Hi,

When compiling the 'info' program or GNU nano with -fsanitize=address, then searching in either of the programs for the regex "@\*" (without the quotes) causes an abortion in gnulib's re_search_internal() at lib/regexec.c:764.

To reproduce, configure texinfo-6.8 with CFLAGS="-g -O0 -march=native -fsanitize=address", compile, and then run 'info/ginfo texinfo 2>TRAIL' and search for "@\*". In other words, type: /@\*<Enter>. Then type five times Shift+}. Result: info aborts. See the attached output.

To reproduce with nano, first run 'makeinfo --plain doc/texinfo.texi >thetext' in the texinfo-6.8 directory, then configure nano-5.9 with the same CFLAGS, compile, and then run 'src/nano +1 thetext 2>TRAIL' and type: Ctrl+W Alt+R @\*<Enter>. Type six times Alt+W. Result: nano aborts. See the attached output.

Problem still occurs when using a current checkout of gnulib.

Benno
=================================================================
==15833==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000429f6 at pc 0x55571a3caf51 bp 0x7ffdbabfd5f0 sp 0x7ffdbabfd5e0
READ of size 1 at 0x6020000429f6 thread T0
#0 0x55571a3caf50 in re_search_internal
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764
#1 0x55571a3c88d8 in rpl_regexec
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
#2 0x55571a37a8f3 in extend_matches
/home/ben/Programoj/texinfo-6.8/info/search.c:142
#3 0x55571a37b1cf in regexp_search
/home/ben/Programoj/texinfo-6.8/info/search.c:214
#4 0x55571a38dfcd in info_search_in_node_internal
/home/ben/Programoj/texinfo-6.8/info/session.c:3956
#5 0x55571a38ed01 in info_search_internal
/home/ben/Programoj/texinfo-6.8/info/session.c:4087
#6 0x55571a392477 in info_search_next
/home/ben/Programoj/texinfo-6.8/info/session.c:4688
#7 0x55571a37e9b3 in info_read_and_dispatch
/home/ben/Programoj/texinfo-6.8/info/session.c:252
#8 0x55571a37e797 in info_session
/home/ben/Programoj/texinfo-6.8/info/session.c:220
#9 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
#10 0x7fca41f5bbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#11 0x55571a3457e9 in _start (/usr/local/bin/info+0x237e9)
0x6020000429f6 is located 0 bytes to the right of 6-byte region
[0x6020000429f0,0x6020000429f6)
allocated by thread T0 here:
#0 0x7fca42633f30 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
#1 0x55571a3a8c0e in re_string_realloc_buffers
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:168
#2 0x55571a3a82e9 in re_string_allocate
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:61
#3 0x55571a3ca27b in re_search_internal
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:636
#4 0x55571a3c88d8 in rpl_regexec
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
#5 0x55571a37a8f3 in extend_matches
/home/ben/Programoj/texinfo-6.8/info/search.c:142
#6 0x55571a37b1cf in regexp_search
/home/ben/Programoj/texinfo-6.8/info/search.c:214
#7 0x55571a38dfcd in info_search_in_node_internal
/home/ben/Programoj/texinfo-6.8/info/session.c:3956
#8 0x55571a38ed01 in info_search_internal
/home/ben/Programoj/texinfo-6.8/info/session.c:4087
#9 0x55571a392477 in info_search_next
/home/ben/Programoj/texinfo-6.8/info/session.c:4688
#10 0x55571a37e9b3 in info_read_and_dispatch
/home/ben/Programoj/texinfo-6.8/info/session.c:252
#11 0x55571a37e797 in info_session
/home/ben/Programoj/texinfo-6.8/info/session.c:220
#12 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
#13 0x7fca41f5bbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764 in re_search_internal
Shadow bytes around the buggy address:
0x0c04800004e0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c04800004f0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
0x0c0480000500: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 04 fa
0x0c0480000510: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c0480000520: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
=>0x0c0480000530: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa[06]fa
0x0c0480000540: fa fa fd fa fa fa fd fd fa fa 00 fa fa fa 00 fa
0x0c0480000550: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa 00 fa
0x0c0480000560: fa fa 00 fa fa fa 00 00 fa fa fa fa fa fa fa fa
0x0c0480000570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15833==ABORTING
=================================================================
==10934==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200008a7b6 at pc 0x564cedadcfce bp 0x7fff99479b10 sp 0x7fff99479b00
READ of size 1 at 0x60200008a7b6 thread T0
#0 0x564cedadcfcd in re_search_internal
/home/ben/Programoj/nano-5.9/lib/regexec.c:764
#1 0x564cedada955 in rpl_regexec
/home/ben/Programoj/nano-5.9/lib/regexec.c:219
#2 0x564ceda9f171 in strstrwrapper
/home/ben/Programoj/nano-5.9/src/utils.c:265
#3 0x564ceda80b35 in findnextstr
/home/ben/Programoj/nano-5.9/src/search.c:207
#4 0x564ceda82038 in go_looking
/home/ben/Programoj/nano-5.9/src/search.c:425
#5 0x564ceda81cc1 in do_research
/home/ben/Programoj/nano-5.9/src/search.c:380
#6 0x564ceda81d72 in do_findnext
/home/ben/Programoj/nano-5.9/src/search.c:396
#7 0x564ceda6bb0c in process_a_keystroke
/home/ben/Programoj/nano-5.9/src/nano.c:1621
#8 0x564ceda7176c in main /home/ben/Programoj/nano-5.9/src/nano.c:2541
#9 0x7f56dd4d1bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#10 0x564ceda345b9 in _start (/home/ben/Programoj/nano-5.9/src/nano+0x235b9)
0x60200008a7b6 is located 0 bytes to the right of 6-byte region
[0x60200008a7b0,0x60200008a7b6)
allocated by thread T0 here:
#0 0x7f56dddd8f30 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
#1 0x564cedababdd in re_string_realloc_buffers
/home/ben/Programoj/nano-5.9/lib/regex_internal.c:168
#2 0x564cedaba2b8 in re_string_allocate
/home/ben/Programoj/nano-5.9/lib/regex_internal.c:61
#3 0x564cedadc2f8 in re_search_internal
/home/ben/Programoj/nano-5.9/lib/regexec.c:636
#4 0x564cedada955 in rpl_regexec
/home/ben/Programoj/nano-5.9/lib/regexec.c:219
#5 0x564ceda9f171 in strstrwrapper
/home/ben/Programoj/nano-5.9/src/utils.c:265
#6 0x564ceda80b35 in findnextstr
/home/ben/Programoj/nano-5.9/src/search.c:207
#7 0x564ceda82038 in go_looking
/home/ben/Programoj/nano-5.9/src/search.c:425
#8 0x564ceda81cc1 in do_research
/home/ben/Programoj/nano-5.9/src/search.c:380
#9 0x564ceda81d72 in do_findnext
/home/ben/Programoj/nano-5.9/src/search.c:396
#10 0x564ceda6bb0c in process_a_keystroke
/home/ben/Programoj/nano-5.9/src/nano.c:1621
#11 0x564ceda7176c in main /home/ben/Programoj/nano-5.9/src/nano.c:2541
#12 0x7f56dd4d1bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ben/Programoj/nano-5.9/lib/regexec.c:764 in re_search_internal
Shadow bytes around the buggy address:
0x0c04800094a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800094b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800094c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800094d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800094e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800094f0: fa fa fd fa fa fa[06]fa fa fa fa fa fa fa fa fa
0x0c0480009500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480009510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480009520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480009530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480009540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10934==ABORTING