bug#22127: Segfault / null pointer access in function str_append_modified()


From: Jim Meyering
Subject: bug#22127: Segfault / null pointer access in function str_append_modified()
Date: Thu, 17 Dec 2015 18:56:51 -0800

On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck <address@hidden> wrote:
> Hi,
>
> With a malformed input (see attachment) sed can crash in the function
> str_append_modified()
>
> Test:
> echo|./sed -f sed-nullptr-str_append_modified
>
> Seems to be a null pointer access.
> This only seems to happen in the git code of sed and not in 4.2.2.
>
> This is the stack trace from address sanitizer:
> ==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
> 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
>     #0 0x7fd77e298c15 in wcrtomb 
> /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
>     #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
>     #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
>     #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
>     #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
>     #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
>     #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
>     #7 0x7fd77e21b62f in __libc_start_main 
> /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
>     #8 0x4191a8 in _start (/tmp/sed+0x4191a8)
>
>
> This was found with the help of american fuzzy lop.

Thank you for the report.
I've reduced it to the following one-liner (demonstrating
failure with an ASAN-enabled binary), and have attached
a patch:

$ echo > k; LC_ALL=en_US.utf8 sed/sed $(printf 's/^/\\L\233\375\134\200/') k
=================================================================
==3335==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60600000edb2 at pc 0x000000446933 bp 0x7ffd73a42ee0 sp
0x7ffd73a42690
WRITE of size 6 at 0x60600000edb2 thread T0
    #0 0x446932 in __interceptor_wcrtomb
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
    #1 0x4dc393 in str_append_modified /home/j/w/co/sed/sed/execute.c:273
    #2 0x4e08e2 in append_replacement /home/j/w/co/sed/sed/execute.c:992
    #3 0x4e1272 in do_subst /home/j/w/co/sed/sed/execute.c:1078
    #4 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #5 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #6 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #7 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #8 0x406d18 in _start (/home/j/w/co/sed/sed/sed+0x406d18)

0x60600000edb2 is located 0 bytes to the right of 50-byte region
[0x60600000ed80,0x60600000edb2)
allocated by thread T0 here:
    #0 0x4a2050 in __interceptor_calloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x4e59d3 in ck_malloc /home/j/w/co/sed/sed/utils.c:398
    #2 0x4dc4e9 in line_init /home/j/w/co/sed/sed/execute.c:288
    #3 0x4dc75f in line_reset /home/j/w/co/sed/sed/execute.c:306
    #4 0x4e0d37 in do_subst /home/j/w/co/sed/sed/execute.c:1023
    #5 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #6 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #7 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #8 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
in __interceptor_wcrtomb
Shadow bytes around the buggy address:
  0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9db0: 00 00 00 00 00 00[02]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9dc0: 00 00 02 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9df0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Attachment: 0001-sed-fix-a-heap-clobbering-buffer-overrun.patch
Description: Text Data
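The trace above shows wcrtomb writing 6 bytes (MB_CUR_MAX on glibc in a UTF-8 locale) at the very end of a 50-byte heap region while \L lower-cases a replacement that contains bytes which are not valid UTF-8. As an added illustration written for this page (it is not sed's code and not the attached patch, whose contents this archive page does not show), the following C program has the defensive shape such an append routine needs: a growable buffer in which room for MB_CUR_MAX bytes is reserved immediately before every wcrtomb call rather than once up front, with undecodable bytes passed through as single raw bytes. The struct and function names are hypothetical, and the sample input is constructed from the four bytes in the reproducer one-liner followed by "ABC".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <locale.h>
#include <wchar.h>
#include <wctype.h>

/* Growable output buffer.  The active/length/alloc field names are only
   meant to read naturally; this is an illustration for this page, not
   sed's struct line or its patch. */
struct outbuf
{
  char *active;
  size_t length;
  size_t alloc;
};

static void
outbuf_init (struct outbuf *b)
{
  b->alloc = 4;                 /* deliberately tiny so growth is exercised */
  b->length = 0;
  b->active = malloc (b->alloc);
  if (!b->active)
    abort ();
}

/* Guarantee at least NEED free bytes after b->length.  */
static void
outbuf_reserve (struct outbuf *b, size_t need)
{
  if (b->alloc - b->length >= need)
    return;
  size_t newalloc = b->alloc;
  while (newalloc - b->length < need)
    newalloc *= 2;
  char *p = realloc (b->active, newalloc);
  if (!p)
    abort ();
  b->active = p;
  b->alloc = newalloc;
}

/* Append STRING[0..LENGTH) to TO, lower-casing each decodable character
   and copying undecodable bytes through unchanged.  wcrtomb may emit up
   to MB_CUR_MAX bytes, so that much room is reserved right before every
   call; no earlier bookkeeping can leave the write short of space.  */
static void
append_lowercased (struct outbuf *to, const char *string, size_t length)
{
  mbstate_t from_stat, to_stat;
  memset (&from_stat, 0, sizeof from_stat);
  memset (&to_stat, 0, sizeof to_stat);

  while (length)
    {
      wchar_t wc;
      size_t n = mbrtowc (&wc, string, length, &from_stat);

      if (n == (size_t) -1 || n == (size_t) -2)
        {
          /* Invalid or truncated sequence: pass one raw byte through and
             resynchronise both conversion states.  */
          outbuf_reserve (to, 1);
          to->active[to->length++] = *string;
          memset (&from_stat, 0, sizeof from_stat);
          memset (&to_stat, 0, sizeof to_stat);
          string++, length--;
          continue;
        }
      if (n == 0)
        n = 1;                  /* an embedded NUL still consumes one byte */

      outbuf_reserve (to, MB_CUR_MAX);
      size_t m = wcrtomb (to->active + to->length,
                          (wchar_t) towlower ((wint_t) wc), &to_stat);
      if (m == (size_t) -1)
        {
          /* Not representable after case mapping: keep the original bytes.  */
          outbuf_reserve (to, n);
          memcpy (to->active + to->length, string, n);
          m = n;
          memset (&to_stat, 0, sizeof to_stat);
        }
      to->length += m;
      string += n, length -= n;
    }
}

/* Feed the constructed input through append_lowercased.  Returns 1 when
   the output is exactly the 7 bytes expected (the four undecodable bytes
   unchanged, "ABC" lower-cased) and length never exceeds alloc, else 0.  */
static int
run_sample (void)
{
  static const char input[] = "\233\375\134\200ABC";      /* constructed */
  static const char expected[] = "\233\375\134\200abc";
  struct outbuf b;
  int ok;

  outbuf_init (&b);
  append_lowercased (&b, input, sizeof input - 1);
  ok = b.length == sizeof expected - 1
       && b.length <= b.alloc
       && memcmp (b.active, expected, b.length) == 0;
  free (b.active);
  return ok;
}

int
main (void)
{
  setlocale (LC_ALL, "");
  int ok = run_sample ();
  printf ("MB_CUR_MAX=%zu sample %s\n", (size_t) MB_CUR_MAX,
          ok ? "ok" : "MISMATCH");
  return ok ? 0 : 1;
}
```

Building it with `-fsanitize=address` and running under `LC_ALL=en_US.utf8` exercises the same 6-byte wcrtomb path as the report; the per-call reservation is what keeps the write inside the region, and the result is the same 7 bytes in a single-byte locale because every undecodable byte is copied through as-is.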

