From unknown Tue Jun 17 01:27:31 2025
Subject: bug#41773: Fuzzer created crash
From: Raimar Falke
To: 41773@debbugs.gnu.org
X-Debbugs-Original-To: bug-sed@gnu.org
X-GNU-PR-Package: sed
Date: Tue, 9 Jun 2020 07:31:22 +0200
Message-ID: <20200609053122.GA9917@stone.localdomain>
Hello,

I was playing around with https://github.com/google/AFL and indeed found a crash.

> cat sed_min_result
/0*\(\|\|.\)\+\(\(\)\)\1/s000
> echo "foo\nbar" | sed -f sed_min_result
sed: regexec.c:1361: pop_fail_stack: Assertion `num >= 0' failed.
Aborted (core dumped)
> echo "foo" | sed -f sed_min_result
> sed --version
sed (GNU sed) 4.5
...
>

Backtrace using gdb:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5ae0a85895 in __GI_abort () at abort.c:79
#2  0x00007f5ae0a85769 in __assert_fail_base (fmt=0x7f5ae0bece88 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=) at assert.c:92
#3  0x00007f5ae0a93a26 in __GI___assert_fail (assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=0x7f5ae0bef100 <__PRETTY_FUNCTION__.13516> "pop_fail_stack") at assert.c:101
#4  0x00007f5ae0b3be88 in pop_fail_stack (pidx=0x7ffc95a01dec, nregs=4, regs=0x5555ec88eeb0, eps_via_nodes=0x7ffc95a01df0, fs=, fs=) at regexec.c:1361
#5  pop_fail_stack (pidx=pidx@entry=0x7ffc95a01dec, nregs=nregs@entry=4, regs=regs@entry=0x5555ec88eeb0, eps_via_nodes=eps_via_nodes@entry=0x7ffc95a01df0, fs=, fs=) at regexec.c:1357
#6  0x00007f5ae0b3e567 in set_regs (preg=preg@entry=0x5555ec887f60, mctx=mctx@entry=0x7ffc95a01f60, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x5555ec88eeb0, fl_backtrack=) at regexec.c:1465
#7  0x00007f5ae0b40b5a in re_search_internal (preg=preg@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=, start@entry=0, last_start=, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x5555ec88eeb0, eflags=0) at regexec.c:861
#8  0x00007f5ae0b454e9 in re_search_stub (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, stop=stop@entry=8, regs=0x5555ec70c300 , ret_len=false) at regexec.c:424
#9  0x00007f5ae0b45e14 in __re_search (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x5555ec70c300 ) at regexec.c:289
#10 0x00005555ec6f84d2 in match_regex (regex=0x5555ec887f60, buf=0x5555ec887f20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x5555ec70c300 , regsize=1) at sed/regexp.c:418
#11 0x00005555ec6f6d2e in do_subst (sub=0x5555ec8858c0) at sed/execute.c:1022
#12 execute_program (vec=vec@entry=0x5555ec885890, input=input@entry=0x7ffc95a03260) at sed/execute.c:1509
#13 0x00005555ec6f7cab in process_files (the_program=0x5555ec885890, argv=) at sed/execute.c:1679
#14 0x00005555ec6f2a54 in main (argc=3, argv=0x7ffc95a03478) at sed/sed.c:401

Using sed from git (master branch 36e24f199f32) also dumps a core:

> echo "foo\nbar" | .../sed/sed/sed -f sed_min_result
Segmentation fault (core dumped)
> echo "foo" | .../sed/sed/sed -f sed_min_result
> .../sed/sed/sed --version
.../sed/sed/sed (GNU sed) 4.8.4-36e2-dirty
...
>

This time it is not an assert, but "pop_fail_stack" is also involved:

Backtrace using gdb:

#0  __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1  0x00000000004ae823 in memcpy (__len=64, __src=, __dest=0x2457a00) at /usr/include/bits/string_fortified.h:34
#2  pop_fail_stack (fs=, fs=, eps_via_nodes=0x7ffe4409d0f0, regs=0x2457a00, nregs=, pidx=) at lib/regexec.c:1351
#3  set_regs (preg=preg@entry=0x244cf60, mctx=mctx@entry=0x7ffe4409d290, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x2457a00, fl_backtrack=) at lib/regexec.c:1451
#4  0x00000000004d585d in re_search_internal (preg=preg@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=, start@entry=0, last_start=, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x2457a00, eflags=0) at lib/regexec.c:849
#5  0x00000000004f1886 in re_search_stub (ret_len=false, regs=0x502700 , stop=4, range=-5252860, start=, length=4, string=0x4 , bufp=0x244cf60) at lib/regexec.c:425
#6  rpl_re_search (bufp=bufp@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x502700 ) at lib/regexec.c:289
#7  0x0000000000431bc0 in match_regex (regex=0x244cf60, buf=0x244cf20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x502700 , regsize=1) at sed/regexp.c:358
#8  0x000000000042508e in do_subst (sub=0x244a8c0) at sed/execute.c:1015
#9  execute_program (vec=vec@entry=0x244a890, input=input@entry=0x7ffe4409e5c0) at sed/execute.c:1543
#10 0x000000000042e8ed in process_files (the_program=0x244a890, argv=) at sed/execute.c:1680
#11 0x000000000040417b in main (argc=3, argv=0x7ffe4409e7e8) at sed/sed.c:399

Cheers,
Raimar

-- 
email: i-gnu-org@rf.risimo.net
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." -- David Palmer (palmer@tybalt.caltech.edu)
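The two runs in the report die in the same glibc/gnulib function but in different ways: an assertion abort (SIGABRT) in sed 4.5 and a memory fault (SIGSEGV) in the git build. The helper below is an added example, not part of the report or of the sed project: a small POSIX sh triage script for inputs a fuzzer has flagged. It runs `sed -f SCRIPT` on a candidate input, captures the exit status and maps signal deaths (the shell's 128+N convention) back to a name, so the two failure modes can be told apart without attaching gdb. It assumes the target is `sed` on PATH or the binary named in `$SED` (e.g. a tree built from git). One caveat the backtraces make visible: the subject string is shown as `"foo\\nbar"` with `length=8`, so the `echo` in the report did not turn `\n` into a newline; the helper feeds the same eight bytes with `printf` so the reproducer does not depend on which shell's `echo` is in use. The sed script and inputs are the reporter's, written to a temporary file here.

```shell
#!/bin/sh
# Added example (not from the bug report): triage helper for fuzzer-found
# inputs. Assumes `sed` on PATH or a binary given in $SED.

# classify_exit STATUS: print a short verdict for a shell exit status.
# Shells report a process killed by signal N as 128+N, so 134 is SIGABRT
# (abort(), where assertion failures end up) and 139 is SIGSEGV.
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -lt 128 ]; then
        echo "error($status)"   # ordinary non-zero exit, e.g. a script syntax error
    elif [ "$status" -eq 134 ]; then
        echo SIGABRT
    elif [ "$status" -eq 139 ]; then
        echo SIGSEGV
    else
        echo "signal $((status - 128))"
    fi
}

# exit_status_of CMD...: run CMD with output discarded and print its exit
# status. The command sits in an `if` list so a failure does not trip
# `set -e` in callers.
exit_status_of() {
    if "$@" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# triage_sed_script SCRIPTFILE INPUT: feed INPUT plus a newline to
# `sed -f SCRIPTFILE` and classify how sed exited. The pipeline's status
# is sed's status, since sed is its last command.
triage_sed_script() {
    script=$1
    input=$2
    if printf '%s\n' "$input" | "${SED:-sed}" -f "$script" >/dev/null 2>&1; then
        classify_exit 0
    else
        classify_exit $?
    fi
}

# Demo with the reproducer from the report, written to a temporary file.
# The single-quoted 'foo\nbar' is a literal backslash followed by n: the
# same eight bytes the backtraces show as "foo\\nbar", length=8.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
printf '%s\n' '/0*\(\|\|.\)\+\(\(\)\)\1/s000' > "$tmp"
printf '%s\n' "foo\\nbar -> $(triage_sed_script "$tmp" 'foo\nbar')"
printf '%s\n' "foo      -> $(triage_sed_script "$tmp" 'foo')"
```

On a sed whose regex engine still has the bug the first line reports SIGABRT or SIGSEGV depending on the build, as in the report; on a fixed sed both lines report ok. Point `SED` at a build with ASan or `-g` when a verdict of SIGSEGV needs the backtrace.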