[Bug 197555] [patch] bsdgrep segfaults with --color and overlapping patterns

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Feb 12 02:11:27 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197555

            Bug ID: 197555
           Summary: [patch] bsdgrep segfaults with --color and overlapping
                    patterns
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: loadzero.dev at gmail.com

Created attachment 152888
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152888&action=edit
add an assert to printline to aid debugging

My machine details

uname -a

FreeBSD vagrant-freebsd-10 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue
Nov 11 21:02:49 UTC 2014    
root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

On my 10.1 x86-64 machine, /usr/bin/bsdgrep segfaults when I use it like this

echo i860 | bsdgrep --color -e i860 -e i86
i860
i860
Segmentation fault (core dumped)

With color disabled, it gives the correct output

echo i860 | bsdgrep -e i860 -e i86 
i860

this is the same binary from the 10.1 x86-64 release iso

openssl md5 /usr/bin/bsdgrep
MD5(/usr/bin/bsdgrep)= 46015e84adebfbaab878a40e8e99ecfd

gdb shows this (for the released binary)

echo i860 > /tmp/p
gdb --args /usr/bin/bsdgrep --color -e i860 -e i86 /tmp/p

Program received signal SIGSEGV, Segmentation fault.
0x00000008011cca60 in memchr () from /lib/libc.so.7
(gdb) bt
#0  0x00000008011cca60 in memchr () from /lib/libc.so.7
#1  0x00000008011cc599 in fwrite () from /lib/libc.so.7
#2  0x00000008011cc43d in fwrite () from /lib/libc.so.7
#3  0x0000000000404d63 in ?? ()
#4  0x00000000004047ca in ?? ()
#5  0x00000000004038a5 in ?? ()
#6  0x00000000004023bf in ?? ()
#7  0x0000000800629000 in ?? ()
#8  0x0000000000000000 in ?? ()

I have built a debug binary from STABLE, here is the svn info

svn info
Path: .
Working Copy Root Path: /usr/home/vagrant/stable/src
URL: http://svn.freebsd.org/base/stable/10/usr.bin/grep
Relative URL: ^/stable/10/usr.bin/grep
Repository Root: http://svn.freebsd.org/base
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 278579
Node Kind: directory
Schedule: normal
Last Changed Author: delphij
Last Changed Rev: 278175
Last Changed Date: 2015-02-04 00:45:02 +0000 (Wed, 04 Feb 2015)

gdb gives this backtrace

Starting program: /usr/home/vagrant/stable/src/usr.bin/grep/bsdgrep --color -e
i860 -e i86 /tmp/p
i860
i860

Program received signal SIGSEGV, Segmentation fault.
0x00000008011d1a60 in memchr () from /lib/libc.so.7
(gdb) bt
#0  0x00000008011d1a60 in memchr () from /lib/libc.so.7
#1  0x00000008011d1599 in fwrite () from /lib/libc.so.7
#2  0x00000008011d143d in fwrite () from /lib/libc.so.7
#3  0x00000000004062fc in printline (line=0x7fffffffe878, sep=58,
matches=0x7fffffffe710, m=2) at util.c:469
#4  0x0000000000405eef in procline (l=0x7fffffffe878, nottext=0) at util.c:366
#5  0x0000000000405588 in procfile (fn=0x7fffffffed69 "/tmp/p") at util.c:231
#6  0x0000000000404292 in main (argc=7, argv=0x7fffffffeab8) at grep.c:738
(gdb) 

valgrind gives a similar result

valgrind --db-attach=yes --track-origins=yes ./bsdgrep --color -e i860 -epi86
/tmp/ 
==60168== Memcheck, a memory error detector
==60168== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==60168== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==60168== Command: ./bsdgrep --color -e i860 -e i86 /tmp/p
==60168== 
i860
==60168== Conditional jump or move depends on uninitialised value(s)
==60168==    at 0x1020E54: memchr (in
/usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==60168==    by 0x1BC8598: ??? (in /lib/libc.so.7)
==60168==    by 0x1BC843C: fwrite (in /lib/libc.so.7)
==60168==    by 0x4062FB: printline (util.c:469)
==60168==    by 0x405EEE: procline (util.c:366)
==60168==    by 0x405587: procfile (util.c:231)
==60168==    by 0x404291: main (grep.c:738)
==60168==  Uninitialised value was created by a heap allocation
==60168==    at 0x101D2B3: malloc (in
/usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==60168==    by 0x405814: grep_malloc (util.c:390)
==60168==    by 0x402CBA: grep_open (file.c:285)
==60168==    by 0x40535A: procfile (util.c:194)
==60168==    by 0x404291: main (grep.c:738)
==60168== 
==60168==

After poking around in the code, it appears that the bug manifests inside
printline util.c:469

i is 1
matches[i].rm_so is a reg_off_t (int) with value 0
a is a size_t with value 4

so fwrite gets handed a really large bogus size parameter of size_t (-4)

464         putchar(sep);
465     /* --color and -o */
466     if ((oflag || color) && m > 0) {
467         for (i = 0; i < m; i++) {
468             if (!oflag)
469                 fwrite(line->dat + a, matches[i].rm_so - a, 1,
470                     stdout);
471             if (color) 
472                 fprintf(stdout, "\33[%sm\33[K", color);
473 
474                 fwrite(line->dat + matches[i].rm_so, 

It appears that printline is not expecting any overlapping matches, but it has
been handed two with these offsets

rm_so 0 rm_eo 4 
rm_so 0 rm_eo 3

So, either the bug is in the handling printing of the matches, or in the
generation of them. 
It possibly relates to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197531

I have attached a patch to aid in debugging.

As a side note, I first ran into this bug on Mac OSX, where they are using a
variant of bsdgrep as the the default grep

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list