From: "eggert at gnu dot org"
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 21:24:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #4 from Paul Eggert ---
This bug causes GNU coreutils Bug#22793 "grep -E assertion failure with back
references"; see . I'm adding comments to both bug reports so that the
connection between the two bugs is clearer.

Although this bug's current assignee is Paolo Bonzini (the original reporter),
I think Paolo is pretty busy doing other stuff. Is someone else available to
work on regex bugs? I suspect the fix for this bug will not be trivial.

--
You are receiving this mail because:
You are on the CC list for the bug.

From: "eggert at gnu dot org"
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Tue, 17 Jan 2017 22:02:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

--- Comment #5 from Paul Eggert ---
Created attachment 9758
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9758&action=edit
C code to reproduce the bug

I attached a slightly-simpler C-language reproducer for the bug, derived from
the attachment in Bug#17356. If I compile and run this program, it outputs
"a.out: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed." and then
aborts.

From: "fweimer at redhat dot com"
Subject: [Bug regex/21163] New: Assertion failure in pop_fail_stack when executing a malformed regexp
Date: Tue, 14 Feb 2017 18:54:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

            Bug ID: 21163
           Summary: Assertion failure in pop_fail_stack when executing a
                    malformed regexp
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security-

Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392

Reproducer from the Debian bug:

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    /* The malformed pattern is accepted by regcomp()... */
    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    /* ...and the assertion in pop_fail_stack fires during matching. */
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);

    return 0;
}

This was assigned CVE-2015-8985 even though it is debatable whether this is a
security bug.

From: "fweimer at redhat dot com"
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Tue, 14 Feb 2017 18:55:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Florian Weimer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Assertion failure in        |Assertion failure in
                   |pop_fail_stack when         |pop_fail_stack when
                   |executing a malformed       |executing a malformed
                   |regexp                      |regexp (CVE-2015-8985)

From: "vapier at gentoo dot org"
Subject: [Bug regex/21163] Assertion failure in pop_fail_stack when executing a malformed regexp (CVE-2015-8985)
Date: Wed, 15 Feb 2017 08:13:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21163

Mike Frysinger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/show_bug.cgi?id=609386

From: "fweimer at redhat dot com"
Subject: [Bug regex/14780] [PATCH] handle malloc() and realloc() failures in regcomp()
Date: Wed, 15 Mar 2017 17:34:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=14780

Florian Weimer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

From: "boehme.marcel at gmail dot com"
Subject: [Bug regex/21442] New: Crash in re_search_stub
Date: Fri, 28 Apr 2017 01:30:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

            Bug ID: 21442
           Summary: Crash in re_search_stub
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear all,

We found a null pointer dereference resulting in a segmentation fault, that
might be a bug in diffutils or a bug in GLIBC depending on the perspective one
takes. The patch can be in GLIBC (introducing a simple null pointer check) or
in Diffutils (preventing the null pointer dereference altogether). We already
reported the bug downstream at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26690. Below we provide a quick
analysis. We think, it is actually an incorrect use of GLIBC. However, since it
can be easily prevented in GLIBC, we thought we should report it here as well.

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Van-Thuan Pham.

How to reproduce:
$ diff -Ia -I\\ <(printf "") <(echo a)
diff: \: Trailing backslash
diff: stack overflow

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==74668==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc 0x7f0670589bad bp 0x000000000000 sp 0x7ffefbed15b0 T0)
    #0 0x7f0670589bac in re_search_stub /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414
    #1 0x7f067058a527 in re_search /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:312
    #2 0x555bfc in analyze_hunk /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/util.c:1522:8
    #3 0x4f91dd in diff_2_files /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/analyze.c:620:12
    #4 0x528971 in compare_files /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:1434:11
    #5 0x51882c in main /home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:800:18
    #6 0x7f06704c4f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #7 0x41bac5 in _start (/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/diff+0x41bac5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414 in re_search_stub

This is our analysis:
For the diff-tool the argument -I specifies the changed lines to exclude. For
each such argument, the function add_regexp in diff.c is called. This function
uses re_compile_pattern to successfully compile the first pattern. However, it
fails to compile the second pattern, giving the error “Trailing backslash”. In
both cases, the function uses the re_pattern_buffer *ignore_regexp. However,
the failed compilation corrupts *ignore_regexp, setting
ignore_regexp->buffer=0x0 and ignore_regexp->allocated=0. Later, in function
summarize_regexp_list, it is established that at least one pattern was
successfully compiled and ignore_regexp->fastmap is set, indicating that
re_search is being called in utils.c:1501. Unfortunately, it is being called on
the corrupted ignore_regexp where ignore_regexp->buf = 0x0. GLIBC does not
check for a null-pointer when dereferencing the buffer in regexec.c:413.

GDB says:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 , string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1, stop=1, regs=0x0, ret_len=0) at regexec.c:413
413     in regexec.c
(gdb) p *bufp
$1 = {buffer = 0x0, allocated = 0, used = 224, syntax = 330310, fastmap = 0x6271f0 "\330\036\335\367\377\177", translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol = 0, newline_anchor = 1}
(gdb) bt
#0  0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 , string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1, stop=1, regs=0x0, ret_len=0) at regexec.c:413
#1  0x00007ffff7af5a70 in __re_search (bufp=, string=string@entry=0x62a050 "a\n", length=, start=start@entry=0, range=, regs=regs@entry=0x0) at regexec.c:317
#2  0x000000000040ce1e in analyze_hunk (hunk=hunk@entry=0x627340, first0=first0@entry=0x7fffffffdf80, last0=last0@entry=0x7fffffffdf88, first1=first1@entry=0x7fffffffdf90, last1=last1@entry=0x7fffffffdf98) at util.c:1522
#3  0x000000000040507d in diff_2_files (cmp=cmp@entry=0x7fffffffe060) at analyze.c:620
#4  0x00000000004071f7 in compare_files (parent=parent@entry=0x0, name0=0x7fffffffe6ec "/dev/fd/63", name1=) at diff.c:1434
#5  0x000000000040387e in main (argc=, argv=) at diff.c:800

VALGRIND says:
==103798== Memcheck, a memory error detector
==103798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==103798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==103798== Command: src/diff -Ia -I\\ /dev/fd/63 /dev/fd/62
==103798==
src/diff: \: Trailing backslash
==103798== Invalid read of size 4
==103798==    at 0x4F21056: re_search_stub (regexec.c:413)
==103798==    by 0x4F21A6F: re_search (regexec.c:317)
==103798==    by 0x40CE1D: analyze_hunk (util.c:1522)
==103798==    by 0x40507C: diff_2_files (analyze.c:620)
==103798==    by 0x4071F6: compare_files (diff.c:1434)
==103798==    by 0x40387D: main (diff.c:800)
==103798==  Address 0xd8 is not stack'd, malloc'd or (recently) free'd
==103798==
diff: stack overflow
==103798==
==103798== HEAP SUMMARY:
==103798==     in use at exit: 4,970 bytes in 25 blocks
==103798==   total heap usage: 75 allocs, 50 frees, 28,030 bytes allocated
==103798==
==103798== LEAK SUMMARY:
==103798==    definitely lost: 136 bytes in 5 blocks
==103798==    indirectly lost: 120 bytes in 6 blocks
==103798==      possibly lost: 0 bytes in 0 blocks
==103798==    still reachable: 4,714 bytes in 14 blocks
==103798==         suppressed: 0 bytes in 0 blocks
==103798== Rerun with --leak-check=full to see details of leaked memory
==103798==
==103798== For counts of detected and suppressed errors, rerun with: -v
==103798== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Best regards,
- Marcel

---
Marcel Böhme
Senior Research Fellow
TSUNAMi Security Research Centre
National University of Singapore
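
Added example, not code from diffutils, glibc or the report above: a caller-side pattern that avoids searching with a buffer whose compilation failed. It uses the POSIX regcomp()/regexec() interface in place of the GNU re_compile_pattern()/re_search() calls named in the analysis; checked_regex, checked_compile, checked_search and replay_report_sequence are hypothetical names.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wrapper (not diffutils or glibc code). `re` is non-NULL
   only while it points at a regex_t that regcomp() compiled successfully. */
struct checked_regex {
    regex_t *re;
};

/* Release the held pattern, if any. Safe to call repeatedly. */
void checked_free(struct checked_regex *r)
{
    if (r->re != NULL) {
        regfree(r->re);
        free(r->re);
        r->re = NULL;
    }
}

/* Compile into a scratch object and commit it only on success, so a
   failed compile leaves any earlier pattern untouched instead of
   overwriting it in place. Returns 0 or the regcomp() error code. */
int checked_compile(struct checked_regex *r, const char *pattern, int cflags)
{
    regex_t *scratch = malloc(sizeof *scratch);
    int rc;

    if (scratch == NULL)
        return REG_ESPACE;
    rc = regcomp(scratch, pattern, cflags);
    if (rc != 0) {
        /* Not a compiled regex: never hand it to regexec() or regfree(). */
        free(scratch);
        return rc;
    }
    checked_free(r);
    r->re = scratch;
    return 0;
}

/* Returns 1 on match, 0 on no match, -1 when no compiled pattern is held. */
int checked_search(const struct checked_regex *r, const char *text)
{
    if (r->re == NULL)
        return -1;
    return regexec(r->re, text, 0, NULL, 0) == 0;
}

/* Replays the order of events from the report with constructed input:
   pattern "a" compiles, a lone backslash fails to compile, then a search
   runs on "a\n". Returns 1 if the first pattern stayed usable. */
int replay_report_sequence(void)
{
    struct checked_regex r = { NULL };
    int first = checked_compile(&r, "a", 0);
    int second = checked_compile(&r, "\\", 0);   /* trailing backslash */
    int hit = checked_search(&r, "a\n");

    checked_free(&r);
    return first == 0 && second != 0 && hit == 1;
}

int main(void)
{
    printf("earlier pattern still usable: %d\n", replay_report_sequence());
    return 0;
}
```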

From: "adhemerval.zanella at linaro dot org"
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Mon, 01 May 2017 13:50:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Adhemerval Zanella changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot org

--- Comment #1 from Adhemerval Zanella ---
Since re_exec is a GNU extension this API corner case should be documented and
afaik unfortunately they aren't (using the gnulib documentation [1]).

For these cases I tend to follow, if possible, the POSIX inspired API. On POSIX
regular expression API [2] states that:

"[...] If the preg argument to regexec() or regfree() is not a compiled regular
expression returned by regcomp(), the result is undefined. [...]"

So if I understood correctly the issue description, it is using an invalid
regular expression buffer description on re_search (since the expression
compilation failed). IMHO we should treat this as undefined (as POSIX
counterpart) and let the user handle it correctly. In short, I would say we
should close this as not a bug.

[1] https://www.gnu.org/software/gnulib/manual/html_node/GNU-Searching.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/

From: "boehme.marcel at gmail dot com"
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 02 May 2017 00:43:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Marcel Böhme changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Marcel Böhme ---
Agreed. Thanks!

From: "fweimer at redhat dot com"
Subject: [Bug regex/21442] Crash in re_search_stub
Date: Tue, 30 May 2017 19:41:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Florian Weimer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

From: "bensberg at telfort dot nl"
Subject: [Bug regex/21673] New: a regexec call with REG_STARTEND finds a bogus match for \>
Date: Mon, 26 Jun 2017 10:08:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21673

            Bug ID: 21673
           Summary: a regexec call with REG_STARTEND finds a bogus match
                    for \>
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: bensberg at telfort dot nl
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10222
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10222&action=edit
tiny program that searches for \> starting from two different positions

When calling regexec with the REG_STARTEND flag and providing an end-of-range
value (in .rm_eo) that points to somewhere in the middle of a word, regexec
will nevertheless find a match for \> at that offset.

The corresponding case for \<, with a start-of-range value (in .rm_so) that
points to the middle of a word, will /not/ find a match for \< there.

The latter is what I expected, the former was a surprise.

To reproduce:
Compile the attached until.c and run it.

The actual output is:
Found tail at 6: '. '
Found tail at 4: 'rd. '

Expected result:
The second line of output shouldn't have been there, because the word does not
end after "wo".

First seen on Ubuntu Lucid (10.04). Still present on Ubuntu Zesty (17.04,
glibc 2.24).
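
Added example, not the attached until.c (which is not reproduced on this page): a caller-side check for the REG_STARTEND behaviour described in the report above, which rejects a \> match reported exactly at rm_eo when the full string continues with a word character. raw_word_end, checked_word_end and the sample string are constructed for illustration, and the caller is assumed to pass an end offset no larger than the string length.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Word characters as the regex engine treats them: alphanumerics and '_'. */
static int is_word_char(unsigned char c)
{
    return isalnum(c) || c == '_';
}

/* The libc's own answer: offset of the first \> match when the search is
   limited to text[so..eo) with REG_STARTEND, or -1 if there is none. */
long raw_word_end(const char *text, size_t so, size_t eo)
{
    regex_t re;
    regmatch_t m[1];
    long result = -1;

    if (regcomp(&re, "\\>", 0) != 0)
        return -1;
    m[0].rm_so = (regoff_t) so;      /* REG_STARTEND reads the range from m[0] */
    m[0].rm_eo = (regoff_t) eo;
    if (regexec(&re, text, 1, m, REG_STARTEND) == 0)
        result = (long) m[0].rm_so;  /* offsets are relative to `text` */
    regfree(&re);
    return result;
}

/* Caller-side check: a match reported exactly at `eo` is accepted only if
   the byte that follows in the full string is not a word character, that
   is, only if the word really ends there. Requires eo <= strlen(text). */
long checked_word_end(const char *text, size_t so, size_t eo)
{
    long at = raw_word_end(text, so, eo);

    if (at < 0)
        return -1;
    if ((size_t) at == eo && text[eo] != '\0'
        && is_word_char((unsigned char) text[eo]))
        return -1;                   /* range ended in the middle of a word */
    return at;
}

int main(void)
{
    const char *text = "a word. ";   /* constructed sample input */
    size_t len = strlen(text);

    /* Range covers the whole word: both functions agree. */
    printf("range [2,%zu): raw=%ld checked=%ld\n",
           len, raw_word_end(text, 2, len), checked_word_end(text, 2, len));
    /* Range stops after "wo": the raw result depends on the libc,
       the checked result does not. */
    printf("range [2,4): raw=%ld checked=%ld\n",
           raw_word_end(text, 2, 4), checked_word_end(text, 2, 4));
    return 0;
}
```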

From: "gniibe at fsij dot org"
Subject: [Bug regex/22425] New: Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 00:52:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

            Bug ID: 22425
           Summary: Escape by \ with REG_ICASE
           Product: glibc
           Version: unspecified
               URL: https://dev.gnupg.org/T2923
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: gniibe at fsij dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10583
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10583&action=edit
Test program to show regcomp bug

With REG_ICASE, escape by \ (backslash) doesn't work well.

Regexp of \x\y\z is expected to match string of xyz with REG_ICASE.

From: "schwab@linux-m68k.org"
Subject: [Bug regex/22425] Escape by \ with REG_ICASE
Date: Mon, 13 Nov 2017 08:34:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22425

--- Comment #1 from Andreas Schwab ---
Unknown backslash escapes invoke undefined behaviour.

>>From glibc-bugs-regex-return-720-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Fri Dec 08 18:32:05 2017
Return-Path:
Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com
Received: (qmail 76232 invoked by alias); 8 Dec 2017 18:32:05 -0000
Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help: ,
Sender: glibc-bugs-regex-owner@sourceware.org
Delivered-To: mailing list glibc-bugs-regex@sourceware.org
Received: (qmail 76183 invoked by uid 48); 8 Dec 2017 18:32:01 -0000
From: "eggert at cs dot ucla.edu"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/11053] Wrong results with backreferences
Date: Fri, 08 Dec 2017 18:32:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.11
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: eggert at cs dot ucla.edu
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: bonzini at gnu dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: cc attachments.created
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2017-12/txt/msg00000.txt.bz2
Content-length: 1003

https://sourceware.org/bugzilla/show_bug.cgi?id=11053

eggert at cs dot ucla.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eggert at cs dot ucla.edu

--- Comment #6 from eggert at cs dot ucla.edu ---
Created attachment 10674
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10674&action=edit
This test case silently returns the wrong
answer

Following up on a 'grep' bug report here:

https://debbugs.gnu.org/29613

attached is a seemingly-related test case which illustrates a bug that causes
'grep' to quietly return the wrong answer instead of dumping core. This test
case should exit successfully, but because of the bug regexec returns 0 so the
test case exits with status 1. I compiled and ran it on Fedora 27 x86-64 with
"gcc regbug.c; ./a.out".

>>From glibc-bugs-regex-return-721-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Sat Dec 16 19:13:37 2017
Return-Path:
Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com
Received: (qmail 17182 invoked by alias); 16 Dec 2017 19:13:37 -0000
Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help: ,
Sender: glibc-bugs-regex-owner@sourceware.org
Delivered-To: mailing list glibc-bugs-regex@sourceware.org
Received: (qmail 17150 invoked by uid 48); 16 Dec 2017 19:13:33 -0000
From: "jim at meyering dot net"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/22620] New: parse_expression blows stack for a 20k-byte regexp with only '('s
Date: Sat, 16 Dec 2017 19:13:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.28
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jim at meyering dot net
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone
Message-ID:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2017-12/txt/msg00001.txt.bz2
Content-length: 1512

https://sourceware.org/bugzilla/show_bug.cgi?id=22620

            Bug ID: 22620
           Summary: parse_expression blows stack for a 20k-byte regexp with only '('s
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: jim at meyering dot net
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

glibc's regexp parser used to diagnose this problem with "Unmatched ( or \(",
but that no longer happens.

Perhaps related (since COMPILE_STACK_ macros are what caught the problem
before), this change in 2002 removed the code in question:

https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=51f38e87b13f233bdf76bd6d3edaabf4fd9eb126

Now, attempting to compile such a regexp causes stack overflow and probable
segfault. Demonstrate with this:

$ cat regex-compile-lparen-stack-overflow.c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
int
main (int argc, char **argv)
{
  size_t n = 40000;
  regex_t preg;
  char *pat = malloc (n+1);
  if (!pat)
    return 2;
  memset (pat, '(', n);
  pat[n] = '\0';
  int rc = regcomp (&preg, pat, REG_EXTENDED);
  return rc == 0;
}
$ gcc -g -O -Wall regex-compile-lparen-stack-overflow.c && ./a.out
segmentation fault (core dumped)  ./a.out
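Added example, not part of the bug report and not glibc code: a caller-side guard for Bug 22620 that measures the parenthesis nesting of an untrusted ERE and refuses it before regcomp can recurse on it. The names ere_max_group_depth, bounded_regcomp_ere and the MAX_GROUP_DEPTH value of 256 are assumptions made for this sketch; it covers REG_EXTENDED syntax only.

```c
#include <regex.h>
#include <stddef.h>

#define MAX_GROUP_DEPTH 256  /* assumed limit; size it to the caller's stack */

/* Skip a bracket expression at p[0] == '['; return its closing ']' or the NUL. */
static const char *skip_bracket(const char *p)
{
    p++;
    if (*p == '^') p++;
    if (*p == ']') p++;                      /* a leading ']' is a literal */
    for (; *p && *p != ']'; p++)
        if (p[0] == '[' && (p[1] == ':' || p[1] == '.' || p[1] == '=')) {
            const char *q = p + 2;           /* inside [:class:], [.sym.], [=eq=] */
            while (*q && !(q[0] == p[1] && q[1] == ']')) q++;
            if (!*q) return q;
            p = q + 1;                       /* the inner ']' */
        }
    return p;
}

/* Deepest nesting of unescaped '(' outside bracket expressions (ERE syntax). */
size_t ere_max_group_depth(const char *pat)
{
    size_t depth = 0, max = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '\\') {
            if (p[1]) p++;                   /* escaped character is a literal */
        } else if (*p == '[') {
            p = skip_bracket(p);
            if (!*p) break;                  /* unterminated bracket expression */
        } else if (*p == '(') {
            if (++depth > max) max = depth;
        } else if (*p == ')' && depth > 0) {
            depth--;
        }
    }
    return max;
}

/* Reject deeply nested patterns before regcomp's parser recurses on them. */
int bounded_regcomp_ere(regex_t *preg, const char *pat, int cflags)
{
    if (ere_max_group_depth(pat) > MAX_GROUP_DEPTH)
        return REG_ESPACE;
    return regcomp(preg, pat, cflags | REG_EXTENDED);
}
```

The guard bounds only group nesting; pattern length and other sources of parser recursion need their own limits.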