bug-sed

bug#41773: Fuzzer created crash


From: Raimar Falke
Subject: bug#41773: Fuzzer created crash
Date: Tue, 9 Jun 2020 07:31:22 +0200
User-agent: Mutt/1.12.1 (2019-06-15)

Hello

I was playing around with https://github.com/google/AFL and indeed found
a crash.

> cat sed_min_result
/0*\(\|\|.\)\+\(\(\)\)\1/s000
> echo "foo\nbar" | sed -f sed_min_result 
sed: regexec.c:1361: pop_fail_stack: Assertion `num >= 0' failed.
Aborted (core dumped)
> echo "foo" | sed -f sed_min_result 

> sed --version
sed (GNU sed) 4.5
...
> 

Backtrace using gdb:
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5ae0a85895 in __GI_abort () at abort.c:79
#2  0x00007f5ae0a85769 in __assert_fail_base (fmt=0x7f5ae0bece88 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=0x7f5ae0beabda "num >= 0", 
file=0x7f5ae0beabd0 "regexec.c", line=1361, function=<optimized out>) at 
assert.c:92
#3  0x00007f5ae0a93a26 in __GI___assert_fail (assertion=0x7f5ae0beabda "num >= 
0", file=0x7f5ae0beabd0 "regexec.c", line=1361, function=0x7f5ae0bef100 
<__PRETTY_FUNCTION__.13516> "pop_fail_stack") at assert.c:101
#4  0x00007f5ae0b3be88 in pop_fail_stack (pidx=0x7ffc95a01dec, nregs=4, 
regs=0x5555ec88eeb0, eps_via_nodes=0x7ffc95a01df0, fs=<optimized out>, 
fs=<optimized out>) at regexec.c:1361
#5  pop_fail_stack (pidx=pidx@entry=0x7ffc95a01dec, nregs=nregs@entry=4, 
regs=regs@entry=0x5555ec88eeb0, 
eps_via_nodes=eps_via_nodes@entry=0x7ffc95a01df0, fs=<optimized out>, 
fs=<optimized out>) at regexec.c:1357
#6  0x00007f5ae0b3e567 in set_regs (preg=preg@entry=0x5555ec887f60, 
mctx=mctx@entry=0x7ffc95a01f60, nmatch=nmatch@entry=4, 
pmatch=pmatch@entry=0x5555ec88eeb0, fl_backtrack=<optimized out>) at 
regexec.c:1465
#7  0x00007f5ae0b40b5a in re_search_internal (preg=preg@entry=0x5555ec887f60, 
string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, 
start=<optimized out>, start@entry=0, last_start=<optimized out>, 
last_start@entry=8, stop=stop@entry=8, 
    nmatch=4, pmatch=0x5555ec88eeb0, eflags=0) at regexec.c:861
#8  0x00007f5ae0b454e9 in re_search_stub (bufp=bufp@entry=0x5555ec887f60, 
string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, 
start=start@entry=0, range=range@entry=8, stop=stop@entry=8, 
regs=0x5555ec70c300 <regs>, ret_len=false)
    at regexec.c:424
#9  0x00007f5ae0b45e14 in __re_search (bufp=bufp@entry=0x5555ec887f60, 
string=string@entry=0x5555ec887f20 "foo\\nbar", length=length@entry=8, 
start=start@entry=0, range=range@entry=8, regs=regs@entry=0x5555ec70c300 
<regs>) at regexec.c:289
#10 0x00005555ec6f84d2 in match_regex (regex=0x5555ec887f60, buf=0x5555ec887f20 
"foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, 
regarray=regarray@entry=0x5555ec70c300 <regs>, regsize=1) at sed/regexp.c:418
#11 0x00005555ec6f6d2e in do_subst (sub=0x5555ec8858c0) at sed/execute.c:1022
#12 execute_program (vec=vec@entry=0x5555ec885890, 
input=input@entry=0x7ffc95a03260) at sed/execute.c:1509
#13 0x00005555ec6f7cab in process_files (the_program=0x5555ec885890, 
argv=<optimized out>) at sed/execute.c:1679
#14 0x00005555ec6f2a54 in main (argc=3, argv=0x7ffc95a03478) at sed/sed.c:401

Using sed from git (master branch 36e24f199f32) also dumps a core:

> echo "foo\nbar" | .../sed/sed/sed -f sed_min_result 
Segmentation fault (core dumped)
> echo "foo" | .../sed/sed/sed -f sed_min_result 

> .../sed/sed/sed --version
.../sed/sed/sed (GNU sed) 4.8.4-36e2-dirty
...
> 

This time it is not an assert, but "pop_fail_stack" is also involved:

Backtrace using gdb:
#0  __memmove_avx_unaligned () at 
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1  0x00000000004ae823 in memcpy (__len=64, __src=<optimized out>, 
__dest=0x2457a00) at /usr/include/bits/string_fortified.h:34
#2  pop_fail_stack (fs=<optimized out>, fs=<optimized out>, 
eps_via_nodes=0x7ffe4409d0f0, regs=0x2457a00, nregs=<optimized out>, 
pidx=<synthetic pointer>) at lib/regexec.c:1351
#3  set_regs (preg=preg@entry=0x244cf60, mctx=mctx@entry=0x7ffe4409d290, 
nmatch=nmatch@entry=4, pmatch=pmatch@entry=0x2457a00, fl_backtrack=<optimized 
out>) at lib/regexec.c:1451
#4  0x00000000004d585d in re_search_internal (preg=preg@entry=0x244cf60, 
string=string@entry=0x244cf20 "foo\\nbar", length=length@entry=8, 
start=<optimized out>, start@entry=0, last_start=<optimized out>, 
last_start@entry=8, stop=stop@entry=8, nmatch=4, 
    pmatch=0x2457a00, eflags=0) at lib/regexec.c:849
#5  0x00000000004f1886 in re_search_stub (ret_len=false, regs=0x502700 <regs>, 
stop=4, range=-5252860, start=<optimized out>, length=4, string=0x4 <error: 
Cannot access memory at address 0x4>, bufp=0x244cf60) at lib/regexec.c:425
#6  rpl_re_search (bufp=bufp@entry=0x244cf60, string=string@entry=0x244cf20 
"foo\\nbar", length=length@entry=8, start=start@entry=0, range=range@entry=8, 
regs=regs@entry=0x502700 <regs>) at lib/regexec.c:289
#7  0x0000000000431bc0 in match_regex (regex=0x244cf60, buf=0x244cf20 
"foo\\nbar", buflen=8, buf_start_offset=buf_start_offset@entry=0, 
regarray=regarray@entry=0x502700 <regs>, regsize=1) at sed/regexp.c:358
#8  0x000000000042508e in do_subst (sub=0x244a8c0) at sed/execute.c:1015
#9  execute_program (vec=vec@entry=0x244a890, input=input@entry=0x7ffe4409e5c0) 
at sed/execute.c:1543
#10 0x000000000042e8ed in process_files (the_program=0x244a890, argv=<optimized 
out>) at sed/execute.c:1680
#11 0x000000000040417b in main (argc=3, argv=0x7ffe4409e7e8) at sed/sed.c:399

Cheers,
        Raimar

-- 
 email: i-gnu-org@rf.risimo.net
 "Of course, someone who knows more about this will correct me if I'm
  wrong, and someone who knows less will correct me if I'm right."
    -- David Palmer (palmer@tybalt.caltech.edu)
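An added regression harness (my code, not from the report or from GNU sed) that replays the reproducer above through `sed -f` and classifies the outcome by exit signal, so an assertion abort (SIGABRT, as on 4.5) or a segfault (SIGSEGV, as on the git build) fails a test instead of having to be spotted by eye. It takes the stdin bytes from the gdb frames, which show `"foo\\nbar"` with `length=8`, that is a literal backslash and `n` rather than a newline; the `sed` on PATH and the `sh -c` self-checks are assumptions.

```python
"""Regression harness for the sed crash reported above (added example)."""
import os
import shutil
import signal
import subprocess
import tempfile

# Reproducer taken from the report. The gdb frames show the input as
# "foo\\nbar" with length=8: a literal backslash and 'n', which is what
# `echo "foo\nbar"` emits in shells whose echo does not expand escapes.
SED_SCRIPT = rb"/0*\(\|\|.\)\+\(\(\)\)\1/s000" + b"\n"
CRASHING_INPUT = b"foo\\nbar"   # 8 bytes; aborted sed 4.5 in the report
BENIGN_INPUT = b"foo"           # ran to completion in the report


def classify(returncode):
    """Map a return code to a verdict; subprocess reports death by
    signal as -signum, so an assert shows as SIGABRT, a bad memcpy as SIGSEGV."""
    if returncode >= 0:
        return "ok" if returncode == 0 else "error"
    return signal.Signals(-returncode).name


def run_case(argv, stdin_bytes, timeout=10):
    """Run argv with stdin_bytes on stdin and return the triage verdict."""
    try:
        proc = subprocess.run(argv, input=stdin_bytes,
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"  # hangs are findings too; report, don't wait
    return classify(proc.returncode)


def run_sed_case(sed_binary, script_bytes, stdin_bytes):
    """Write the script to a temp file and run `sed -f <file>` on stdin."""
    with tempfile.NamedTemporaryFile(suffix=".sed", delete=False) as f:
        f.write(script_bytes)
        path = f.name
    try:
        return run_case([sed_binary, "-f", path], stdin_bytes)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Assumption: sed on PATH; pass an explicit path to test a specific build.
    sed = shutil.which("sed")
    for label, data in (("crashing", CRASHING_INPUT), ("benign", BENIGN_INPUT)):
        print(label, run_sed_case(sed, SED_SCRIPT, data))
```

A fixed sed prints `ok` (or `error` for an ordinary parse complaint) for both inputs; the 4.5 build from the report would print `SIGABRT` for the crashing one.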
