public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/12078] New: regcomp with invalid expression leaks memory
@ 2010-10-01 12:46 ppluzhnikov at google dot com
2010-10-01 12:52 ` [Bug libc/12078] " ppluzhnikov at google dot com
2010-10-01 14:58 ` ppluzhnikov at google dot com
0 siblings, 2 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-01 12:46 UTC (permalink / raw)
To: glibc-bugs
Running attached test case under Valgrind shows that failing regcomp leaks
memory (also verified with alternative leak detector):
==21485== Memcheck, a memory error detector
==21485== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==21485== Using Valgrind-3.6.0.SVN and LibVEX; rerun with -h for copyright info
==21485== Command: ./a.out
==21485==
Error 8 (expected)
==21485==
==21485== HEAP SUMMARY:
==21485== in use at exit: 32 bytes in 1 blocks
==21485== total heap usage: 9 allocs, 8 frees, 3,474 bytes allocated
==21485==
==21485== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==21485== at 0x4C24185: calloc
/tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==21485== by 0x4EE5FA8: parse_expression
/usr/local/google/ppluzhnikov/Archive/glibc-git/posix/regcomp.c:3021
==21485== by 0x4EE791D: parse_branch
/usr/local/google/ppluzhnikov/Archive/glibc-git/posix/regcomp.c:2153
==21485== by 0x4EE7A0D: parse_reg_exp
/usr/local/google/ppluzhnikov/Archive/glibc-git/posix/regcomp.c:2112
==21485== by 0x4EE6C98: parse_expression
/usr/local/google/ppluzhnikov/Archive/glibc-git/posix/regcomp.c:2419
==21485== by 0x4EE795C: parse_branch
/usr/local/google/ppluzhnikov/Archive/glibc-git/posix/regcomp.c:2160
==21485== by 0x4EE7A0D: parse_reg_exp /usr/local/glibc-git/posix/regcomp.c:2112
==21485== by 0x4EE6C98: parse_expression
/usr/local/glibc-git/posix/regcomp.c:2419
==21485== by 0x4EE795C: parse_branch /usr/local/glibc-git/posix/regcomp.c:2160
==21485== by 0x4EE7A0D: parse_reg_exp /usr/local/glibc-git/posix/regcomp.c:2112
==21485== by 0x4EE7E20: re_compile_internal
/usr/local/glibc-git/posix/regcomp.c:2081
==21485== by 0x4EE9090: regcomp /usr/local/glibc-git/posix/regcomp.c:500
==21485==
==21485== LEAK SUMMARY:
==21485== definitely lost: 32 bytes in 1 blocks
==21485== indirectly lost: 0 bytes in 0 blocks
==21485== possibly lost: 0 bytes in 0 blocks
==21485== still reachable: 0 bytes in 0 blocks
==21485== suppressed: 0 bytes in 0 blocks
==21485==
==21485== For counts of detected and suppressed errors, rerun with: -v
==21485== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 0)
The bug is present in glibc-2.11.1 and current trunk; not present in glibc-2.7.
--
Summary: regcomp with invalid expression leaks memory
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper dot fsp at gmail dot com
ReportedBy: ppluzhnikov at google dot com
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: x86_64-linux-gnu
GCC host triplet: x86_64-linux-gnu
GCC target triplet: x86_64-linux-gnu
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 10+ messages in thread[parent not found: <bug-12078-131@http.sourceware.org/bugzilla/>]
* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
@ 2010-10-11 15:47 ` drepper.fsp at gmail dot com
2010-10-11 21:46 ` ppluzhnikov at google dot com
` (5 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: drepper.fsp at gmail dot com @ 2010-10-11 15:47 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2010-10-11 15:47:22 UTC ---
Should be fixed in git.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
2010-10-11 15:47 ` drepper.fsp at gmail dot com
@ 2010-10-11 21:46 ` ppluzhnikov at google dot com
2010-10-12 2:50 ` drepper.fsp at gmail dot com
` (4 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-11 21:46 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
--- Comment #4 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-11 21:46:51 UTC ---
Created attachment 5050
--> http://sourceware.org/bugzilla/attachment.cgi?id=5050
slightly modified form of posix/bug-regex31.c
Only the specific instance of the bug has been fixed, but regcomp() can still
leak arbitrary amount of memory :-(
I've modified the test case to allow REGEX to be specified on command line.
Here is what I see:
gcc -g /tmp/bug-regex31.c
valgrind --leak-check=yes ./a.out
...
==29536== in use at exit: 32 bytes in 1 blocks
...
(This is *before* the fix.)
gcc -g /tmp/bug-regex31.c -Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind
--leak-check=yes ./a.out
...
==29829== in use at exit: 0 bytes in 0 blocks
(This is after the fix, so far so good.)
But:
gcc -g '-DREGEX="([0]([0])"' /tmp/bug-regex31.c
-Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30196== definitely lost: 64 bytes in 2 blocks
gcc -g '-DREGEX="([0]([0])([0])"' /tmp/bug-regex31.c
-Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30260== definitely lost: 96 bytes in 3 blocks
gcc -g '-DREGEX="([0]([0])([0])([0])"' /tmp/bug-regex31.c
-Wl,-rpath=.,--dynamic-linker=./ld.so && valgrind --leak-check=yes ./a.out
==30328== definitely lost: 128 bytes in 4 blocks
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
2010-10-11 15:47 ` drepper.fsp at gmail dot com
2010-10-11 21:46 ` ppluzhnikov at google dot com
@ 2010-10-12 2:50 ` drepper.fsp at gmail dot com
2010-10-12 4:58 ` ppluzhnikov at google dot com
` (3 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: drepper.fsp at gmail dot com @ 2010-10-12 2:50 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
--- Comment #5 from Ulrich Drepper <drepper.fsp at gmail dot com> 2010-10-12 02:50:02 UTC ---
(In reply to comment #4)
> Only the specific instance of the bug has been fixed, but regcomp() can still
> leak arbitrary amount of memory :-(
Try the current git code.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
` (2 preceding siblings ...)
