GNU bug report logs -
#29666
Segfault at changing location
Previous Next
Reported by: Jeremy Feusi <jeremy <at> feusi.co>
Date: Mon, 11 Dec 2017 20:50:02 UTC
Severity: normal
Done: Jim Meyering <jim <at> meyering.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29666 in the body.
You can then email your comments to 29666 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-grep <at> gnu.org
:
bug#29666
; Package
grep
.
(Mon, 11 Dec 2017 20:50:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Jeremy Feusi <jeremy <at> feusi.co>
:
New bug report received and forwarded. Copy sent to
bug-grep <at> gnu.org
.
(Mon, 11 Dec 2017 20:50:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
I am working on a project for school in which I use afl to find bugs in
software and I decided to fuzz grep. In doing so I discovered a
segfault. When using gdb, the location of the segfault varies, which
puzzles me and so I cannot include any further information.
The command to obtain this bug is:
grep -o -E -f <seg-file>
where <seg-file> is the file attached.
I am using grep 3.1 on arch linux.
cheers
Jeremy
[seg-file (application/octet-stream, attachment)]
Information forwarded
to
bug-grep <at> gnu.org
:
bug#29666
; Package
grep
.
(Tue, 12 Dec 2017 17:48:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 29666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Dec 11, 2017 at 12:44 PM, Jeremy Feusi <jeremy <at> feusi.co> wrote:
> Hi,
> I am working on a project for school in which I use afl to find bugs in
> software and I decided to fuzz grep. In doing so I discovered a
> segfault. When using gdb, the location of the segfault varies, which
> puzzles me and so I cannot include any further information.
> The command to obtain this bug is:
> grep -o -E -f <seg-file>
> where <seg-file> is the file attached.
>
> I am using grep 3.1 on arch linux.
> cheers
> Jeremy
Thank you for the report.
This has been an issue since about grep-2.6.1.
It gave a proper diagnostic until 2.5.4:
$ grep-2.5.4/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
grep-2.5.4/bin/grep: Unmatched ( or \(
[Exit 2]
Starting in approximately 2.6.1 (I don't have 2.6.0 handy) it
would fail like this:
$ grep-2.6.1/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
Segmentation fault (core dumped)
Using the latest with -P works fine:
$ grep -P -f <(printf %080000d 0|tr 0 '(')
grep: parentheses are too deeply nested
[Exit 2]
Here's a nearly-complete patch to make grep diagnose the generic
"stack overflow" problem:
[grep-stack-overflow.diff (text/plain, attachment)]
Reply sent
to
Jim Meyering <jim <at> meyering.net>
:
You have taken responsibility.
(Sat, 16 Dec 2017 19:45:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Jeremy Feusi <jeremy <at> feusi.co>
:
bug acknowledged by developer.
(Sat, 16 Dec 2017 19:45:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 29666-done <at> debbugs.gnu.org (full text, mbox):
On Tue, Dec 12, 2017 at 9:47 AM, Jim Meyering <jim <at> meyering.net> wrote:
> On Mon, Dec 11, 2017 at 12:44 PM, Jeremy Feusi <jeremy <at> feusi.co> wrote:
...
> Thank you for the report.
>
> This has been an issue since about grep-2.6.1.
> It gave a proper diagnostic until 2.5.4:
>
> $ grep-2.5.4/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
> grep-2.5.4/bin/grep: Unmatched ( or \(
> [Exit 2]
>
> Starting in approximately 2.6.1 (I don't have 2.6.0 handy) it
> would fail like this:
>
> $ grep-2.6.1/bin/grep -E -f <(printf %080000d 0|tr 0 '(')
> Segmentation fault (core dumped)
>
> Using the latest with -P works fine:
>
> $ grep -P -f <(printf %080000d 0|tr 0 '(')
> grep: parentheses are too deeply nested
> [Exit 2]
>
> Here's a nearly-complete patch to make grep diagnose the generic
> "stack overflow" problem:
I found the root cause and filed a glibc bug for that (link below).
Here are the updated commit log and NEWS entry:
grep: diagnose stack overflow rather than segfaulting
* bootstrap.conf (gnulib_modules): Add c-stack.
* src/grep.c: Include "c-stack.h".
(main): Call c_stack_action (NULL);
* tests/stack-overflow: New file.
* tests/Makefile.am (TESTS): Add name of new file.
* NEWS (Improvements): Mention it.
Interestingly, this bug does not afflict grep-2.5.4 or prior,
so it appeared to have been introduced with grep-2.6. However,
the origin is in glibc's regexp compiler, and I tracked it to
stack-aware parsing that was removed from glibc's regexp in 2002.
However, grep-2.5.4 was released in 2009. That version worked
(and still works, now) because it included and (by default) used
an old copy of glibc's regexp code.
Jeremy Feusi reported the grep segfault in https://bugs.gnu.org/29666.
I reported the glibc regexp bug in
https://sourceware.org/bugzilla/show_bug.cgi?id=22620
** Improvements
grep now diagnoses stack overflow. Before grep-2.6, the included
regexp code would detect it. Since 2.6, grep defaulted to using
glibc's regexp, which lost that capability.
Here's the pushed commit:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=51ef8adb2f7eeb073ba98be4f6baf56817e4d358
Information forwarded
to
bug-grep <at> gnu.org
:
bug#29666
; Package
grep
.
(Sun, 17 Dec 2017 16:34:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 29666 <at> debbugs.gnu.org (full text, mbox):
Here are two patches.
The first suppresses a warning I saw when building with
gcc-8.0.0 20171215 on fedora 27. The second fixes a link
failure reported by Jeremy Feusi.
Subject: [PATCH 1/2] build: suppress sig-handler.h's -Wcast-function-type warning
* configure.ac (WERROR_CFLAGS): Add -Wno-cast-function-type
to suppress warning about sig-handler.h's sa_handler_t cast:
sig-handler.h: In function 'get_handler':
sig-handler.h:47:12: error: cast between incompatible function\
types from 'void (* const)(int, siginfo_t *, void *)'\
{aka 'void (* const)(int, struct <anonymous> *, void *)'}\
to 'void (*)(int)' [-Werror=cast-function-type]
return (sa_handler_t) a->sa_sigaction;
---
configure.ac | 1 +
1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index 032c91b..59153dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -149,6 +149,7 @@ if test "$gl_gcc_warnings" = yes; then
gl_WARN_ADD([-Wno-missing-field-initializers]) # We need this one
gl_WARN_ADD([-Wno-sign-compare]) # Too many warnings for now
gl_WARN_ADD([-Wno-unused-parameter]) # Too many warnings for now
+ gl_WARN_ADD([-Wno-cast-function-type]) # sig-handler.h's sa_handler_t cast
# In spite of excluding -Wlogical-op above, it is enabled, as of
# gcc 4.5.0 20090517, and it provokes warnings in cat.c, dd.c, truncate.c
--
Subject: [PATCH 2/2] build: link with -lsigsegv, when c-stack module requires it
* src/Makefile.am (grep_LDADD): Add $(LIBCSTACK).
Otherwise, on at least Debian and Arch-based systems, linking would
fail with diagnostics like these:
c-stack.c:207: undefined reference to `stackoverflow_install_handler'
c-stack.c:216: undefined reference to `sigsegv_install_handler'
Reported by Jeremy Feusi.
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 71c64f9..7a0cdef 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -43,7 +43,7 @@ LDADD = \
../lib/libgreputils.a $(LIBINTL) ../lib/libgreputils.a $(LIBICONV) \
$(LIBTHREAD)
-grep_LDADD = $(LDADD) $(PCRE_LIBS)
+grep_LDADD = $(LDADD) $(PCRE_LIBS) $(LIBCSTACK)
localedir = $(datadir)/locale
AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
--
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Mon, 15 Jan 2018 12:24:07 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 108 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.