GNU bug report logs - #32271
heap buffer overflow in regexp.c, line 286

Previous Next

Package: sed;

Reported by: project-repo <bugs <at> feusi.co>

Date: Wed, 25 Jul 2018 14:34:01 UTC

Severity: normal

Tags: fixed

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: project-repo <bugs <at> feusi.co>
To: 32271 <at> debbugs.gnu.org
Subject: bug#32271: heap buffer overflow in regexp.c, line 286
Date: Wed, 25 Jul 2018 16:34:25 +0200

[Message part 1 (text/plain, inline)]
Hi,
I let the fuzzer run again and it came up with a second heap buffer
overflow. This time in regexp.c, line 286. Here is a backtrace as
supplied by the address sanitizer:

=================================================================
==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
READ of size 238 at 0x611000000b2f thread T0
    #0 0x7fee3354c573  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
    #1 0x55aabd6d7025 in match_regex sed/regexp.c:286
    #2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
    #3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
    #4 0x55aabd6d4d5a in process_files sed/execute.c:1677
    #5 0x55aabd6ac5a2 in main sed/sed.c:377
    #6 0x7fee33173a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)

0x611000000b2f is located 0 bytes to the right of 239-byte region [0x611000000a40,0x611000000b2f)
allocated by thread T0 here:
    #0 0x7fee335e5fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x55aabd6dd3ea in ck_realloc sed/utils.c:418

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573) 
Shadow bytes around the buggy address:
  0x0c227fff8110: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fa
  0x0c227fff8140: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8160: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa
  0x0c227fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7428==ABORTING

This bug can be reproduced by running "sed -f min file-min". Where min
and file-min are the files attached.

cheers,
project-repo

[min (text/plain, attachment)]
[file-min (text/plain, attachment)]
This bug report was last modified 6 years and 292 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.