Date: Thu, 12 Feb 2015 02:11:27 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 197555] [patch] bsdgrep segfaults with --color and overlapping patterns Message-ID: <bug-197555-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197555 Bug ID: 197555 Summary: [patch] bsdgrep segfaults with --color and overlapping patterns Product: Base System Version: 10.1-RELEASE Hardware: amd64 OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: loadzero.dev@gmail.com Created attachment 152888 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152888&action=edit add an assert to printline to aid debugging My machine details uname -a FreeBSD vagrant-freebsd-10 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 On my 10.1 x86-64 machine, /usr/bin/bsdgrep segfaults when I use it like this echo i860 | bsdgrep --color -e i860 -e i86 i860 i860 Segmentation fault (core dumped) With color disabled, it gives the correct output echo i860 | bsdgrep -e i860 -e i86 i860 this is the same binary from the 10.1 x86-64 release iso openssl md5 /usr/bin/bsdgrep MD5(/usr/bin/bsdgrep)= 46015e84adebfbaab878a40e8e99ecfd gdb shows this (for the released binary) echo i860 > /tmp/p gdb --args /usr/bin/bsdgrep --color -e i860 -e i86 /tmp/p Program received signal SIGSEGV, Segmentation fault. 0x00000008011cca60 in memchr () from /lib/libc.so.7 (gdb) bt #0 0x00000008011cca60 in memchr () from /lib/libc.so.7 #1 0x00000008011cc599 in fwrite () from /lib/libc.so.7 #2 0x00000008011cc43d in fwrite () from /lib/libc.so.7 #3 0x0000000000404d63 in ?? () #4 0x00000000004047ca in ?? () #5 0x00000000004038a5 in ?? () #6 0x00000000004023bf in ?? () #7 0x0000000800629000 in ?? () #8 0x0000000000000000 in ?? () I have built a debug binary from STABLE, here is the svn info svn info Path: . Working Copy Root Path: /usr/home/vagrant/stable/src URL: http://svn.freebsd.org/base/stable/10/usr.bin/grep Relative URL: ^/stable/10/usr.bin/grep Repository Root: http://svn.freebsd.org/base Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f Revision: 278579 Node Kind: directory Schedule: normal Last Changed Author: delphij Last Changed Rev: 278175 Last Changed Date: 2015-02-04 00:45:02 +0000 (Wed, 04 Feb 2015) gdb gives this backtrace Starting program: /usr/home/vagrant/stable/src/usr.bin/grep/bsdgrep --color -e i860 -e i86 /tmp/p i860 i860 Program received signal SIGSEGV, Segmentation fault. 0x00000008011d1a60 in memchr () from /lib/libc.so.7 (gdb) bt #0 0x00000008011d1a60 in memchr () from /lib/libc.so.7 #1 0x00000008011d1599 in fwrite () from /lib/libc.so.7 #2 0x00000008011d143d in fwrite () from /lib/libc.so.7 #3 0x00000000004062fc in printline (line=0x7fffffffe878, sep=58, matches=0x7fffffffe710, m=2) at util.c:469 #4 0x0000000000405eef in procline (l=0x7fffffffe878, nottext=0) at util.c:366 #5 0x0000000000405588 in procfile (fn=0x7fffffffed69 "/tmp/p") at util.c:231 #6 0x0000000000404292 in main (argc=7, argv=0x7fffffffeab8) at grep.c:738 (gdb) valgrind gives a similar result valgrind --db-attach=yes --track-origins=yes ./bsdgrep --color -e i860 -epi86 /tmp/ ==60168== Memcheck, a memory error detector ==60168== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al. ==60168== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info ==60168== Command: ./bsdgrep --color -e i860 -e i86 /tmp/p ==60168== i860 ==60168== Conditional jump or move depends on uninitialised value(s) ==60168== at 0x1020E54: memchr (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==60168== by 0x1BC8598: ??? (in /lib/libc.so.7) ==60168== by 0x1BC843C: fwrite (in /lib/libc.so.7) ==60168== by 0x4062FB: printline (util.c:469) ==60168== by 0x405EEE: procline (util.c:366) ==60168== by 0x405587: procfile (util.c:231) ==60168== by 0x404291: main (grep.c:738) ==60168== Uninitialised value was created by a heap allocation ==60168== at 0x101D2B3: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==60168== by 0x405814: grep_malloc (util.c:390) ==60168== by 0x402CBA: grep_open (file.c:285) ==60168== by 0x40535A: procfile (util.c:194) ==60168== by 0x404291: main (grep.c:738) ==60168== ==60168== After poking around in the code, it appears that the bug manifests inside printline util.c:469 i is 1 matches[i].rm_so is a reg_off_t (int) with value 0 a is a size_t with value 4 so fwrite gets handed a really large bogus size parameter of size_t (-4) 464 putchar(sep); 465 /* --color and -o */ 466 if ((oflag || color) && m > 0) { 467 for (i = 0; i < m; i++) { 468 if (!oflag) 469 fwrite(line->dat + a, matches[i].rm_so - a, 1, 470 stdout); 471 if (color) 472 fprintf(stdout, "\33[%sm\33[K", color); 473 474 fwrite(line->dat + matches[i].rm_so, It appears that printline is not expecting any overlapping matches, but it has been handed two with these offsets rm_so 0 rm_eo 4 rm_so 0 rm_eo 3 So, either the bug is in the handling printing of the matches, or in the generation of them. It possibly relates to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197531 I have attached a patch to aid in debugging. As a side note, I first ran into this bug on Mac OSX, where they are using a variant of bsdgrep as the the default grep -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-197555-8>