URL:
  <http://savannah.gnu.org/bugs/?46832>

                 Summary: Heap buffer overflow on long target lines
                 Project: make
            Submitted by: None
            Submitted on: Wed 06 Jan 2016 08:41:29 PM UTC
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
       Component Version: None
        Operating System: POSIX-Based
           Fixed Release: None
           Triage Status: None

    _______________________________________________________

Details:

When calling Make on targets with a long line, it crashes with a heap
overflow.
With the latest release installed on my system (4.1), this happens with around
10,000 chars; in the git code this needs 65536 chars. Not sure if the
difference is a change in git or whether I compiled it differently.

Reproduce:
(echo -n "0:"; for i in $(seq 1 65536); do echo -n a; done) > Makefile
make

This is the output from AddressSanitizer (on the git version):
=================================================================
==22862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000cb5f at pc 0x0000004a27e8 bp 0x7ffdca6bdc90 sp 0x7ffdca6bd440
WRITE of size 65536 at 0x60200000cb5f thread T0
    #0 0x4a27e7 in __asan_memmove (/tmp/make+0x4a27e7)
    #1 0x55b536 in copy_string /mnt/ram/make/strcache.c:80:3
    #2 0x55b536 in add_string /mnt/ram/make/strcache.c:106
    #3 0x55b536 in add_hash /mnt/ram/make/strcache.c:175
    #4 0x55b2b4 in strcache_add /mnt/ram/make/strcache.c:202:10
    #5 0x54310d in parse_file_seq /mnt/ram/make/read.c:3353:11
    #6 0x4f645e in split_prereqs /mnt/ram/make/file.c:448:21
    #7 0x54549d in record_files /mnt/ram/make/read.c:1993:18
    #8 0x53efba in eval /mnt/ram/make/read.c:1402:3
    #9 0x538676 in eval_makefile /mnt/ram/make/read.c:446:3
    #10 0x5376ec in read_all_makefiles /mnt/ram/make/read.c:263:17
    #11 0x5255ea in main /mnt/ram/make/main.c:1991:16
    #12 0x7f46f874c62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
    #13 0x41c4e8 in _start (/tmp/make+0x41c4e8)

0x60200000cb5f is located 0 bytes to the right of 15-byte region [0x60200000cb50,0x60200000cb5f)
allocated by thread T0 here:
    #0 0x4b7b88 in malloc (/tmp/make+0x4b7b88)
    #1 0x531f54 in xmalloc /mnt/ram/make/misc.c:220:18
    #2 0x55b2b4 in strcache_add /mnt/ram/make/strcache.c:202:10
    #3 0x4f645e in split_prereqs /mnt/ram/make/file.c:448:21
    #4 0x54549d in record_files /mnt/ram/make/read.c:1993:18
    #5 0x53efba in eval /mnt/ram/make/read.c:1402:3
    #6 0x538676 in eval_makefile /mnt/ram/make/read.c:446:3
    #7 0x5376ec in read_all_makefiles /mnt/ram/make/read.c:263:17
    #8 0x5255ea in main /mnt/ram/make/main.c:1991:16
    #9 0x7f46f874c62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/make+0x4a27e7) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c047fff9910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9960: fa fa fa fa fa fa fa fa fa fa 00[07]fa fa 02 fa
  0x0c047fff9970: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa 00 02
  0x0c047fff9980: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fff9990: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff99a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff99b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22862==ABORTING

    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 06 Jan 2016 08:41:29 PM UTC  Name: Makefile  Size: 64kB   By: None
sample Makefile triggering bug
<http://savannah.gnu.org/bugs/download.php?file_id=35937>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?46832>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/


_______________________________________________
Bug-make mailing list
Bug-make@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-make
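A parameterised version of the report's reproducer, added here as an example rather than taken from the bug report or from GNU make itself: it generates the "0:aaa..." Makefile for any prerequisite length without a 65536-iteration shell loop, runs a chosen make binary on it, and classifies the outcome, so the threshold the reporter saw differ between 4.1 (around 10,000 chars) and git (65536) can be probed on several builds. The default binary name `make`, the use of `-C`/`-n`, and the exit-status classes are assumptions of this script.

```shell
#!/bin/sh
# Added example (not code from the bug report or from GNU make).
# Probe the "long prerequisite line" crash on an arbitrary make build.

# gen_makefile LEN OUT: write "0:" followed by LEN 'a' bytes and no trailing
# newline, the same shape as the report's Makefile.
gen_makefile() {
    len=$1
    out=$2
    { printf '0:'; head -c "$len" /dev/zero | tr '\0' 'a'; } > "$out"
}

# run_repro LEN [MAKE_BIN]: run MAKE_BIN (default: make, an assumption) on a
# generated Makefile in a scratch directory. The overflow in the report
# happens while the makefile is parsed, so -n is enough and no recipe runs.
# Return status (classes chosen for this example):
#   0  make ran and exited on its own; an unaffected make will normally just
#      complain that there is no rule to build the long prerequisite
#   2  AddressSanitizer reported an error on stderr
#   3  make was killed by a signal (e.g. SIGSEGV in an uninstrumented build)
#   1  setup failure
run_repro() {
    len=$1
    mk=${2:-make}
    dir=$(mktemp -d) || return 1
    gen_makefile "$len" "$dir/Makefile"
    if "$mk" -C "$dir" -n >/dev/null 2>"$dir/err"; then
        rc=0
    else
        rc=$?
    fi
    if grep -q 'AddressSanitizer' "$dir/err"; then
        status=2
    elif [ "$rc" -gt 128 ]; then
        status=3
    else
        status=0
    fi
    rm -rf "$dir"
    return "$status"
}

# Command-line use: sh repro.sh LEN [MAKE_BIN]
if [ "$#" -ge 1 ]; then
    run_repro "$@"
    case $? in
        0) echo "len=$1: make exited on its own (no sanitizer report)" ;;
        2) echo "len=$1: AddressSanitizer error" ;;
        3) echo "len=$1: make killed by a signal" ;;
        *) echo "len=$1: setup failure" ;;
    esac
fi
```

Running it with a few lengths (for instance 9000, 12000 and 65536) against an ASan-instrumented build and against a distribution 4.1 binary gives the per-build threshold directly, which is what a triager needs to tell whether the 10,000 versus 65536 difference in the report is a code change or a build difference.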
