GNU bug report logs - #34140: AddressSanitizer reported heap-buffer-overflow when ignoring case
[Message part 1 (text/plain, inline)]
Your bug report
#34140: AddressSanitizer reported heap-buffer-overflow when ignoring case
which was filed against the grep package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 34140 <at> debbugs.gnu.org.
--
34140: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
On 1/25/19 4:24 PM, Paul Eggert wrote:
> On 1/22/19 11:08 PM, arnold <at> skeeve.com wrote:
>> Do you have an ETA on when the fix will get pushed to GNULIB?
>
> Glibc is scheduled for release on February 1, and I plan to update
> glibc and Gnulib soon after it's released (which may be a bit later
> than Feb. 1).
This is done now and the fix is propagated into Gnulib and grep, so I'm
marking the grep bug as done. If you're using a glibc version before
glibc 2.30 (which will not be out for months) you may need to
'./configure --with-included-regex' to get the fix.
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Hi,
Latest `grep` (git commit 1019e6e) compiled with asan may cause a
heap-buffer-overflow when `-i` is specified.
./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt
=================================================================
==16206==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000dd8 at pc 0x0000004b43a6 bp 0x7ffe385a7e50 sp 0x7ffe385a7600
READ of size 6 at 0x602000000dd8 thread T0
#0 0x4b43a5 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5)
#1 0x588bfc in proceed_next_node
/home/hongxu/FOT/grep-O0/lib/./regexec.c:1296:9
#2 0x588bfc in set_regs /home/hongxu/FOT/grep-O0/lib/./regexec.c:1453
#3 0x56ad33 in re_search_internal
/home/hongxu/FOT/grep-O0/lib/./regexec.c:864:10
#4 0x56c11f in re_search_stub
/home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12
#5 0x56c92e in rpl_re_search
/home/hongxu/FOT/grep-O0/lib/./regexec.c:289:10
#6 0x5146f2 in EGexecute /home/hongxu/FOT/grep-O0/src/dfasearch.c:357:19
#7 0x51c9f7 in grepbuf /home/hongxu/FOT/grep-O0/src/grep.c:1395:29
#8 0x51ad7f in grep /home/hongxu/FOT/grep-O0/src/grep.c:1526:23
#9 0x51ad7f in grepdesc /home/hongxu/FOT/grep-O0/src/grep.c:1849
#10 0x518df9 in main /home/hongxu/FOT/grep-O0/src/grep.c
#11 0x7f6ab0c75b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41b489 in _start
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x41b489)
0x602000000dd8 is located 0 bytes to the right of 8-byte region
[0x602000000dd0,0x602000000dd8)
allocated by thread T0 here:
#0 0x4db7c0 in realloc
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4db7c0)
#1 0x566ee2 in re_string_allocate
/home/hongxu/FOT/grep-O0/lib/./regex_internal.c:168:32
#2 0x566ee2 in re_search_internal
/home/hongxu/FOT/grep-O0/lib/./regexec.c:646
#3 0x56c11f in re_search_stub
/home/hongxu/FOT/grep-O0/lib/./regexec.c:425:12
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
0x0c047fff8160: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8170: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8190: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff81a0: fa fa fd fa fa fa 00 06 fa fa fd fa fa fa fd fa
=>0x0c047fff81b0: fa fa fd fd fa fa fd fd fa fa 00[fa]fa fa fd fd
0x0c047fff81c0: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa fd fd
0x0c047fff81d0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa fd fa
0x0c047fff81e0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff81f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8200: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16206==ABORTING
[1] 16206 abort ./grep -i '\(\(\)*.\)*\(\)\(\)\1' /bin/chvt
Best Regards,
Hongxu
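A small triage helper for reports of the kind shown above, added here as an example; it is not part of the bug report, of grep, or of gnulib. It parses AddressSanitizer text (the report from this bug, re-joined where the mail client wrapped its lines, is embedded as the sample input) and derives what a triager wants to know first: the access type and size, how many bytes of the access fall outside the allocation, and the first non-runtime frame of both the access stack and the allocation stack. The `Frame`/`AsanFinding` names and the list of runtime-frame prefixes that are skipped are this example's own choices.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report for triage.

Added example (not grep or gnulib code).  The sample below is the report
from this bug with the mail client's line wrapping undone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
==16206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000dd8 at pc 0x0000004b43a6 bp 0x7ffe385a7e50 sp 0x7ffe385a7600
READ of size 6 at 0x602000000dd8 thread T0
    #0 0x4b43a5 in __interceptor_memcmp.part.283 (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5)
    #1 0x588bfc in proceed_next_node /home/hongxu/FOT/grep-O0/lib/./regexec.c:1296:9
    #2 0x588bfc in set_regs /home/hongxu/FOT/grep-O0/lib/./regexec.c:1453
0x602000000dd8 is located 0 bytes to the right of 8-byte region [0x602000000dd0,0x602000000dd8)
allocated by thread T0 here:
    #0 0x4db7c0 in realloc (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4db7c0)
    #1 0x566ee2 in re_string_allocate /home/hongxu/FOT/grep-O0/lib/./regex_internal.c:168:32
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/FOT/grep-O0/install/bin/grep+0x4b43a5) in __interceptor_memcmp.part.283
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanFinding:
    kind: str            # e.g. "heap-buffer-overflow"
    access: str          # "READ" or "WRITE"
    size: int            # bytes touched by the faulting access
    address: int         # faulting address
    region_start: int    # allocation bounds, end exclusive
    region_end: int
    access_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def bytes_past_end(self) -> int:
        """Bytes of the access lying beyond the end of the allocation."""
        return max(0, self.address + self.size - self.region_end)

    @property
    def bytes_before_start(self) -> int:
        """Bytes of the access lying before the start of the allocation."""
        return max(0, self.region_start - self.address)


_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
_REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)\s*(.*)$")
# Frames belonging to the sanitizer runtime or the allocator, not to the
# program under test (prefix list chosen for this example).
_RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "malloc", "realloc", "calloc", "free")


def parse_asan_report(text: str) -> AsanFinding:
    kind = access = None
    size = address = region_start = region_end = None
    access_frames: List[Frame] = []
    alloc_frames: List[Frame] = []
    current = access_frames  # which stack the next frame lines belong to
    for line in text.splitlines():
        m = _ERROR_RE.search(line)
        if m:
            kind, address = m.group(1), int(m.group(2), 16)
            continue
        m = _ACCESS_RE.match(line)
        if m:
            access, size = m.group(1), int(m.group(2))
            current = access_frames
            continue
        m = _REGION_RE.search(line)
        if m:
            region_start, region_end = int(m.group(2), 16), int(m.group(3), 16)
            if int(m.group(1)) != region_end - region_start:
                raise ValueError("region size disagrees with its bounds")
            continue
        if line.startswith("allocated by"):
            current = alloc_frames
            continue
        m = _FRAME_RE.match(line)
        if m:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if None in (kind, access, size, address, region_start, region_end):
        raise ValueError("incomplete AddressSanitizer report")
    return AsanFinding(kind, access, size, address, region_start, region_end,
                       access_frames, alloc_frames)


def first_app_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the sanitizer/allocator runtime: the program code
    that performed the access (or the allocation)."""
    for fr in frames:
        if not fr.function.startswith(_RUNTIME_PREFIXES):
            return fr
    return None


def summarize(f: AsanFinding) -> str:
    where = first_app_frame(f.access_frames)
    origin = first_app_frame(f.alloc_frames)
    return (f"{f.kind}: {f.access} of {f.size} bytes at 0x{f.address:x}, "
            f"{f.bytes_past_end} byte(s) past the end of the {f.region_size}-byte "
            f"heap region allocated in {origin.function if origin else '?'}; "
            f"access in {where.function if where else '?'} "
            f"({where.location if where else '?'})")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

On the report above this yields a 6-byte read that begins exactly at the end of an 8-byte region, so all 6 bytes are out of bounds; the first application frames are `proceed_next_node` (regexec.c:1296) for the read and `re_string_allocate` (regex_internal.c:168) for the allocation, which is where a reviewer of the fix would look first.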
[chvt (application/octet-stream, attachment)]