AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:3413 in re2c::Scanner::set_sourceline() #232

Closed
fgeek opened this issue Dec 3, 2018 · 6 comments

Comments

@fgeek

commented Dec 3, 2018

Tested commit: 8d5e57f
Tools: american fuzzy lop 2.52b, afl-utils
re2c-2018-12-03.txt
PS: Should I send these via email or some other channel?

=================================================================
==21325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000bd99 at pc 0x5575db11289c bp 0x7fff97747240 sp 0x7fff97747238
READ of size 1 at 0x62600000bd99 thread T0
    #0 0x5575db11289b in re2c::Scanner::set_sourceline() src/ast/lex.cc:3413
    #1 0x5575db11dd08 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:449
    #2 0x5575db127257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #3 0x5575db1355ee in yylex src/ast/parser.ypp:246
    #4 0x5575db1355ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #5 0x5575db13a773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #6 0x5575db0598ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #7 0x5575dae50a5c in main src/main.cc:31
    #8 0x7f1d699992e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #9 0x5575dae51bd9 in _start (/home/hsalo/builds/re2c/8d5e57f409bb6a342688a0e6a34c78d54186aedd/bin/re2c+0x1ebd9)

0x62600000bd99 is located 0 bytes to the right of 11417-byte region [0x626000009100,0x62600000bd99)
allocated by thread T0 here:
    #0 0x7f1d6a677d70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x5575db0f4603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
    #2 0x5575db11aa04 in re2c::Scanner::lex_string(char) src/ast/lex.cc:2454
    #3 0x5575db11aa04 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:454
    #4 0x5575db127257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #5 0x5575db1355ee in yylex src/ast/parser.ypp:246
    #6 0x5575db1355ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #7 0x5575db13a773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #8 0x5575db0598ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #9 0x5575dae50a5c in main src/main.cc:31
    #10 0x7f1d699992e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:3413 in re2c::Scanner::set_sourceline()
Shadow bytes around the buggy address:
  0x0c4c7fff9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff97a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff97b0: 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21325==ABORTING
@sergeyklay

Contributor

commented Dec 4, 2018

I would like to suggest using GitHub Issues for all bug reports.

@skvadrik

Owner

commented Dec 4, 2018

@fgeek : I agree, if it's convenient for you, do post crashes found by AFL here. Github issues are easier to find and read than email archives for people coming from outside the project. And the bugs are different, e.g. this one needs more thinking than the previous ones.

Thanks for reporting, these crashes are really useful.

@fgeek

Author

commented Dec 4, 2018

Roger that.

@fgeek

Author

commented Dec 6, 2018

This crash might be related to the same root cause: re2c-crashes-2018-12-06-001.txt

skvadrik added a commit that referenced this issue Dec 6, 2018

Lexer: use YYMAXFILL padding and don't forget to shift tag variables in YYFILL.

This fixes bugs #232, #233 and #234.
Found by american fuzzy lop (thanks to Henri Salo).
@skvadrik

Owner

commented Dec 6, 2018

Pushed a fix: 2f3e597. This also fixes #233 and #234.

This is not the final fix to the lexer buffering mechanism, but it should work. A better fix requires adding a new simplified API for buffer refill, so it will take some time.
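
The two points in the fix commit above (pad the buffer by YYMAXFILL at end of input, and shift every pointer into the buffer, tag variables included, when YYFILL slides the unconsumed tail) as an added example in C; this is not re2c's own code. BUF_SIZE, YYMAXFILL, the scanner_t layout and the count_pairs toy lexer are hypothetical, and the input is a constructed in-memory string rather than a file.

```c
#include <string.h>
#define YYMAXFILL 4   /* hypothetical: longest lookahead the DFA may ask YYFILL for */
#define BUF_SIZE  8   /* hypothetical, deliberately tiny so refills happen mid-token */

typedef struct {
    char buf[BUF_SIZE + YYMAXFILL];          /* extra room for the EOF padding */
    char *lim, *cur, *tok, *tag;             /* all point into buf */
    const char *src; size_t srclen, srcpos;  /* constructed in-memory input */
    int padded;                              /* EOF sentinel already appended */
} scanner_t;

/* YYFILL: make `need` (<= YYMAXFILL) bytes readable after cur; 0 = ok, 1 = token too long. */
static int fill(scanner_t *s, size_t need) {
    if ((size_t)(s->lim - s->cur) >= need) return 0;
    if (s->padded) return 1;
    /* Slide the unconsumed tail [tok, lim) to the front and move EVERY pointer
       into buf by the same distance, tag included (the commit's second point). */
    size_t shift = (size_t)(s->tok - s->buf);
    memmove(s->buf, s->tok, (size_t)(s->lim - s->tok));
    s->lim -= shift; s->cur -= shift; s->tok -= shift;
    if (s->tag) s->tag -= shift;
    size_t room = BUF_SIZE - (size_t)(s->lim - s->buf), n = s->srclen - s->srcpos;
    if (n > room) n = room;
    memcpy(s->lim, s->src + s->srcpos, n);
    s->lim += n; s->srcpos += n;
    if (s->srcpos == s->srclen) {
        /* At EOF append YYMAXFILL NUL bytes: the DFA may look that far ahead, and
           without the padding it reads past lim (the overflow in the report). */
        memset(s->lim, 0, YYMAXFILL); s->lim += YYMAXFILL; s->padded = 1;
    }
    return (size_t)(s->lim - s->cur) >= need ? 0 : 1;
}

/* Toy lexer: counts "key=value" pairs separated by single spaces, keeping the '='
   position in tag like a re2c tag variable. Returns -1 on malformed input. */
static int count_pairs(const char *src) {
    scanner_t s = {0}; int pairs = 0;
    s.src = src; s.srclen = strlen(src); s.lim = s.cur = s.tok = s.buf;
    for (;;) {
        s.tok = s.cur; s.tag = NULL;
        while (!fill(&s, 1) && *s.cur >= 'a' && *s.cur <= 'z') s.cur++;
        if (fill(&s, 1)) return -1;                   /* token longer than buf */
        if (*s.cur != '=') return (*s.cur == '\0' && s.cur == s.tok) ? pairs : -1;
        s.tag = s.cur++;
        while (!fill(&s, 1) && *s.cur >= 'a' && *s.cur <= 'z') s.cur++;
        if (*s.tag != '=') return -1;                 /* trips if tag was not shifted */
        pairs++;
        if (fill(&s, 1) || *s.cur == '\0') return pairs;
        if (*s.cur++ != ' ') return -1;
    }
}
```

A token longer than BUF_SIZE is rejected here; a real scanner (like re2c's Scanner::fill in the trace) grows the buffer instead, and every pointer must then be rebased onto the new allocation, not just shifted.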

@fgeek

Author

commented Dec 8, 2018

Fix confirmed.

fgeek closed this Dec 8, 2018
