Date:      Tue, 19 Mar 2002 15:50:46 -0800 (PST)
From:      mki <mki@nospam.mozone.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/36114: please MFC 1.24 of libc/regex/regcomp.c
Message-ID:  <200203192350.g2JNokD54562@freefall.freebsd.org>


>Number:         36114
>Category:       misc
>Synopsis:       please MFC 1.24 of libc/regex/regcomp.c
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 19 16:00:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     mki
>Release:        4.5-RELEASE, 4.5-STABLE
>Organization:
>Environment:
>Description:
Programs that use regcomp/regexec get a SIGBUS when running under ElectricFence and similar memory bounds checkers.  This is due to the BM search algorithm reading beyond the length of an array in computematchjumps().  Here's the stack trace of the attached program:

Program received signal SIGBUS, Bus error.
0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048                    ssuffix = pmatches[ssuffix];
(gdb) where
#0  0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
#1  0x8048fe8 in regcomp (preg=0xbfbff70c, pattern=0x804da20 "127.0.0.1/10", cflags=7) at regcomp.c:281
#2  0x8048d08 in main (argc=1, argv=0xbfbff770) at test.c:10
#3  0x8048c5d in _start ()
(gdb) frame 0
#0  0x804c5d5 in computematchjumps (p=0xbfbff46c, g=0x28104ea0) at regcomp.c:2048
2048                    ssuffix = pmatches[ssuffix];
(gdb) l
2043                    while (suffix <= ssuffix && suffix < g->mlen) {
2044                            g->matchjump[suffix] = MIN(g->matchjump[suffix],
2045                                g->mlen + ssuffix - suffix);
2046                            suffix++;
2047                    }
2048                    ssuffix = pmatches[ssuffix];
2049            }
2050
2051            free(pmatches);
2052    }
(gdb) print ssuffix
$1 = 4
(gdb) l 2000
1995
1996            /* Avoid making errors worse */
1997            if (p->error != 0)
1998                    return;
1999
2000            pmatches = (int*) malloc(g->mlen * sizeof(unsigned int));
2001            if (pmatches == NULL) {
2002                    g->matchjump = NULL;
2003                    return;
2004            }
(gdb) print g->mlen
$2 = 4
(gdb) print pmatches[0]
$3 = 3
(gdb) print pmatches[1]
$4 = 3
(gdb) print pmatches[2]
$5 = 3
(gdb) print pmatches[3]
$6 = 4
(gdb) print pmatches[4]
Error accessing memory address 0x2810d000: Bad address.
(gdb) print ssuffix
$7 = 4
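
The out-of-bounds read the gdb session shows, replayed as an added example (not code from this PR or from libc): it runs the listed loop on the values printed above, mlen == 4 and pmatches == {3, 3, 3, 4}, checks every index before it is used, and reports the index the read at line 2048 would use instead of faulting. The entry value suffix == 3, the outer loop condition and the guard in the bounded variant are this example's assumptions, not the contents of revision 1.24.

```c
#include <limits.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

enum { MLEN = 4 };                       /* g->mlen as printed in the report */
/* pmatches[0..3] as printed in the report (constructed from the gdb output) */
static const int pmatches_from_report[MLEN] = {3, 3, 3, 4};

/* Replays regcomp.c lines 2043-2048 from the listing.  Assumed here: the outer
 * loop runs while suffix < mlen, matchjump[] starts at INT_MAX so MIN() only
 * lowers it, and 'guarded' adds this example's own check before the read at
 * line 2048 (not claimed to be revision 1.24).  Returns -1 if every pmatches[]
 * index stayed in [0, mlen), else the first bad index, never dereferenced. */
static int replay_matchjump_loop(const int *pmatches, int mlen, int suffix,
                                 int *matchjump, int guarded)
{
    int i, ssuffix;
    for (i = 0; i < mlen; i++)
        matchjump[i] = INT_MAX;
    if (suffix < 0 || suffix >= mlen)
        return suffix;
    ssuffix = pmatches[suffix];
    while (suffix < mlen) {
        while (suffix <= ssuffix && suffix < mlen) {
            matchjump[suffix] = MIN(matchjump[suffix], mlen + ssuffix - suffix);
            suffix++;
        }
        if (guarded && suffix >= mlen)
            break;                       /* table complete; skip the read */
        if (ssuffix < 0 || ssuffix >= mlen)
            return ssuffix;              /* line 2048 would read past the end */
        ssuffix = pmatches[ssuffix];
    }
    return -1;
}

/* The reported case (entry suffix == 3 is assumed): unguarded returns 4, the
 * index one past the end of the 4-element array; guarded returns -1. */
static int report_case(int guarded)
{
    int matchjump[MLEN];
    return replay_matchjump_loop(pmatches_from_report, MLEN, 3, matchjump, guarded);
}

/* With the guard the last entry is still computed: matchjump[3] == 4 + 4 - 3. */
static int guarded_last_matchjump(void)
{
    int matchjump[MLEN];
    replay_matchjump_loop(pmatches_from_report, MLEN, 3, matchjump, 1);
    return matchjump[MLEN - 1];
}
```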


>How-To-Repeat:
#include <stdio.h>
#include <sys/types.h>
#include <regex.h>

int main(int argc, char **argv) {
  regex_t       preg;
  int           r;
  char          errbuf[512];

  /* Compiling this pattern reaches computematchjumps() with g->mlen == 4;
   * under ElectricFence the out-of-bounds read of pmatches[] faults here. */
  r = regcomp(&preg, "127.0.0.1/10", REG_NOSUB|REG_EXTENDED|REG_ICASE);
  if ( r != 0 ) {
    regerror(r, &preg, errbuf, sizeof(errbuf));
    printf("couldn't compile regex pattern, %s\n", errbuf);
    return -1;
  }

  regfree(&preg);
  return 0;
}


>Fix:
The fix was committed to -CURRENT back in November (revision 1.24); it was supposed to be MFC'd within a week of that commit, but it seems to have been forgotten.  Please MFC it.
>Release-Note:
>Audit-Trail:
>Unformatted:
