bug-sed

bug#34142: AddressSanitizer reported heap-buffer-overflow


From: Hongxu Chen
Subject: bug#34142: AddressSanitizer reported heap-buffer-overflow
Date: Sun, 20 Jan 2019 14:09:48 +0800

Hi,

    When the latest sed (4.7.4-f8503-dirty) is compiled with ASan, it reports a
heap-buffer-overflow when executing the following command.

      echo '0000000000000000000000000000' | ./sed -f c02.sed

   =================================================================
==13920==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606000000233 at pc 0x0000004b4136 bp 0x7ffc475e3930 sp 0x7ffc475e30e0
READ of size 26 at 0x606000000233 thread T0
    #0 0x4b4135 in __interceptor_memcmp.part.283
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135)
    #1 0x5b274c in proceed_next_node
/home/hongxu/FOT/sed-O0/./lib/regexec.c:1296:9
    #2 0x597a4c in set_regs /home/hongxu/FOT/sed-O0/./lib/regexec.c:1453:18
    #3 0x569a4f in re_search_internal
/home/hongxu/FOT/sed-O0/./lib/regexec.c:864:10
    #4 0x56acd7 in re_search_stub
/home/hongxu/FOT/sed-O0/./lib/regexec.c:425:12
    #5 0x56b061 in rpl_re_search
/home/hongxu/FOT/sed-O0/./lib/regexec.c:289:10
    #6 0x52f572 in match_regex /home/hongxu/FOT/sed-O0/sed/regexp.c:358:11
    #7 0x5292d1 in do_subst /home/hongxu/FOT/sed-O0/sed/execute.c:1015:8
    #8 0x5233a2 in execute_program
/home/hongxu/FOT/sed-O0/sed/execute.c:1543:15
    #9 0x520cba in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1680:16
    #10 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
    #11 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41b219 in _start
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x41b219)

0x606000000233 is located 0 bytes to the right of 51-byte region
[0x606000000200,0x606000000233)
allocated by thread T0 here:
    #0 0x4db0d0 in malloc (/home/hongxu/FOT/sed-O0/install/bin/sed+0x4db0d0)
    #1 0x5624f4 in xmalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:41:13
    #2 0x5627c4 in xzalloc /home/hongxu/FOT/sed-O0/lib/xmalloc.c:86:18
    #3 0x520e16 in line_init /home/hongxu/FOT/sed-O0/sed/execute.c:281:15
    #4 0x5209ad in process_files
/home/hongxu/FOT/sed-O0/sed/execute.c:1654:3
    #5 0x5300dc in main /home/hongxu/FOT/sed-O0/sed/sed.c:382:17
    #6 0x7f1dc2297b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/hongxu/FOT/sed-O0/install/bin/sed+0x4b4135) in
__interceptor_memcmp.part.283
Shadow bytes around the buggy address:
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c7fff8040: 00 00 00 00 00 00[03]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8080: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13920==ABORTING
[1]    13917 done       echo '0000000000000000000000000000' |
       13920 abort      ./sed -f c02.sed

c02.sed is attached (it seems OK when executing with the c02.sed content
directly: `echo '0000000000000000000000000000' | ./sed -f
"s000;s0\(..*\)*\1\(\)\S00"`).

This seems to be an issue in lib/regexec.c, since we found that GNU debbugs
#34140 has a similar case.

Best Regards,
Hongxu

Attachment: c02.sed
Description: Binary data
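The arithmetic behind the ASan report above, worked through in code. This is an added example and is not part of the bug report, of sed, or of the AddressSanitizer runtime: it models the x86_64 shadow encoding (shadow = (addr >> 3) + 0x7fff8000, one shadow byte per 8-byte granule, 00 = fully addressable, 01..07 = that many leading bytes addressable, fa = heap redzone) in a small simulated window and replays the report's numbers (a 51-byte region at 0x606000000200, fault address 0x606000000233, 26-byte memcmp). The window layout, the 128-byte left redzone and the fixed shadow offset are modelling assumptions chosen so the dump lines up with ASan's 16-byte shadow rows; real ASan keeps much more state.

```c
/*
 * Added example: a model of AddressSanitizer's x86_64 shadow-memory encoding,
 * used to check the numbers in the bug report. Not ASan, sed, or the report's code.
 */
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_OFFSET   0x7fff8000ULL  /* x86_64 Linux default; fixed here by assumption */
#define SHADOW_GRANULE  8ULL
#define WINDOW_GRANULES 64             /* 512 application bytes modelled */
#define REDZONE_GRANULES 16            /* 128-byte left redzone so rows align like ASan's dump */

/* ASan's MEM_TO_SHADOW on x86_64: (addr >> 3) + 0x7fff8000. */
static uint64_t mem_to_shadow(uint64_t addr)
{
    return (addr >> 3) + SHADOW_OFFSET;
}

struct shadow_window {
    uint64_t base;                     /* first application address covered, 8-aligned */
    uint8_t  bytes[WINDOW_GRANULES];   /* one shadow byte per 8-byte granule */
};

/* Addressable bytes a shadow byte grants in its granule: 00 -> 8, 01..07 -> that
 * many leading bytes, anything else (fa, fd, f1, ...) -> none. */
static unsigned granule_addressable(uint8_t sb)
{
    if (sb == 0x00) return 8;
    if (sb < 0x08)  return sb;
    return 0;
}

/* Model the shadow of a live heap chunk [start, start+size) inside heap redzone (fa).
 * `start` must be granule-aligned, as malloc'd chunks are. */
static struct shadow_window model_heap_region(uint64_t start, size_t size)
{
    struct shadow_window w;
    assert(start % SHADOW_GRANULE == 0);
    assert(size / SHADOW_GRANULE + REDZONE_GRANULES + 2 <= WINDOW_GRANULES);
    w.base = start - REDZONE_GRANULES * SHADOW_GRANULE;
    memset(w.bytes, 0xfa, sizeof w.bytes);            /* everything is redzone ...   */
    size_t g = REDZONE_GRANULES;
    for (size_t full = size / SHADOW_GRANULE; full > 0; full--)
        w.bytes[g++] = 0x00;                          /* ... except full granules ... */
    if (size % SHADOW_GRANULE)
        w.bytes[g] = (uint8_t)(size % SHADOW_GRANULE); /* ... and a partial tail (01..07) */
    return w;
}

/* The allocation from the report: 51 bytes at 0x606000000200 (line_init's xzalloc). */
static struct shadow_window report_region(void)
{
    return model_heap_region(0x606000000200ULL, 51);
}

/* Shadow byte covering `addr`, or fa if outside the modelled window. */
static uint8_t shadow_byte_at(const struct shadow_window *w, uint64_t addr)
{
    if (addr < w->base) return 0xfa;
    uint64_t idx = (addr - w->base) / SHADOW_GRANULE;
    return idx < WINDOW_GRANULES ? w->bytes[idx] : 0xfa;
}

/* Byte-wise form of the range check the memcmp interceptor performs: returns the
 * first poisoned address in [addr, addr+size), or 0 if the range is clean. ASan's
 * "READ of size N at X" names that first bad byte X and the whole range size N. */
static uint64_t first_poisoned(const struct shadow_window *w, uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        unsigned off = (unsigned)(a % SHADOW_GRANULE);
        if (off >= granule_addressable(shadow_byte_at(w, a)))
            return a;
    }
    return 0;
}

/* Print the window like ASan's "Shadow bytes around the buggy address" dump. */
static void dump_shadow(const struct shadow_window *w, uint64_t bad)
{
    uint64_t bad_idx = (bad - w->base) / SHADOW_GRANULE;
    for (size_t row = 0; row < WINDOW_GRANULES; row += 16) {
        printf("  0x%012llx:", (unsigned long long)mem_to_shadow(w->base + row * SHADOW_GRANULE));
        for (size_t i = row; i < row + 16; i++) {
            if (i == bad_idx) printf("[%02x]", w->bytes[i]);
            else              printf(" %02x ", w->bytes[i]);
        }
        putchar('\n');
    }
}

int main(void)
{
    const uint64_t region = 0x606000000200ULL, fault = 0x606000000233ULL;
    const size_t len = 51;
    struct shadow_window w = report_region();

    printf("shadow of fault: 0x%llx, shadow byte %02x, granule offset %llu\n",
           (unsigned long long)mem_to_shadow(fault), shadow_byte_at(&w, fault),
           (unsigned long long)(fault % SHADOW_GRANULE));
    printf("fault is %llu bytes past the end of the %zu-byte region\n",
           (unsigned long long)(fault - (region + len)), len);
    printf("first poisoned byte of a 26-byte read at the fault: 0x%llx\n",
           (unsigned long long)first_poisoned(&w, fault, 26));
    dump_shadow(&w, fault);
    return 0;
}
```

Compile with `cc -std=c99 -o shadow shadow.c` and run it. The shadow address of 0x606000000233 comes out as 0x0c0c7fff8046, i.e. byte 6 of the `=>0x0c0c7fff8040` row in the report, and the model reproduces that row's `00 00 00 00 00 00[03]fa` pattern: 51 bytes is six full granules plus three addressable bytes, so a shadow byte of 03 makes granule offsets 0, 1 and 2 valid and offset 3 (address ...233, exactly the end of the region) the first poisoned byte. That is why ASan says "0 bytes to the right"; the 26-byte memcmp in proceed_next_node was given a length that runs past the end of the line buffer allocated in line_init, which is what to chase in lib/regexec.c.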

