From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 197555] [patch] bsdgrep segfaults with --color and overlapping patterns
Date: Thu, 12 Feb 2015 02:11:27 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 10.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: loadzero.dev@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197555

            Bug ID: 197555
           Summary: [patch] bsdgrep segfaults with --color and overlapping
                    patterns
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: loadzero.dev@gmail.com

Created attachment 152888
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152888&action=edit
add an assert to printline to aid debugging

My machine details

  uname -a
  FreeBSD vagrant-freebsd-10 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

On my 10.1 x86-64 machine, /usr/bin/bsdgrep segfaults when I use it like this

  echo i860 | bsdgrep --color -e i860 -e i86
  i860
  i860
  Segmentation fault (core dumped)

With color disabled, it gives the correct output

  echo i860 | bsdgrep -e i860 -e i86
  i860

This is the same binary from the 10.1 x86-64 release iso

  openssl md5 /usr/bin/bsdgrep
  MD5(/usr/bin/bsdgrep)= 46015e84adebfbaab878a40e8e99ecfd

gdb shows this (for the released binary)

  echo i860 > /tmp/p
  gdb --args /usr/bin/bsdgrep --color -e i860 -e i86 /tmp/p

  Program received signal SIGSEGV, Segmentation fault.
  0x00000008011cca60 in memchr () from /lib/libc.so.7
  (gdb) bt
  #0  0x00000008011cca60 in memchr () from /lib/libc.so.7
  #1  0x00000008011cc599 in fwrite () from /lib/libc.so.7
  #2  0x00000008011cc43d in fwrite () from /lib/libc.so.7
  #3  0x0000000000404d63 in ?? ()
  #4  0x00000000004047ca in ?? ()
  #5  0x00000000004038a5 in ?? ()
  #6  0x00000000004023bf in ?? ()
  #7  0x0000000800629000 in ?? ()
  #8  0x0000000000000000 in ?? ()

I have built a debug binary from STABLE, here is the svn info

  svn info
  Path: .
  Working Copy Root Path: /usr/home/vagrant/stable/src
  URL: http://svn.freebsd.org/base/stable/10/usr.bin/grep
  Relative URL: ^/stable/10/usr.bin/grep
  Repository Root: http://svn.freebsd.org/base
  Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
  Revision: 278579
  Node Kind: directory
  Schedule: normal
  Last Changed Author: delphij
  Last Changed Rev: 278175
  Last Changed Date: 2015-02-04 00:45:02 +0000 (Wed, 04 Feb 2015)

gdb gives this backtrace

  Starting program: /usr/home/vagrant/stable/src/usr.bin/grep/bsdgrep --color -e i860 -e i86 /tmp/p
  i860
  i860

  Program received signal SIGSEGV, Segmentation fault.
  0x00000008011d1a60 in memchr () from /lib/libc.so.7
  (gdb) bt
  #0  0x00000008011d1a60 in memchr () from /lib/libc.so.7
  #1  0x00000008011d1599 in fwrite () from /lib/libc.so.7
  #2  0x00000008011d143d in fwrite () from /lib/libc.so.7
  #3  0x00000000004062fc in printline (line=0x7fffffffe878, sep=58, matches=0x7fffffffe710, m=2) at util.c:469
  #4  0x0000000000405eef in procline (l=0x7fffffffe878, nottext=0) at util.c:366
  #5  0x0000000000405588 in procfile (fn=0x7fffffffed69 "/tmp/p") at util.c:231
  #6  0x0000000000404292 in main (argc=7, argv=0x7fffffffeab8) at grep.c:738
  (gdb)

valgrind gives a similar result

  valgrind --db-attach=yes --track-origins=yes ./bsdgrep --color -e i860 -epi86 /tmp/
  ==60168== Memcheck, a memory error detector
  ==60168== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
  ==60168== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
  ==60168== Command: ./bsdgrep --color -e i860 -e i86 /tmp/p
  ==60168==
  i860
  ==60168== Conditional jump or move depends on uninitialised value(s)
  ==60168==    at 0x1020E54: memchr (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
  ==60168==    by 0x1BC8598: ??? (in /lib/libc.so.7)
  ==60168==    by 0x1BC843C: fwrite (in /lib/libc.so.7)
  ==60168==    by 0x4062FB: printline (util.c:469)
  ==60168==    by 0x405EEE: procline (util.c:366)
  ==60168==    by 0x405587: procfile (util.c:231)
  ==60168==    by 0x404291: main (grep.c:738)
  ==60168==  Uninitialised value was created by a heap allocation
  ==60168==    at 0x101D2B3: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
  ==60168==    by 0x405814: grep_malloc (util.c:390)
  ==60168==    by 0x402CBA: grep_open (file.c:285)
  ==60168==    by 0x40535A: procfile (util.c:194)
  ==60168==    by 0x404291: main (grep.c:738)
  ==60168==
  ==60168==

After poking around in the code, it appears that the bug manifests inside
printline, util.c:469

  i is 1
  matches[i].rm_so is a reg_off_t (int) with value 0
  a is a size_t with value 4

so fwrite gets handed a really large bogus size parameter of size_t (-4)

  464         putchar(sep);
  465         /* --color and -o */
  466         if ((oflag || color) && m > 0) {
  467                 for (i = 0; i < m; i++) {
  468                         if (!oflag)
  469                                 fwrite(line->dat + a, matches[i].rm_so - a, 1,
  470                                     stdout);
  471                         if (color)
  472                                 fprintf(stdout, "\33[%sm\33[K", color);
  473
  474                         fwrite(line->dat + matches[i].rm_so,

It appears that printline is not expecting any overlapping matches, but it has
been handed two with these offsets

  rm_so 0 rm_eo 4
  rm_so 0 rm_eo 3

So, either the bug is in the handling/printing of the matches, or in the
generation of them.

It possibly relates to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197531

I have attached a patch to aid in debugging.

As a side note, I first ran into this bug on Mac OSX, where they are using a
variant of bsdgrep as the default grep.
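The following is an added example, not code from the bug report or from FreeBSD's grep. It reproduces the arithmetic the reporter describes at util.c:469 (the size handed to fwrite is matches[i].rm_so - a, computed as size_t, so a second match starting before the cursor wraps to a huge value) and shows a renderer that validates each match against the cursor and the line length before copying. The functions segment_len and render_matches are hypothetical names, and bracket markers stand in for the SGR colour escapes; regmatch_t and regoff_t are the POSIX types from <regex.h>.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Mirror of the size computation at util.c:469 in the report. The subtraction
 * is done in size_t, so when rm_so < a the result wraps to (size_t)-N.
 * Hypothetical helper for this example, not bsdgrep's own code. */
size_t segment_len(regoff_t rm_so, size_t a)
{
    return (size_t)rm_so - a;   /* wraps when rm_so < a */
}

/* Hardened renderer (constructed for this example): walks the match list,
 * emits the unmatched gap and then the matched span wrapped in [ ], and
 * refuses any match that starts before the cursor 'a' or ends past the line.
 * Returns the number of matches rendered, or -1 on malformed offsets or a
 * too-small output buffer. */
int render_matches(const char *line, size_t len,
                   const regmatch_t *matches, int m,
                   char *out, size_t outsz)
{
    size_t a = 0, pos = 0;   /* 'a' is the cursor, as in printline */
    int rendered = 0;

    for (int i = 0; i < m; i++) {
        regoff_t so = matches[i].rm_so, eo = matches[i].rm_eo;

        /* Reject offsets that are negative, inverted, or beyond the line. */
        if (so < 0 || eo < so || (size_t)eo > len)
            return -1;
        /* An overlapping match (rm_so < a) is what makes rm_so - a underflow;
         * skip it instead of handing a wrapped size to fwrite/memcpy. */
        if ((size_t)so < a)
            continue;

        size_t gap  = (size_t)so - a;        /* text between cursor and match */
        size_t span = (size_t)(eo - so);     /* the match itself */
        if (pos + gap + span + 2 >= outsz)   /* +2 for the [ ] markers */
            return -1;

        memcpy(out + pos, line + a, gap);  pos += gap;
        out[pos++] = '[';
        memcpy(out + pos, line + so, span); pos += span;
        out[pos++] = ']';
        a = (size_t)eo;
        rendered++;
    }
    if (pos + (len - a) >= outsz)            /* room for the tail and NUL */
        return -1;
    memcpy(out + pos, line + a, len - a);  pos += len - a;
    out[pos] = '\0';
    return rendered;
}

int main(void)
{
    /* Constructed input matching the report: "i860" with the overlapping
     * matches rm_so 0 rm_eo 4 and rm_so 0 rm_eo 3. */
    const char line[] = "i860";
    regmatch_t matches[2] = { {0, 4}, {0, 3} };
    char out[64];

    /* After the first match the cursor is 4, so the second match yields
     * (size_t)0 - 4, the bogus size the reporter observed. */
    printf("fwrite size for match 1 would be %zu\n",
           segment_len(matches[1].rm_so, 4));

    int n = render_matches(line, 4, matches, 2, out, sizeof out);
    printf("rendered %d match(es): %s\n", n, out);
    return 0;
}
```

Skipping the overlapping match is only the printing-side mitigation; the report leaves open whether the match list should have been produced without overlaps in the first place, and a fix on the generation side would make the skip a no-op rather than redundant.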