2010-10-12 2:50 ` drepper.fsp at gmail dot com
@ 2010-10-12 4:58 ` ppluzhnikov at google dot com
2010-10-12 5:04 ` ppluzhnikov at google dot com
` (2 subsequent siblings)
6 siblings, 0 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-12 4:58 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #6 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-12 04:58:29 UTC ---
(In reply to comment #5)
> Try the current git code.
Thanks. This fixed all the patterns I had so far.
However, this pattern still leaks: "([0]([0]([0([0])".
Making a systematic/exhaustive search ...
The smallest pattern that causes a leak is 4-characters.
Here are all 4-character patterns that currently cause a leak:
[[][
[[](
[0][
[0](
[(][
[(](
[)][
[)](
[]][
[]](
All of the above leak 1 32-byte chunk, and there is a definite pattern to them,
so probably all are caused by the same bug:
==12334== 320 bytes in 10 blocks are definitely lost in loss record 1 of 1
==12334== at 0x4C24185: calloc
/tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12334== by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12334== by 0x4EE7B80: parse_branch /glibc-git/posix/regcomp.c:2153
==12334== by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12334== by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12334== by 0x4EE9320: regcomp /glibc-git/posix/regcomp.c:500
==12334== by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23
Extending to all possible 5-character patterns, I see what appears to be two
new leaks (in addition to the one above):
==12555== 960 bytes in 30 blocks are definitely lost in loss record 2 of 3
==12555== at 0x4C24185: calloc
/tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12555== by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12555== by 0x4EE7BBF: parse_branch /glibc-git/posix/regcomp.c:2160
==12555== by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12555== by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12555== by 0x4EE9320: regcomp /glibc-git/posix/regcomp.c:500
==12555== by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23
==12555==
==12555== 3,680 bytes in 115 blocks are definitely lost in loss record 3 of 3
==12555== at 0x4C24185: calloc
/tmp/vg/coregrind/m_replacemalloc/vg_replace_malloc.c:506
==12555== by 0x4EE61D8: parse_expression /glibc-git/posix/regcomp.c:3028
==12555== by 0x4EE7B80: parse_branch /glibc-git/posix/regcomp.c:2153
==12555== by 0x4EE7C9D: parse_reg_exp /glibc-git/posix/regcomp.c:2112
==12555== by 0x4EE80B0: re_compile_internal /glibc-git/posix/regcomp.c:2081
==12555== by 0x4EE9320: regcomp/glibc-git/posix/regcomp.c:500
==12555== by 0x400764: main /tmp/build-glibc-git/bug-regex31.c:23
For all 6-character patterns, I see 3 additional leaks.
I'll attach my pattern generator and modified bug-regex31.c shortly.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
` (3 preceding siblings ...)
2010-10-12 4:58 ` ppluzhnikov at google dot com
@ 2010-10-12 5:04 ` ppluzhnikov at google dot com
2010-10-12 5:06 ` ppluzhnikov at google dot com
2010-10-13 22:59 ` ppluzhnikov at google dot com
6 siblings, 0 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-12 5:04 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
--- Comment #7 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-12 05:04:15 UTC ---
Created attachment 5051
--> http://sourceware.org/bugzilla/attachment.cgi?id=5051
slightly modified bug-regex31.c -- regfree on success
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
` (4 preceding siblings ...)
2010-10-12 5:04 ` ppluzhnikov at google dot com
@ 2010-10-12 5:06 ` ppluzhnikov at google dot com
2010-10-13 22:59 ` ppluzhnikov at google dot com
6 siblings, 0 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-12 5:06 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
--- Comment #8 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-12 05:05:51 UTC ---
Created attachment 5052
--> http://sourceware.org/bugzilla/attachment.cgi?id=5052
pattern generator; run e.g. "perl gen.pl 4 | ./bug-regex31"
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread* [Bug libc/12078] regcomp with invalid expression leaks memory
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
` (5 preceding siblings ...)
2010-10-12 5:06 ` ppluzhnikov at google dot com
@ 2010-10-13 22:59 ` ppluzhnikov at google dot com
6 siblings, 0 replies; 10+ messages in thread
From: ppluzhnikov at google dot com @ 2010-10-13 22:59 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12078
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #9 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2010-10-13 22:59:11 UTC ---
The last commit:
http://repo.or.cz/w/glibc.git/commit/b833d51fbbf78b38c6ff68074c22d3fe3ddd0ce3
fixed all patterns up to 10 characters in length.
Using extended gen.pl which also emits '.', '?', '^', etc.
I found no leaks for all patterns up to 8 characters.
This is probably as good as one can hope for.
Thanks for fixing this!
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2010-10-13 22:59 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-10-01 12:46 [Bug libc/12078] New: regcomp with invalid expression leaks memory ppluzhnikov at google dot com
2010-10-01 12:52 ` [Bug libc/12078] " ppluzhnikov at google dot com
2010-10-01 14:58 ` ppluzhnikov at google dot com
[not found] <bug-12078-131@http.sourceware.org/bugzilla/>
2010-10-11 15:47 ` drepper.fsp at gmail dot com
2010-10-11 21:46 ` ppluzhnikov at google dot com
2010-10-12 2:50 ` drepper.fsp at gmail dot com
2010-10-12 4:58 ` ppluzhnikov at google dot com
2010-10-12 5:04 ` ppluzhnikov at google dot com
2010-10-12 5:06 ` ppluzhnikov at google dot com
2010-10-13 22:59 ` ppluzhnikov at google dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).