Hi
I looked at this old item in todo.txt:
===
Illegal memory access, requires ASAN to see. (Dominique Pelle, 2015 Jul 28)
===
I can still reproduce it with the latest vim-8.0.703
built with asan. I found this simpler way to reproduce it:
$ vim -u NONE -c'set re=1' -c"call setline(1,'xxxxx')" -c"/\n\@<=" 2>log
Vim: Caught deadly signal ABRT
Vim: preserving files...
Vim: Finished.
Aborted (core dumped)
And log contains:
=================================================================
==8289==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a8cce4 at pc 0x00000069a57b bp 0x7ffe999d3480 sp 0x7ffe999d3470
READ of size 1 at 0x000000a8cce4 thread T0
#0 0x69a57a in utf_head_off /home/pel/sb/vim/src/mbyte.c:3809
#1 0x78817b in regmatch /home/pel/sb/vim/src/regexp.c:5592
#2 0x78026b in regtry /home/pel/sb/vim/src/regexp.c:4076
#3 0x77fe00 in bt_regexec_both /home/pel/sb/vim/src/regexp.c:3961
#4 0x77f2d5 in bt_regexec_multi /home/pel/sb/vim/src/regexp.c:3771
#5 0x7c0141 in vim_regexec_multi /home/pel/sb/vim/src/regexp.c:8360
#6 0x801112 in searchit /home/pel/sb/vim/src/search.c:716
#7 0x80410f in do_search /home/pel/sb/vim/src/search.c:1443
#8 0x53e068 in get_address /home/pel/sb/vim/src/ex_docmd.c:4562
#9 0x52ed12 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2158
#10 0x528f6f in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
#11 0x527694 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:689
#12 0x9f65e4 in exe_commands /home/pel/sb/vim/src/main.c:2945
#13 0x9ef5e0 in vim_main2 /home/pel/sb/vim/src/main.c:803
#14 0x9eeb68 in main /home/pel/sb/vim/src/main.c:419
#15 0x7fe5bb73d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x411ce8 in _start (/home/pel/sb/vim/src/vim+0x411ce8)
0x000000a8cce4 is located 60 bytes to the left of global variable '*.LC1' defined in 'regexp.c' (0xa8cd20) of size 7
'*.LC1' is ascii string 'latin1'
0x000000a8cce4 is located 3 bytes to the right of global variable '*.LC0' defined in 'regexp.c' (0xa8cce0) of size 1
'*.LC0' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pel/sb/vim/src/mbyte.c:3809 in utf_head_off
==8289==ABORTING
It crashes at regexp.c:5592:
5590        if (has_mbyte)
5591            rp->rs_un.regsave.rs_u.pos.col -=
!!5592              (*mb_head_off)(regline, regline
5593                    + rp->rs_un.regsave.rs_u.pos.col - 1) + 1;
I see that at line 5592:
- rp->rs_un.regsave.rs_u.pos.col is equal to 5 (i.e. number
of x in the line)
- regline is equal to an empty string "" which was set
by reg_getline() at line 3694 to a constant string "".
3685    static char_u *
3686    reg_getline(linenr_T lnum)
3687    {
3688        /* when looking behind for a match/no-match lnum is negative. But we
3689         * can't go before line 1 */
3690        if (rex.reg_firstlnum + lnum < 1)
3691            return NULL;
3692        if (lnum > rex.reg_maxline)
3693            /* Must have matched the "\n" in the last line. */
!!3694          return (char_u *)"";
3695        return ml_get_buf(rex.reg_buf, rex.reg_firstlnum + lnum, FALSE);
3696    }
So asan detects the overflow (access beyond the global constant
string "" of line 3694). Note that only asan detects overflows
in globals (valgrind does not detect such a bug).
Not sure what the clean way of fixing this is.
Regards
Dominique
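Added illustration (not Vim's code, written for this report): a simplified UTF-8 head-offset routine in the style of utf_head_off(), and a step_back_col() that performs the same column adjustment as regmatch() at line 5592 but first checks that the saved column lies inside the line it is applied to. get_line() models reg_getline() returning the constant "" for a lnum past the last line; all names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Number of bytes 'p' lies after the head byte of the UTF-8 character
 * that contains it.  Never steps back before 'base' (simplified model
 * of utf_head_off(); the real function handles more cases). */
static int utf8_head_off(const unsigned char *base, const unsigned char *p)
{
    const unsigned char *q = p;
    /* Continuation bytes are 10xxxxxx; walk back over them. */
    while (q > base && (*q & 0xC0) == 0x80)
        --q;
    return (int)(p - q);
}

/* Same adjustment as regmatch(): col -= head_off(line, line + col - 1) + 1,
 * guarded so that line + col - 1 is always a byte of 'line'.
 * Returns -1 when the column does not fit instead of reading out of bounds. */
static int step_back_col(const char *line, int col)
{
    size_t len = strlen(line);
    if (col < 1 || (size_t)col > len)
        return -1;
    const unsigned char *base = (const unsigned char *)line;
    return col - (utf8_head_off(base, base + col - 1) + 1);
}

/* Models reg_getline(): a lnum beyond the last real line yields the
 * constant "" (constructed one-line buffer, as in the report). */
static const char *buffer_lines[] = { "xxxxx" };
static const int buffer_maxline = 1;

static const char *get_line(int lnum)
{
    return lnum > buffer_maxline ? "" : buffer_lines[lnum - 1];
}

/* Reproduces the state from the asan report: col was saved from line 1
 * (five x's), but the line text is fetched for a lnum past the end, so
 * the text is "" while col is still 5.  The guard turns the out-of-bounds
 * read into a -1 result. */
static int lookbehind_mismatch(void)
{
    int col = (int)strlen(get_line(1));   /* 5, as in the report */
    return step_back_col(get_line(2), col);
}
```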
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php