bin/149425: BSD grep accesses incorrect memory area.

Shuichi KITAGUCHI ki at hh.iij4u.or.jp
Sun Aug 8 13:00:17 UTC 2010


>Number:         149425
>Category:       bin
>Synopsis:       BSD grep accesses incorrect memory area.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 08 13:00:16 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Shuichi KITAGUCHI
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD rhea.k.ysnb.net 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r210927: Fri Aug  6 22:55:43 JST 2010     root at rhea.k.ysnb.net:/usr/obj/data/rhea/usr/src/sys/RHEA  amd64

>Description:
BSD grep accesses incorrect memory region and may abort.
Additionally, valgrind detects some errors.
>How-To-Repeat:
1) grep aborts (allocated buffer is short)
% cd /usr/src/usr.bin/grep
% grep -r -B 2 char .
..
grep: (malloc) /data/rhea/usr/src/lib/libc/stdlib/malloc.c:3176: Failed assertion: "bin->runcur->magic == ARENA_RUN_MAGIC"
Abort

2)valgrind detects some errors. (take 1, 0 bytes file)
% cd /usr/src/usr.bin/grep
% make
% touch x
% valgrind -v ./grep a x
..
==3775== Invalid read of size 1
==3775==    at 0x25C8E9: memchr (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==3775==    by 0x4027C4: grep_fgetln (in /data/home/kit/tmp/g/grep)
==3775==    by 0x404156: procfile (in /data/home/kit/tmp/g/grep)
==3775==    by 0x4037DA: main (in /data/home/kit/tmp/g/grep)
..

3)valgrind detects some errors. (take 2, incorrect free)
% cd /usr/src/usr.bin/grep
% make
% valgrind -v ./grep -r -C 2 char .
..
==3716== Invalid free() / delete / delete[]
==3716==    at 0x25B260: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==3716==    by 0x4044FD: procfile (in /data/home/kit/tmp/grep/grep)
==3716==    by 0x4049CD: grep_tree (in /data/home/kit/tmp/grep/grep)
==3716==    by 0x403857: main (in /data/home/kit/tmp/grep/grep)
..

>Fix:
The attached patch fixes 1) and 2).
I cannot resolve 3).

Patch attached with submission follows:

diff --git a/queue.c b/queue.c
index 5f4d4ef..1fd05c5 100644
--- a/queue.c
+++ b/queue.c
@@ -56,7 +56,7 @@ enqueue(struct str *x)
 	struct qentry *item;
 
 	item = grep_malloc(sizeof(struct qentry));
-	item->data.dat = grep_malloc(sizeof(char) * x->len);
+	item->data.dat = grep_malloc(sizeof(char) * x->len + 1);
 	item->data.len = x->len;
 	item->data.line_no = x->line_no;
 	item->data.off = x->off;
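Review bot: The `+1` in `grep_malloc(sizeof(char) * x->len + 1)` is not explained: nothing in the hunk shows which code touches byte `x->len` of `item->data.dat`, so a reader cannot tell whether this reserves room for a terminating NUL that the later copy stores, or papers over an over-read in a consumer (the `-B 2` abort in case 1 is consistent with either). Please add a comment naming the consumer that needs the extra byte, and write the size as `x->len + 1`; as written the `sizeof(char) *` factor binds tighter than the `+`, and the expression only comes out right because `sizeof(char)` is 1. If the real defect is a consumer that reads or writes `len + 1` bytes, fixing that consumer is more robust than enlarging every queued line.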

diff --git a/file.c b/file.c
index 7d9715f..ab658fc 100644
--- a/file.c
+++ b/file.c
@@ -132,6 +132,10 @@ grep_fgetln(struct file *f, size_t *len)
 			else if (stat(fname, &st) != 0)
 				err(2, NULL);
 
+			/* no need to allocate buffer. */
+			if (st.st_size == 0)
+				return (NULL);
+
 			bufsiz = (MAXBUFSIZ > (st.st_size * PREREAD_M)) ?
 			    (st.st_size / 2) : MAXBUFSIZ;
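Review bot: Returning NULL when `st.st_size == 0` does avoid the zero-length buffer (for `st_size == 0` the existing expression evaluates to `st_size / 2 == 0`, which is what the empty-file `memchr` read in case 2 walks past), but the early return has two gaps. First, `*len` is not set on this path; if any caller of `grep_fgetln` inspects `*len` after a NULL return, set `*len = 0` before `return (NULL)`. Second, `st_size` is 0 for many non-regular files that still carry data (FIFOs, character devices, some procfs entries), so this check would make grep silently read nothing from them; guard it with `S_ISREG(st.st_mode) &&`, or alternatively clamp `bufsiz` to a sensible minimum so that a small or zero `st_size` never yields an unusable buffer.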
 


>Release-Note:
>Audit-Trail:
>Unformatted: