GNU bug report logs - #29666
Segfault at changing location


Package: grep;

Reported by: Jeremy Feusi <jeremy <at> feusi.co>

Date: Mon, 11 Dec 2017 20:50:02 UTC

Severity: normal

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.





Report forwarded to bug-grep <at> gnu.org:
bug#29666; Package grep. (Mon, 11 Dec 2017 20:50:02 GMT)

Acknowledgement sent to Jeremy Feusi <jeremy <at> feusi.co>:
New bug report received and forwarded. Copy sent to bug-grep <at> gnu.org. (Mon, 11 Dec 2017 20:50:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jeremy Feusi <jeremy <at> feusi.co>
To: bug-grep <at> gnu.org
Subject: Segfault at changing location
Date: Mon, 11 Dec 2017 21:44:25 +0100
Hi,
I am working on a project for school in which I use afl to find bugs in
software and I decided to fuzz grep. In doing so I discovered a
segfault. When using gdb, the location of the segfault varies, which
puzzles me and so I cannot include any further information.
The command to obtain this bug is:
grep -o -E -f <seg-file>
where <seg-file> is the file attached.

I am using grep 3.1 on Arch Linux.
cheers
Jeremy

[seg-file (application/octet-stream, attachment)]

Information forwarded to bug-grep <at> gnu.org:
bug#29666; Package grep. (Tue, 12 Dec 2017 17:48:02 GMT)

Message #8 received at 29666 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Jeremy Feusi <jeremy <at> feusi.co>
Cc: 29666 <at> debbugs.gnu.org
Subject: Re: bug#29666: Segfault at changing location
Date: Tue, 12 Dec 2017 09:47:17 -0800
On Mon, Dec 11, 2017 at 12:44 PM, Jeremy Feusi <jeremy <at> feusi.co> wrote:
> Hi,
> I am working on a project for school in which I use afl to find bugs in
> software and I decided to fuzz grep. In doing so I discovered a
> segfault. When using gdb, the location of the segfault varies, which
> puzzles me and so I cannot include any further information.
> The command to obtain this bug is:
> grep -o -E -f <seg-file>
> where <seg-file> is the file attached.
>
> I am using grep 3.1 on arch linux.
> cheers
> Jeremy

Thank you for the report.

This has been an issue since about grep-2.6.1.
It gave a proper diagnostic until 2.5.4:

  $ grep-2.5.4/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
  grep-2.5.4/bin/grep: Unmatched ( or \(
  [Exit 2]

Starting in approximately 2.6.1 (I don't have 2.6.0 handy) it
would fail like this:

  $ grep-2.6.1/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
  Segmentation fault (core dumped)

Using the latest with -P works fine:

  $ grep -P -f <(printf %080000d 0|tr 0 '(')
  grep: parentheses are too deeply nested
  [Exit 2]

Here's a nearly-complete patch to make grep diagnose the generic
"stack overflow" problem:
[grep-stack-overflow.diff (text/plain, attachment)]

Reply sent to Jim Meyering <jim <at> meyering.net>:
You have taken responsibility. (Sat, 16 Dec 2017 19:45:02 GMT)

Notification sent to Jeremy Feusi <jeremy <at> feusi.co>:
bug acknowledged by developer. (Sat, 16 Dec 2017 19:45:02 GMT)

Message #13 received at 29666-done <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Jeremy Feusi <jeremy <at> feusi.co>
Cc: 29666-done <at> debbugs.gnu.org
Subject: Re: bug#29666: Segfault at changing location
Date: Sat, 16 Dec 2017 11:43:43 -0800
On Tue, Dec 12, 2017 at 9:47 AM, Jim Meyering <jim <at> meyering.net> wrote:
> On Mon, Dec 11, 2017 at 12:44 PM, Jeremy Feusi <jeremy <at> feusi.co> wrote:
...
> Thank you for the report.
>
> This has been an issue since about grep-2.6.1.
> It gave a proper diagnostic until 2.5.4:
>
>   $ grep-2.5.4/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
>   grep-2.5.4/bin/grep: Unmatched ( or \(
>   [Exit 2]
>
> Starting in approximately 2.6.1 (I don't have 2.6.0 handy) it
> would fail like this:
>
>   $ grep-2.6.1/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
>   Segmentation fault (core dumped)
>
> Using the latest with -P works fine:
>
>   $ grep -P -f <(printf %080000d 0|tr 0 '(')
>   grep: parentheses are too deeply nested
>   [Exit 2]
>
> Here's a nearly-complete patch to make grep diagnose the generic
> "stack overflow" problem:

I found the root cause and filed a glibc bug for that (link below).
Here are the updated commit log and NEWS entry:

    grep: diagnose stack overflow rather than segfaulting
    * bootstrap.conf (gnulib_modules): Add c-stack.
    * src/grep.c: Include "c-stack.h".
    (main): Call c_stack_action (NULL);
    * tests/stack-overflow: New file.
    * tests/Makefile.am (TESTS): Add name of new file.
    * NEWS (Improvements): Mention it.
    Interestingly, this bug does not afflict grep-2.5.4 or prior,
    so it appeared to have been introduced with grep-2.6.  However,
    the origin is in glibc's regexp compiler, and I tracked it to
    stack-aware parsing that was removed from glibc's regexp in 2002.
    However, grep-2.5.4 was released in 2009.  That version worked
    (and still works, now) because it included and (by default) used
    an old copy of glibc's regexp code.
    Jeremy Feusi reported the grep segfault in https://bugs.gnu.org/29666.
    I reported the glibc regexp bug in
    https://sourceware.org/bugzilla/show_bug.cgi?id=22620

** Improvements

  grep now diagnoses stack overflow.  Before grep-2.6, the included
  regexp code would detect it.  Since 2.6, grep defaulted to using
  glibc's regexp, which lost that capability.

Here's the pushed commit:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=51ef8adb2f7eeb073ba98be4f6baf56817e4d358
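The three runs in Jim's first reply show one deeply nested input producing a clean diagnostic (grep 2.5.4, whose bundled regex code still did stack-aware parsing), a segfault (glibc's regex compiler, which parses groups recursively and, as the commit log above notes, lost that check in 2002) and a clean diagnostic again (-P, which caps nesting depth). The following is an added example, not code from grep, glibc, gnulib or this thread: a toy parser for parenthesised groups written in the unbounded shape beside a depth-limited one, so the failure mode and the in-parser mitigation can be compared side by side. MAX_NESTING, the parse_status values, check_pattern, check_pattern_unbounded and check_nested are names and values chosen for the example. It complements the c-stack approach in the pushed commit: a depth limit prevents the overflow inside the parser, while c_stack_action detects an overflow that has already happened and reports it instead of letting the process die with SIGSEGV.

```c
/* Added example, not grep's, glibc's or gnulib's code.  A toy parser for
   parenthesised groups: parse_group_unbounded () recurses once per '(' with
   nothing but the process stack limiting the depth, so a long enough run of
   '(' (Jim's reproducer uses 80000) exhausts the stack and the process dies
   with SIGSEGV at an address that depends on stack layout, which is why the
   crash site moved around under gdb.  parse_group_bounded () threads an
   explicit depth counter through the recursion and rejects input deeper than
   MAX_NESTING, turning the crash into an ordinary error status.  */

#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum parse_status { P_OK = 0, P_UNMATCHED = 1, P_TOO_DEEP = 2 };

/* Assumed limit for the example; a real engine sizes this so that the
   deepest allowed recursion fits the default stack with margin.  */
#define MAX_NESTING 250

/* Vulnerable shape: consume input up to the matching ')' or end of string,
   recursing on each '(' with no depth accounting.  TOP is nonzero for the
   outermost call, where a ')' is stray rather than a terminator.  */
static enum parse_status
parse_group_unbounded (const char **pp, int top)
{
  for (; **pp; (*pp)++)
    {
      if (**pp == '(')
        {
          (*pp)++;                      /* step inside the group */
          enum parse_status st = parse_group_unbounded (pp, 0);
          if (st != P_OK)
            return st;                  /* on success *pp rests on ')' */
        }
      else if (**pp == ')')
        return top ? P_UNMATCHED : P_OK;
    }
  return top ? P_OK : P_UNMATCHED;      /* end of input inside a group */
}

/* Hardened shape: same grammar, but DEPTH is carried explicitly and checked
   before each further level of recursion is entered.  */
static enum parse_status
parse_group_bounded (const char **pp, size_t depth)
{
  if (depth > MAX_NESTING)
    return P_TOO_DEEP;
  for (; **pp; (*pp)++)
    {
      if (**pp == '(')
        {
          (*pp)++;
          enum parse_status st = parse_group_bounded (pp, depth + 1);
          if (st != P_OK)
            return st;
        }
      else if (**pp == ')')
        return depth ? P_OK : P_UNMATCHED;
    }
  return depth ? P_UNMATCHED : P_OK;
}

enum parse_status check_pattern_unbounded (const char *pat)
{ return parse_group_unbounded (&pat, 1); }

enum parse_status check_pattern (const char *pat)
{ return parse_group_bounded (&pat, 0); }

/* Constructed input of N opening parentheses, the shape of Jim's
   printf %080000d 0 | tr 0 '(' reproducer, checked with the bounded parser.  */
enum parse_status
check_nested (size_t n)
{
  char *s = malloc (n + 1);
  if (!s)
    abort ();
  memset (s, '(', n);
  s[n] = '\0';
  enum parse_status st = check_pattern (s);
  free (s);
  return st;
}

static const char *
describe (enum parse_status st)
{
  return st == P_OK ? "ok"
         : st == P_UNMATCHED ? "Unmatched ( or \\("
         : "parentheses are too deeply nested";
}

int
main (void)
{
  /* Only the bounded parser is run on the deep input; the unbounded one is
     limited solely by the stack size and is shown for contrast.  */
  printf ("%-10s %s\n", "(a(b)c)", describe (check_pattern ("(a(b)c)")));
  printf ("%-10s %s\n", "((a)", describe (check_pattern ("((a)")));
  printf ("%-10s %s\n", "80000 x (", describe (check_nested (80000)));
  return 0;
}
```

The two parsers accept exactly the same language; the only difference is that the bounded one fails closed with P_TOO_DEEP where the unbounded one keeps recursing. Either form is easy to exercise under a fuzzer with a reduced stack (ulimit -s), which surfaces this class of bug on far shorter inputs than the 80000-character reproducer.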




Information forwarded to bug-grep <at> gnu.org:
bug#29666; Package grep. (Sun, 17 Dec 2017 16:34:02 GMT)

Message #16 received at 29666 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: grep-devel <at> gnu.org
Cc: 29666 <at> debbugs.gnu.org
Subject: patch-FYI: fix link failure and suppress a warning
Date: Sun, 17 Dec 2017 08:33:28 -0800
Here are two patches.
The first suppresses a warning I saw when building with
gcc-8.0.0 20171215 on fedora 27. The second fixes a link
failure reported by Jeremy Feusi.

Subject: [PATCH 1/2] build: suppress sig-handler.h's -Wcast-function-type warning

* configure.ac (WERROR_CFLAGS): Add -Wno-cast-function-type
to suppress warning about sig-handler.h's sa_handler_t cast:
sig-handler.h: In function 'get_handler':
sig-handler.h:47:12: error: cast between incompatible function\
  types from 'void (* const)(int,  siginfo_t *, void *)'\
  {aka 'void (* const)(int,  struct <anonymous> *, void *)'}\
  to 'void (*)(int)' [-Werror=cast-function-type]
     return (sa_handler_t) a->sa_sigaction;
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index 032c91b..59153dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -149,6 +149,7 @@ if test "$gl_gcc_warnings" = yes; then
   gl_WARN_ADD([-Wno-missing-field-initializers]) # We need this one
   gl_WARN_ADD([-Wno-sign-compare])     # Too many warnings for now
   gl_WARN_ADD([-Wno-unused-parameter]) # Too many warnings for now
+  gl_WARN_ADD([-Wno-cast-function-type]) # sig-handler.h's sa_handler_t cast

   # In spite of excluding -Wlogical-op above, it is enabled, as of
   # gcc 4.5.0 20090517, and it provokes warnings in cat.c, dd.c, truncate.c
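Review bot: the added gl_WARN_ADD([-Wno-cast-function-type]) line disables the warning for every file in the build, not only for the sig-handler.h cast the trailing comment names, so incompatible function-pointer casts in grep's own sources will go unreported from now on. GCC treats a cast through `void (*)(void)` as compatible with any function type and does not warn on it, so a narrower fix would be to change the cast in sig-handler.h itself; since that file comes from gnulib, the build-wide flag is a reasonable interim measure, but the comment should say it is a workaround pending a gnulib change rather than read as a permanent setting.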
--


Subject: [PATCH 2/2] build: link with -lsigsegv, when c-stack module requires it

* src/Makefile.am (grep_LDADD): Add $(LIBCSTACK).
Otherwise, on at least Debian and Arch-based systems, linking would
fail with diagnostics like these:
  c-stack.c:207: undefined reference to `stackoverflow_install_handler'
  c-stack.c:216: undefined reference to `sigsegv_install_handler'
Reported by Jeremy Feusi.
---
 src/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 71c64f9..7a0cdef 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -43,7 +43,7 @@ LDADD = \
   ../lib/libgreputils.a $(LIBINTL) ../lib/libgreputils.a $(LIBICONV) \
   $(LIBTHREAD)

-grep_LDADD = $(LDADD) $(PCRE_LIBS)
+grep_LDADD = $(LDADD) $(PCRE_LIBS) $(LIBCSTACK)
 localedir = $(datadir)/locale
 AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib

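Review bot: $(LIBCSTACK) is appended only to grep_LDADD and not to the shared LDADD above it, which is the right scope as long as grep is the only program that calls c_stack_action, but nothing in the Makefile says where LIBCSTACK is defined; a short comment that it is substituted by the gnulib c-stack module's configure check, and is empty when libsigsegv is not needed, would save the next reader a search. The placement is correct for static linking: ../lib/libgreputils.a in LDADD, where c-stack.o lives, comes before $(LIBCSTACK), so the undefined references to stackoverflow_install_handler and sigsegv_install_handler quoted in the description are resolved by the library that follows them.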
--




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 15 Jan 2018 12:24:07 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.