From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 195086] New: Overflow a2p utility
Date: Sun, 16 Nov 2014 22:42:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195086

            Bug ID: 195086
           Summary: Overflow a2p utility
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: up201407890@alunos.dcc.fc.up.pt

Hello.

My name is Federico Manuel Bento, and I have found what _appears_ to be a
buffer overflow on the a2p (awk2perl) utility.
It comes by default on several different systems.
Tested on Fedora 20, Fedora 19, Debian, and probably works on every UNIX-like,
including BSDs, AIX, etc.

E.g.:

[saken@zippy ~]$ python -c "print 'A' * 2048" | a2p >/dev/null
[saken@zippy ~]$ python -c "print 'A' * 2049" | a2p >/dev/null
[saken@zippy ~]$ python -c "print 'A' * 2050" | a2p >/dev/null
Segmentation fault

OR

[saken@zippy ~]$ python -c "print 'A'*3000" > lel
[saken@zippy ~]$ gdb a2p
(gdb) r lel
Starting program: /usr/bin/a2p lel
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000040b7c5 in yyparse ()
(gdb) info reg
rax            0x4141414141414141       8680820740569200760
rbx            0x1      1
rcx            0x0      0
rdx            0x67d724 6805284
rsi            0x67dab0 6806192
rdi            0x41414141       2021161080
rbp            0x6      0x6
rsp            0x7fffffffe1d0   0x7fffffffe1d0
r8             0x8      8
r9             0x5f     95
r10            0x0      0
r11            0x38e0174b60     244277791584
r12            0x6      6
r13            0x0      0
r14            0x0      0
r15            0x0      0
rip            0x40b7c5 0x40b7c5
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

I'd assume this to be a pretty OLD bug.