GNU bug report logs - #34140
AddressSanitizer reported heap-buffer-overflow when ignoring case

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#34140: closed (AddressSanitizer reported heap-buffer-overflow
 when ignoring case)
Date: Thu, 31 Jan 2019 21:36:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Thu, 31 Jan 2019 13:34:53 -0800
with message-id <ff3b8f65-3e55-5342-f533-8358643f770b <at> cs.ucla.edu>
and subject line Re: bug#34140: AddressSanitizer reported heap-buffer-overflow when ignoring case
has caused the debbugs.gnu.org bug report #34140,
regarding AddressSanitizer reported heap-buffer-overflow when ignoring case
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
34140: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Hongxu Chen <leftcopy.chx <at> gmail.com>
To: bug-grep <at> gnu.org
Subject: AddressSanitizer reported heap-buffer-overflow when ignoring case
Date: Sun, 20 Jan 2019 13:18:38 +0800

[Message part 3 (text/plain, inline)]

Hi,

    Latest `grep` (git commit 1019e6e) compiled with asan may cause a
heap-buffer-overflow when `-i` is specified.

    ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt

=================================================================
==16206==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000dd8 at pc 0x0000004b43a6 bp 0x7ffe385a7e50 sp 0x7ffe385a7600
READ of size 6 at 0x602000000dd8 thread T0
    #0 0x4b43a5 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5)
    #1 0x588bfc in proceed_next_node
/home/hongxu/FOT/grep-O0/lib/./regexec.c:1296:9
    #2 0x588bfc in set_regs /home/hongxu/FOT/grep-O0/lib/./regexec.c:1453
    #3 0x56ad33 in re_search_internal
/home/hongxu/FOT/grep-O0/lib/./regexec.c:864:10
    #4 0x56c11f in re_search_stub
/home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12
    #5 0x56c92e in rpl_re_search
/home/hongxu/FOT/grep-O0/lib/./regexec.c:289:10
    #6 0x5146f2 in EGexecute /home/hongxu/FOT/grep-O0/src/dfasearch.c:357:19
    #7 0x51c9f7 in grepbuf /home/hongxu/FOT/grep-O0/src/grep.c:1395:29
    #8 0x51ad7f in grep /home/hongxu/FOT/grep-O0/src/grep.c:1526:23
    #9 0x51ad7f in grepdesc /home/hongxu/FOT/grep-O0/src/grep.c:1849
    #10 0x518df9 in main /home/hongxu/FOT/grep-O0/src/grep.c
    #11 0x7f6ab0c75b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41b489 in _start
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x41b489)

0x602000000dd8 is located 0 bytes to the right of 8-byte region
[0x602000000dd0,0x602000000dd8)
allocated by thread T0 here:
    #0 0x4db7c0 in realloc
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4db7c0)
    #1 0x566ee2 in re_string_allocate
/home/hongxu/FOT/grep-O0/lib/./regex_internal.c:168:32
    #2 0x566ee2 in re_search_internal
/home/hongxu/FOT/grep-O0/lib/./regexec.c:646
    #3 0x56c11f in re_search_stub
/home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
  0x0c047fff8160: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8170: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8190: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81a0: fa fa fd fa fa fa 00 06 fa fa fd fa fa fa fd fa
=>0x0c047fff81b0: fa fa fd fd fa fa fd fd fa fa 00[fa]fa fa fd fd
  0x0c047fff81c0: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c047fff81d0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa fd fa
  0x0c047fff81e0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8200: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16206==ABORTING
[1]    16206 abort      ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt


Best Regards,
Hongxu

[Message part 4 (text/html, inline)]

[chvt (application/octet-stream, attachment)]

[Message part 6 (message/rfc822, inline)]

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: arnold <at> skeeve.com, leftcopy.chx <at> gmail.com
Cc: 34140-done <at> debbugs.gnu.org
Subject: Re: bug#34140: AddressSanitizer reported heap-buffer-overflow when
 ignoring case
Date: Thu, 31 Jan 2019 13:34:53 -0800

On 1/25/19 4:24 PM, Paul Eggert wrote:
> On 1/22/19 11:08 PM, arnold <at> skeeve.com wrote:
>> Do you have an ETA on when the fix will get pushed to GNULIB?
>
> Glibc is scheduled for release on February 1, and I plan to update 
> glibc and Gnulib soon after it's released (which may be a bit later 
> than Feb. 1). 

This is done now and the fix is propagated into Gnulib and grep, so I'm 
marking the grep bug as done. If you're using a glibc version before 
glibc 2.30 (which will not be out for months) you may need to 
'./configure --with-included-regex' to get the fix.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.