
ASan heap-buffer-overflow src/dfa/tcmd.cc:175 in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) #238

Closed
fgeek opened this Issue Jan 3, 2019 · 2 comments

Comments


fgeek commented Jan 3, 2019

Tested commit 2f3e597 and reproducer re2c-2019-001.zip. Have a nice new year!

=================================================================
==6485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000018d00 at pc 0x55e8e9ce41ad bp 0x7ffc0a627830 sp 0x7ffc0a627828
WRITE of size 4 at 0x621000018d00 thread T0
    #0 0x55e8e9ce41ac in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) src/dfa/tcmd.cc:175
    #1 0x55e8e9cc85aa in final_actions src/dfa/find_state.cc:200
    #2 0x55e8e9cc85aa in re2c::find_state(re2c::determ_context_t&) src/dfa/find_state.cc:121
    #3 0x55e8e9c9b54d in re2c::dfa_t::dfa_t(re2c::nfa_t const&, re2c::opt_t const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, re2c::Warn&) src/dfa/determinization.cc:56
    #4 0x55e8e9d480e0 in ast_to_dfa src/compile.cc:69
    #5 0x55e8e9d480e0 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:176
    #6 0x55e8e9b3ff7e in main src/main.cc:31
    #7 0x7f209d82f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55e8e9b41059 in _start (/home/hsalo/builds/re2c/2f3e597abce36fb7f41413373308b7f13fc98181/bin/re2c+0x1f059)

0x621000018d00 is located 0 bytes to the right of 4096-byte region [0x621000017d00,0x621000018d00)
allocated by thread T0 here:
    #0 0x7f209e50cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55e8e9ce3ccc in slab_allocator_t<4294967295u, 4096u, 8ul>::alloc(unsigned long) src/util/slab_allocator.h:50
    #2 0x55e8e9ce3ccc in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) src/dfa/tcmd.cc:168
    #3 0x55e8e9cc85aa in final_actions src/dfa/find_state.cc:200
    #4 0x55e8e9cc85aa in re2c::find_state(re2c::determ_context_t&) src/dfa/find_state.cc:121
    #5 0x55e8e9c9b54d in re2c::dfa_t::dfa_t(re2c::nfa_t const&, re2c::opt_t const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, re2c::Warn&) src/dfa/determinization.cc:56
    #6 0x55e8e9d480e0 in ast_to_dfa src/compile.cc:69
    #7 0x55e8e9d480e0 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:176
    #8 0x55e8e9b3ff7e in main src/main.cc:31
    #9 0x7f209d82f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/dfa/tcmd.cc:175 in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long)
==6485==ABORTING

skvadrik added a commit that referenced this issue Jan 4, 2019

Fixed out-of-bounds write caused by misuse of slab allocator in case of large allocation size.

This fixes bug #238.
Found by american fuzzy lop (thanks to Henri Salo).
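An added illustration of the bug class the commit message names, written for this page and not taken from re2c's slab_allocator.h or from the fix itself (the page only says the allocator was misused for a large request, and the ASan report shows a 4-byte write landing 0 bytes past a 4096-byte slab): a toy bump-pointer slab allocator whose allocation path checks only that the current slab has room, beside a corrected path that sends oversize requests to a dedicated block. `toy_slab_t`, `alloc_buggy`, `alloc_fixed` and the 4-byte entry size are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <vector>
// Added illustration, not re2c's own slab_allocator.h: a bump-pointer slab
// allocator with 4096-byte slabs (the region size in the ASan report above).
template <std::size_t SLAB_SIZE>
class toy_slab_t {
    std::vector<char*> blocks_;       // every slab and dedicated block, freed in dtor
    char* cur_ = nullptr;             // current slab
    std::size_t used_ = SLAB_SIZE;    // bytes handed out from cur_; "full" at start
    void new_slab() {
        cur_ = static_cast<char*>(std::malloc(SLAB_SIZE));
        blocks_.push_back(cur_);
        used_ = 0;
    }
public:
    ~toy_slab_t() { for (char* b : blocks_) std::free(b); }
    // Buggy: checks that the slab has room but never that n fits in a slab at all;
    // for n > SLAB_SIZE the block straddles the slab end (write lands in redzone).
    char* alloc_buggy(std::size_t n) {
        if (used_ + n > SLAB_SIZE) new_slab();
        char* p = cur_ + used_;
        used_ += n;
        return p;
    }
    // Fixed: oversize requests get their own malloc'd block, never a slab.
    char* alloc_fixed(std::size_t n) {
        if (n > SLAB_SIZE) {
            blocks_.push_back(static_cast<char*>(std::malloc(n)));
            return blocks_.back();
        }
        return alloc_buggy(n);  // in-slab path is correct once n <= SLAB_SIZE
    }
    // Bytes of the latest in-slab block lying past the slab end (0 = in bounds).
    std::size_t overrun_bytes() const { return used_ > SLAB_SIZE ? used_ - SLAB_SIZE : 0; }
};
// Request `count` 4-byte entries (the report shows a 4-byte write) on the buggy
// path and measure the overrun; the block is deliberately never written.
std::size_t buggy_overrun_for(std::size_t count) {
    toy_slab_t<4096> pool;
    pool.alloc_buggy(count * 4);
    return pool.overrun_bytes();
}
// Same request on the fixed path: the whole block is safely writable.
bool fixed_is_safe_for(std::size_t count) {
    toy_slab_t<4096> pool;
    std::memset(pool.alloc_fixed(count * 4), 0, count * 4);
    return pool.overrun_bytes() == 0;
}
```

Running the buggy path under AddressSanitizer with the memset added back would report the same "0 bytes to the right of 4096-byte region" shape as the trace above, which is why the hardened path keeps the bounds decision inside the allocator rather than trusting callers.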

skvadrik commented Jan 4, 2019

Pushed a fix: fa91229

@fgeek Happy new year to you as well, and thanks for all the bug reports!


fgeek commented Jan 5, 2019

Fix confirmed.

@fgeek fgeek closed this Jan 5, 2019
