Re: heap-buffer overflow when searching for regex @\*
On 19-10-2021 at 00:10, Paul Eggert wrote:
> Thanks for the bug report. I reproduced the problem with texinfo and installed
> the attached Gnulib patch, which fixed things for me with texinfo. I didn't
> quite follow the 'nano' instructions but I hope this fixes the problem there too.

Yes, using current gnulib, the issue is fixed for nano as well. Thanks!

(Not that I would ever search for such a regex in nano. :) It was just to verify that the issue was in gnulib and not somehow caused by info itself.)

Benno
Re: heap-buffer overflow when searching for regex @\*
Thanks for the bug report. I reproduced the problem with texinfo and installed the attached Gnulib patch, which fixed things for me with texinfo. I didn't quite follow the 'nano' instructions but I hope this fixes the problem there too.

As this is a glibc bug I filed a bug report there too: https://sourceware.org/bugzilla/show_bug.cgi?id=28470 and I'll try to make sure it gets fixed there too.

From f14df82a3f36f833ad1174d293c9c2e33f2a2bea Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 18 Oct 2021 14:50:16 -0700 Subject: [PATCH] regex: fix buffer read overrrun * config/srclist.txt: Remove posix/regexec.c for now. * lib/regexec.c (re_search_internal): Fix buffer read overrun reported by Benno Schulenberg in: https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html --- ChangeLog | 7 +++ config/srclist.txt | 2 +- lib/regexec.c | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 87fd99f6a..a017453dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2021-10-18 Paul Eggert + + regex: fix buffer read overrrun + * lib/regexec.c (re_search_internal): + Fix buffer read overrun reported by Benno Schulenberg in: + https://lists.gnu.org/r/bug-gnulib/2021-10/msg00035.html + 2021-10-15 Paul Eggert nproc: port better to macOS 10.14 diff --git a/config/srclist.txt b/config/srclist.txt index 16b61721a..83e251def 100644 --- a/config/srclist.txt +++ b/config/srclist.txt @@ -70,7 +70,7 @@ $LIBCSRC posix/regex.c lib $LIBCSRC posix/regex.h lib $LIBCSRC posix/regex_internal.c lib $LIBCSRC posix/regex_internal.h lib -$LIBCSRC posix/regexec.c lib +#$LIBCSRC posix/regexec.c lib #$LIBCSRC stdlib/canonicalize lib/canonicalize-lgpl.c #$LIBCSRC sysdeps/generic/eloop-threshold.h lib $LIBCSRC time/timegm.c lib diff --git a/lib/regexec.c b/lib/regexec.c index 83e9aaf8c..a955aa218 100644 --- a/lib/regexec.c +++ b/lib/regexec.c 
@@ -760,7 +760,7 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, } /* If MATCH_FIRST is out of the buffer, leave it as '\0'. Note that MATCH_FIRST must not be smaller than 0. */ - ch = (match_first >= length + ch = (mctx.input.valid_len <= offset ? 0 : re_string_byte_at (&mctx.input, offset)); if (fastmap[ch]) break; -- 2.31.1
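Review bot: in the ChangeLog hunk the entry spells "overrrun" with three r's (the Subject line has the same typo) and does not mention the config/srclist.txt change, even though the commit message lists "* config/srclist.txt: Remove posix/regexec.c for now."; add that file to the entry, with the reason, and fix the spelling so the log matches the patch.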
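Review bot: in the config/srclist.txt hunk, changing "$LIBCSRC posix/regexec.c lib" to "#$LIBCSRC posix/regexec.c lib" silently stops syncing regexec.c from glibc with no indication of why or when to turn it back on; add a comment naming the glibc bug report linked in this message so the line is re-enabled once the fix lands upstream.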
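Review bot: in the lib/regexec.c hunk the comment above the changed line still says "If MATCH_FIRST is out of the buffer, leave it as '\0'. Note that MATCH_FIRST must not be smaller than 0." while the new guard is "mctx.input.valid_len <= offset"; reword it to say that OFFSET (the index actually handed to re_string_byte_at) is checked against the bytes currently valid in mctx.input, because the old comparison of match_first against the full string length did not bound the buffer access and that is what let the read run one byte past the allocation.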
heap-buffer overflow when searching for regex @\*
Hi,

When compiling the 'info' program or GNU nano with -fsanitize=address, then searching in either of the programs for the regex "@\*" (without the quotes) causes an abortion in gnulib's re_search_internal() at lib/regexec.c:764.

To reproduce, configure texinfo-6.8 with CFLAGS="-g -O0 -march=native -fsanitize=address", compile, and then run 'info/ginfo texinfo 2>TRAIL' and search for "@\*". In other words, type: /@\*. Then type five times Shift+}. Result: info aborts. See the attached output.

To reproduce with nano, first run 'makeinfo --plain doc/texinfo.texi >thetext' in the texinfo-6.8 directory, then configure nano-5.9 with the same CFLAGS, compile, and then run 'src/nano +1 thetext 2>TRAIL' and type: Ctrl+W Alt+R @\*. Then type six times Alt+W. Result: nano aborts. See the attached output.

Problem still occurs when using a current checkout of gnulib.

Benno

==15833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602429f6 at pc 0x55571a3caf51 bp 0x7ffdbabfd5f0 sp 0x7ffdbabfd5e0
READ of size 1 at 0x602429f6 thread T0
    #0 0x55571a3caf50 in re_search_internal /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764
    #1 0x55571a3c88d8 in rpl_regexec /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
    #2 0x55571a37a8f3 in extend_matches /home/ben/Programoj/texinfo-6.8/info/search.c:142
    #3 0x55571a37b1cf in regexp_search /home/ben/Programoj/texinfo-6.8/info/search.c:214
    #4 0x55571a38dfcd in info_search_in_node_internal /home/ben/Programoj/texinfo-6.8/info/session.c:3956
    #5 0x55571a38ed01 in info_search_internal /home/ben/Programoj/texinfo-6.8/info/session.c:4087
    #6 0x55571a392477 in info_search_next /home/ben/Programoj/texinfo-6.8/info/session.c:4688
    #7 0x55571a37e9b3 in info_read_and_dispatch /home/ben/Programoj/texinfo-6.8/info/session.c:252
    #8 0x55571a37e797 in info_session /home/ben/Programoj/texinfo-6.8/info/session.c:220
    #9 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
    #10 0x7fca41f5bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x55571a3457e9 in _start (/usr/local/bin/info+0x237e9)

0x602429f6 is located 0 bytes to the right of 6-byte region [0x602429f0,0x602429f6)
allocated by thread T0 here:
    #0 0x7fca42633f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55571a3a8c0e in re_string_realloc_buffers /home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:168
    #2 0x55571a3a82e9 in re_string_allocate /home/ben/Programoj/texinfo-6.8/gnulib/lib/regex_internal.c:61
    #3 0x55571a3ca27b in re_search_internal /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:636
    #4 0x55571a3c88d8 in rpl_regexec /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:219
    #5 0x55571a37a8f3 in extend_matches /home/ben/Programoj/texinfo-6.8/info/search.c:142
    #6 0x55571a37b1cf in regexp_search /home/ben/Programoj/texinfo-6.8/info/search.c:214
    #7 0x55571a38dfcd in info_search_in_node_internal /home/ben/Programoj/texinfo-6.8/info/session.c:3956
    #8 0x55571a38ed01 in info_search_internal /home/ben/Programoj/texinfo-6.8/info/session.c:4087
    #9 0x55571a392477 in info_search_next /home/ben/Programoj/texinfo-6.8/info/session.c:4688
    #10 0x55571a37e9b3 in info_read_and_dispatch /home/ben/Programoj/texinfo-6.8/info/session.c:252
    #11 0x55571a37e797 in info_session /home/ben/Programoj/texinfo-6.8/info/session.c:220
    #12 0x55571a365a26 in main /home/ben/Programoj/texinfo-6.8/info/info.c:1079
    #13 0x7fca41f5bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ben/Programoj/texinfo-6.8/gnulib/lib/regexec.c:764 in re_search_internal
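The defect the report above pins to regexec.c:764, and the guard change in Paul's patch earlier in the thread, shown as an added stand-alone example (not gnulib's code): a minimal stand-in for the matcher's input buffer, with the pre-fix guard instrumented to report when it would index past the bytes actually buffered, next to the post-fix guard. The struct, function names and the sample (a 10-byte subject of which only 6 bytes are buffered, like the 6-byte region in the ASan output) are constructed assumptions, not gnulib's API.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in (not gnulib's real re_string_t) for the matcher's input buffer:
   MBS holds only VALID_LEN bytes of the subject, starting at subject index
   RAW_MBS_IDX, so a subject index is rebased to OFFSET before MBS is read. */
struct input_buf {
    const unsigned char *mbs;
    size_t valid_len;
    size_t raw_mbs_idx;
};

/* Pre-fix guard, instrumented instead of performing the read: returns 1 when
   the old condition would index MBS at or past VALID_LEN (the 1-byte overread).
   MATCH_FIRST is assumed to be >= RAW_MBS_IDX, as in the matcher. */
int old_guard_overreads(const struct input_buf *in, size_t match_first,
                        size_t length)
{
    size_t offset = match_first - in->raw_mbs_idx;
    if (match_first >= length)          /* old check: against subject LENGTH */
        return 0;                       /* ch stays '\0', MBS is not touched */
    return offset >= in->valid_len;     /* but MBS has only VALID_LEN bytes */
}

/* Post-fix lookup: the guard tests the same index that subscripts MBS. */
unsigned char fixed_byte_at(const struct input_buf *in, size_t match_first)
{
    size_t offset = match_first - in->raw_mbs_idx;
    return in->valid_len <= offset ? 0 : in->mbs[offset];
}

/* Constructed sample: a 10-byte subject of which only 6 bytes are buffered,
   mirroring the 6-byte heap region in the AddressSanitizer report. */
static const unsigned char sample_mbs[6] = { 'a', 'b', '@', '*', 'c', 'd' };
static const struct input_buf sample = { sample_mbs, 6, 0 };
enum { SAMPLE_LENGTH = 10 };

int sample_old_guard_overreads(size_t m)
{
    return old_guard_overreads(&sample, m, SAMPLE_LENGTH);
}
int sample_fixed_byte_at(size_t m) { return fixed_byte_at(&sample, m); }

int main(void)
{
    for (size_t i = 0; i <= SAMPLE_LENGTH; i++)
        printf("match_first=%zu  old guard overreads=%d  fixed byte=%d\n",
               i, sample_old_guard_overreads(i), sample_fixed_byte_at(i));
    return 0;
}
```

Positions 6 through 9 are below the subject length, so the old guard admits them even though the buffer ends at 6; the fixed guard yields '\0' for exactly those positions.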