GNU bug report logs - #42946
grep: invalid read in pop_fail_stack

Package: grep;

Reported by: Luca Borzacchiello <borzacchiello <at> diag.uniroma1.it>

Date: Thu, 20 Aug 2020 09:17:02 UTC

Severity: normal

Merged with 22793, 32806, 34238


Report forwarded to bug-grep <at> gnu.org:
bug#42946; Package grep. (Thu, 20 Aug 2020 09:17:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Borzacchiello <borzacchiello <at> diag.uniroma1.it>:
New bug report received and forwarded. Copy sent to bug-grep <at> gnu.org. (Thu, 20 Aug 2020 09:17:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Luca Borzacchiello <borzacchiello <at> diag.uniroma1.it>
To: bug-grep <at> gnu.org
Subject: grep: invalid read in pop_fail_stack
Date: Thu, 20 Aug 2020 11:02:33 +0200
[Message part 1 (text/plain, inline)]
Dear maintainer,
running grep 3.4 with the attached inputs causes an invalid read in
pop_fail_stack.
The bug is confirmed for grep 3.3.75-afc5 (git version).

I used the following command line:
grep -f ./crashing_inp ./la_divin.txt

This is the output of valgrind:
==7468== Memcheck, a memory error detector
==7468== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7468== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==7468== Command: ./src/build/bin/grep -f ./crashing_inp ./la_divin.txt
==7468==
==7468== Invalid read of size 8
==7468==    at 0x128629: pop_fail_stack.isra.0 (regexec.c:1350)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0x4b33460 is 16 bytes after a block of size 192 free'd
==7468==    at 0x483CA3F: free (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x12B86C: sift_states_backward (regexec.c:1606)
==7468==    by 0x12CCFD: prune_impossible_nodes (regexec.c:943)
==7468==    by 0x12CCFD: re_search_internal (regexec.c:813)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Block was alloc'd at
==7468==    at 0x483DFAF: realloc (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x125ACC: re_node_set_add_intersect (regex_internal.c:1064)
==7468==    by 0x12D223: add_epsilon_src_nodes (regexec.c:1792)
==7468==    by 0x12D223: update_cur_sifted_state (regexec.c:1739)
==7468==    by 0x12B630: sift_states_backward (regexec.c:1570)
==7468==    by 0x12CCFD: prune_impossible_nodes (regexec.c:943)
==7468==    by 0x12CCFD: re_search_internal (regexec.c:813)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==
==7468== Invalid read of size 8
==7468==    at 0x12862F: memcpy (string_fortified.h:34)
==7468==    by 0x12862F: pop_fail_stack.isra.0 (regexec.c:1351)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0x4b33470 is 32 bytes before a block of size 96 in arena
"client"
==7468==
==7468== Invalid read of size 8
==7468==    at 0x4842A7C: memmove (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==7468==    by 0x12863A: memcpy (string_fortified.h:34)
==7468==    by 0x12863A: pop_fail_stack.isra.0 (regexec.c:1351)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==    by 0x12C411: re_search_internal (regexec.c:849)
==7468==    by 0x130FFD: re_search_stub (regexec.c:425)
==7468==    by 0x1316C3: rpl_re_search (regexec.c:289)
==7468==    by 0x10DF0C: EGexecute (dfasearch.c:476)
==7468==    by 0x10C7C5: main (grep.c:2905)
==7468==  Address 0xa0 is not stack'd, malloc'd or (recently) free'd
==7468==
grep: stack overflow
==7468==
==7468== HEAP SUMMARY:
==7468==     in use at exit: 57,775 bytes in 369 blocks
==7468==   total heap usage: 1,337 allocs, 968 frees, 169,874 bytes
allocated
==7468==
==7468== LEAK SUMMARY:
==7468==    definitely lost: 232 bytes in 1 blocks
==7468==    indirectly lost: 736 bytes in 14 blocks
==7468==      possibly lost: 128 bytes in 1 blocks
==7468==    still reachable: 56,679 bytes in 353 blocks
==7468==         suppressed: 0 bytes in 0 blocks
==7468== Rerun with --leak-check=full to see details of leaked memory
==7468==
==7468== For lists of detected and suppressed errors, rerun with: -s
==7468== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

--
Regards,
Luca Borzacchiello
[Message part 2 (text/html, inline)]
[la_divin.txt (text/plain, attachment)]
[crashing_inp (application/octet-stream, attachment)]
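As an added illustration (not part of this report, of grep, or of glibc), a small Python triage script that parses Memcheck "Invalid read" contexts such as the three above and buckets each by its address description: the first is relative to a freed block, the second to a live heap block, and the third to a near-null address. The embedded log is a constructed, abbreviated copy of the report's output with two frames per context.

```python
import re

# Constructed sample: the three error contexts from the report above, abbreviated.
SAMPLE_LOG = """\
==7468== Invalid read of size 8
==7468==    at 0x128629: pop_fail_stack.isra.0 (regexec.c:1350)
==7468==    by 0x12A61C: set_regs (regexec.c:1451)
==7468==  Address 0x4b33460 is 16 bytes after a block of size 192 free'd
==7468==    at 0x483CA3F: free (in vgpreload_memcheck-amd64-linux.so)
==7468==
==7468== Invalid read of size 8
==7468==    at 0x12862F: memcpy (string_fortified.h:34)
==7468==  Address 0x4b33470 is 32 bytes before a block of size 96 in arena "client"
==7468==
==7468== Invalid read of size 8
==7468==    at 0x4842A7C: memmove (in vgpreload_memcheck-amd64-linux.so)
==7468==  Address 0xa0 is not stack'd, malloc'd or (recently) free'd
"""
LINE_RE = re.compile(r"^==\d+==\s?(.*)$")
ERR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR_RE = re.compile(r"^Address (0x[0-9A-Fa-f]+) is (.+)$")

def classify(desc, addr):
    """Map Memcheck's address description to a triage bucket."""
    if "not stack'd, malloc'd" in desc:          # no heap object at all
        return "near-null dereference" if addr < 0x1000 else "wild pointer"
    if "free'd" in desc:                         # relative to a freed block
        return "use-after-free"
    if re.search(r"bytes (before|after) a block", desc):
        return "heap out-of-bounds"
    return "unknown"

def parse_memcheck(text):
    """One dict per Invalid read/write context; frames after the Address line belong to the block's free/alloc site and are skipped."""
    errors, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        line = m.group(1).strip() if m else ""
        e = ERR_RE.match(line)
        if e:
            cur = {"kind": f"Invalid {e.group(1)}", "size": int(e.group(2)),
                   "frames": [], "address": None, "category": "unknown"}
            errors.append(cur)
        elif cur and (a := ADDR_RE.match(line)):
            cur["address"] = int(a.group(1), 16)
            cur["category"] = classify(a.group(2), cur["address"])
        elif cur and cur["address"] is None and (f := FRAME_RE.match(line)):
            cur["frames"].append(f.group(1))
    return errors
```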

Merged 22793 32806 34238 42946. Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Mon, 21 Sep 2020 19:52:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-grep <at> gnu.org:
bug#42946; Package grep. (Mon, 21 Sep 2020 19:58:01 GMT) Full text and rfc822 format available.

Message #10 received at 42946 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Luca Borzacchiello <borzacchiello <at> diag.uniroma1.it>
Cc: 42946 <at> debbugs.gnu.org
Subject: Re: bug#42946: grep: invalid read in pop_fail_stack
Date: Mon, 21 Sep 2020 12:57:50 -0700
On 8/20/20 2:02 AM, Luca Borzacchiello via Bug reports for GNU grep wrote:

> running grep 3.4 with the attached inputs, cause an invalid read in
> pop_fail_stack.

Thanks for reporting that. This appears to be a duplicate of these longstanding 
grep bug reports:

https://bugs.gnu.org/22793
https://bugs.gnu.org/32806
https://bugs.gnu.org/34238

so I have merged your bug report to join the throng.

The actual bug is in glibc, and is reported here:

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

This bug has been unfixed since 2009, so a fix is not likely soon, unfortunately. A 
patch would be welcome of course.

