail.
>>
>> As these changes are somewhat subtle, I encourage everyone to
>> double-check them...
> 
> Fine work, yet again. Thank you!
> I did spot one nit: the addition of two leading TAB bytes in the
> latter patch. Should be 8 spaces, of course:

Thanks for the review.

Pushed here:
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=2cb09e14
https://git.savannah.gnu.org/cgit/sed.git/commit/?id=007a4176

-assaf

Added tag(s) fixed. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Sat, 04 Aug 2018 01:59:04 GMT)

bug closed, send any further explanations to 32271 <at> debbugs.gnu.org and project-repo <bugs <at> feusi.co> Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Sat, 04 Aug 2018 01:59:04 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 01 Sep 2018 11:24:06 GMT)
