Package: sed;
Reported by: Raimar Falke <i-gnu-org <at> rf.risimo.net>
Date: Tue, 9 Jun 2020 06:16:02 UTC
Severity: normal
Message #5 received at submit <at> debbugs.gnu.org:
From: Raimar Falke <i-gnu-org <at> rf.risimo.net>
To: bug-sed <at> gnu.org
Subject: Fuzzer created crash
Date: Tue, 9 Jun 2020 07:31:22 +0200

Hello

I was playing around with https://github.com/google/AFL and indeed found a crash.

> cat sed_min_result
/0*\(\|\|.\)\+\(\(\)\)\1/s000
> echo "foo\nbar" | sed -f sed_min_result
sed: regexec.c:1361: pop_fail_stack: Assertion `num >= 0' failed.
Aborted (core dumped)
> echo "foo" | sed -f sed_min_result
> sed --version
sed (GNU sed) 4.5
...

Backtrace using gdb:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5ae0a85895 in __GI_abort () at abort.c:79
#2  0x00007f5ae0a85769 in __assert_fail_base (fmt=0x7f5ae0bece88 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=<optimized out>) at assert.c:92
#3  0x00007f5ae0a93a26 in __GI___assert_fail (assertion=0x7f5ae0beabda "num >= 0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=0x7f5ae0bef100 <__PRETTY_FUNCTION__.13516> "pop_fail_stack") at assert.c:101
#4  0x00007f5ae0b3be88 in pop_fail_stack (pidx=0x7ffc95a01dec, nregs=4, regs=0x5555ec88eeb0, eps_via_nodes=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1361
#5  pop_fail_stack (pidx=pidx@entry=0x7ffc95a01dec, nregs=nregs@entry=4, regs=regs@entry=0x5555ec88eeb0, eps_via_nodes=eps_via_nodes@entry=0x7ffc95a01df0, fs=<optimized out>, fs=<optimized out>) at regexec.c:1357
#6  0x00007f5ae0b3e567 in set_regs (preg=preg@entry=0x5555ec887f60, mctx=mctx@entry=0x7ffc95a01f60, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x5555ec88eeb0, fl_backtrack=<optimized out>) at regexec.c:1465
#7  0x00007f5ae0b40b5a in re_search_internal (preg=preg@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=<optimized out>, start@entry=0, last_start=<optimized out>, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x5555ec88eeb0, eflags=0) at regexec.c:861
#8  0x00007f5ae0b454e9 in re_search_stub (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, stop=stop@entry=8, regs=0x5555ec70c300 <regs>, ret_len=false) at regexec.c:424
#9  0x00007f5ae0b45e14 in __re_search (bufp=bufp@entry=0x5555ec887f60, string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x5555ec70c300 <regs>) at regexec.c:289
#10 0x00005555ec6f84d2 in match_regex (regex=0x5555ec887f60, buf=0x5555ec887f20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x5555ec70c300 <regs>, regsize=1) at sed/regexp.c:418
#11 0x00005555ec6f6d2e in do_subst (sub=0x5555ec8858c0) at sed/execute.c:1022
#12 execute_program (vec=vec@entry=0x5555ec885890, input=input@entry=0x7ffc95a03260) at sed/execute.c:1509
#13 0x00005555ec6f7cab in process_files (the_program=0x5555ec885890, argv=<optimized out>) at sed/execute.c:1679
#14 0x00005555ec6f2a54 in main (argc=3, argv=0x7ffc95a03478) at sed/sed.c:401

Using sed from git (master branch 36e24f199f32) also dumps a core:

> echo "foo\nbar" | .../sed/sed/sed -f sed_min_result
Segmentation fault (core dumped)
> echo "foo" | .../sed/sed/sed -f sed_min_result
> .../sed/sed/sed --version
.../sed/sed/sed (GNU sed) 4.8.4-36e2-dirty
...

This time it is not an assert, but "pop_fail_stack" is also involved:

Backtrace using gdb:

#0  __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1  0x00000000004ae823 in memcpy (__len=64, __src=<optimized out>, __dest=0x2457a00) at /usr/include/bits/string_fortified.h:34
#2  pop_fail_stack (fs=<optimized out>, fs=<optimized out>, eps_via_nodes=0x7ffe4409d0f0, regs=0x2457a00, nregs=<optimized out>, pidx=<synthetic pointer>) at lib/regexec.c:1351
#3  set_regs (preg=preg@entry=0x244cf60, mctx=mctx@entry=0x7ffe4409d290, nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x2457a00, fl_backtrack=<optimized out>) at lib/regexec.c:1451
#4  0x00000000004d585d in re_search_internal (preg=preg@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=<optimized out>, start@entry=0, last_start=<optimized out>, last_start@entry=8, stop=stop@entry=8, nmatch=4, pmatch=0x2457a00, eflags=0) at lib/regexec.c:849
#5  0x00000000004f1886 in re_search_stub (ret_len=false, regs=0x502700 <regs>, stop=4, range=-5252860, start=<optimized out>, length=4, string=0x4 <error: Cannot access memory at address 0x4>, bufp=0x244cf60) at lib/regexec.c:425
#6  rpl_re_search (bufp=bufp@entry=0x244cf60, string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, regs=regs@entry=0x502700 <regs>) at lib/regexec.c:289
#7  0x0000000000431bc0 in match_regex (regex=0x244cf60, buf=0x244cf20 "foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, regarray=regarray@entry=0x502700 <regs>, regsize=1) at sed/regexp.c:358
#8  0x000000000042508e in do_subst (sub=0x244a8c0) at sed/execute.c:1015
#9  execute_program (vec=vec@entry=0x244a890, input=input@entry=0x7ffe4409e5c0) at sed/execute.c:1543
#10 0x000000000042e8ed in process_files (the_program=0x244a890, argv=<optimized out>) at sed/execute.c:1680
#11 0x000000000040417b in main (argc=3, argv=0x7ffe4409e7e8) at sed/sed.c:399

Cheers,
Raimar

--
email: i-gnu-org <at> rf.risimo.net
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right."
-- David Palmer (palmer <at> tybalt.caltech.edu)
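The report above gives a minimized sed script and two inputs, one of which crashes sed inside the gnulib regex engine (pop_fail_stack, reached from set_regs during backreference matching). The harness below is an added example, not part of the bug report or of GNU sed: it keeps the reported reproducer as a regression case, runs a chosen sed binary on both inputs under a timeout, and classifies each run so that a CI job can fail while the crash is still reproducible and pass once a fixed sed is installed. The SED_BIN environment variable, the TIMEOUT value and the outcome labels are this example's own conventions. As the backtrace shows (length=8, string "foo\\nbar"), the reporter's echo did not interpret the backslash, so the input is the eight literal bytes foo\nbar; the harness feeds the same bytes.

```python
"""Regression harness for the fuzzer-minimized sed crash reported above.

Added example, not part of the bug report or of GNU sed. It writes the
reported script to a temporary file, runs a sed binary on the two inputs
from the report, and classifies each run (ok / error / crash / timeout).
Assumptions: the SED_BIN override, the TIMEOUT value and the labels are
this example's own; nothing here is sed's or gnulib's API.
"""
import os
import subprocess
import sys
import tempfile

# The exact sed script from the report (contents of sed_min_result).
SED_SCRIPT = r"/0*\(\|\|.\)\+\(\(\)\)\1/s000"

# Inputs from the report. The backtrace shows length=8 for the crashing
# input, i.e. the backslash-n was fed literally, so it is kept literal here.
INPUTS = {
    "foo-literal-backslash-n-bar": b"foo\\nbar\n",  # crashed in the report
    "foo": b"foo\n",                                 # did not crash
}

SED_BIN = os.environ.get("SED_BIN", "sed")  # assumption: overridable path
TIMEOUT = 10  # seconds; guards against a backtracking hang instead of a crash


def classify_exit(returncode):
    """Map a subprocess return code to a coarse outcome label.

    subprocess reports death-by-signal as a negative code (-6 for SIGABRT
    from a failed assert, -11 for SIGSEGV); a shell wrapper reports the
    same as 128+signal. Both forms count as a crash. None means timeout.
    """
    if returncode is None:
        return "timeout"
    if returncode < 0 or returncode >= 128:
        return "crash"
    if returncode == 0:
        return "ok"
    return "error"  # sed refused the script or input without crashing


def run_case(sed_bin, script, data, timeout=TIMEOUT):
    """Run `sed -f <script>` on `data`; return (label, returncode, stderr)."""
    with tempfile.NamedTemporaryFile("w", suffix=".sed", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        proc = subprocess.run([sed_bin, "-f", path], input=data,
                              capture_output=True, timeout=timeout)
        code = proc.returncode
        err = proc.stderr.decode(errors="replace")
    except subprocess.TimeoutExpired:
        code, err = None, "timed out after %ss" % timeout
    finally:
        os.unlink(path)
    return classify_exit(code), code, err


def main():
    worst = "ok"
    for name, data in INPUTS.items():
        label, code, err = run_case(SED_BIN, SED_SCRIPT, data)
        print("%-28s %-8s rc=%s %s" % (name, label, code, err.strip()[:80]))
        if label != "ok":
            worst = label
    # Non-zero exit lets CI fail while the crash (or a hang) is still present.
    sys.exit(0 if worst == "ok" else 1)


if __name__ == "__main__":
    main()
```

Run it as `SED_BIN=/path/to/sed python3 harness.py`; an unfixed sed 4.5 should report the first case as "crash" (SIGABRT from the failed assert), the git build from the report as "crash" (SIGSEGV), and a fixed build as "ok" for both. Classifying on the raw return code rather than on stderr text keeps the check stable across the assert and segfault variants the report shows.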