Date: Tue, 16 Feb 2021 09:51:47 GMT
Message-Id: <202102160951.11G9plcS026298@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Alex Richardson
Subject: git: a1c158199793 - stable/13 - usr.bin/grep: Fix Address OOB read error
X-Git-Committer: arichardson
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: a1c1581997936ca7e828673a6468c95ce9578a94

The branch stable/13 has been updated by arichardson:

URL: https://cgit.FreeBSD.org/src/commit/?id=a1c1581997936ca7e828673a6468c95ce9578a94

commit a1c1581997936ca7e828673a6468c95ce9578a94
Author:     Alex Richardson
AuthorDate: 2021-01-19 11:35:07 +0000
Commit:     Alex Richardson
CommitDate: 2021-02-16 09:50:31 +0000

    usr.bin/grep: Fix Address OOB read error

    I found this when compiling all the bootstrap tools with -fsanitize=address:

    ==65590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008400 at pc 0x000000473053 bp 0x7ffc1c7dd910 sp 0x7ffc1c7dd0b8
    READ of size 32769 at 0x62d000008400 thread T0
        #0 0x473052 in regexec (/local/scratch/alr48/cheri/build/freebsd-amd64-build/local/scratch/alr48/cheri/freebsd/amd64.amd64/tmp/legacy/bin/grep+0x473052)
        #1 0x4c9cf3 in procline /local/scratch/alr48/cheri/freebsd/usr.bin/grep/util.c:539:8
        #2 0x4c8687 in procfile /local/scratch/alr48/cheri/freebsd/usr.bin/grep/util.c:379:18
        #3 0x4c6596 in main /local/scratch/alr48/cheri/freebsd/usr.bin/grep/grep.c:714:8

    0x62d000008400 is located 0 bytes to the right of 32768-byte region [0x62d000000400,0x62d000008400)
    allocated by thread T0 here:
        #0 0x493d5d in malloc (/local/scratch/alr48/cheri/build/freebsd-amd64-build/local/scratch/alr48/cheri/freebsd/amd64.amd64/tmp/legacy/bin/grep+0x493d5d)
        #1 0x4cad75 in grep_malloc
/local/scratch/alr48/cheri/freebsd/usr.bin/grep/util.c:656:13 #2 0x4c8129 in procfile /local/scratch/alr48/cheri/freebsd/usr.bin/grep/util.c #3 0x4c6596 in main /local/scratch/alr48/cheri/freebsd/usr.bin/grep/grep.c:714:8 SUMMARY: AddressSanitizer: heap-buffer-overflow (/local/scratch/alr48/cheri/build/freebsd-amd64-build/local/scratch/alr48/cheri/freebsd/amd64.amd64/tmp/legacy/bin/grep+0x473052) in regexec Reviewed By: kevans MFC after: 1 week (cherry picked from commit 81c3f64110bb76e24d6062eafd7206c10f676d6f) --- usr.bin/grep/file.c | 11 +++++++---- usr.bin/grep/queue.c | 4 +++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/usr.bin/grep/file.c b/usr.bin/grep/file.c index 3d86bef010e5..8577572c2887 100644 --- a/usr.bin/grep/file.c +++ b/usr.bin/grep/file.c @@ -98,7 +98,6 @@ char * grep_fgetln(struct file *f, struct parsec *pc) { char *p; - char *ret; size_t len; size_t off; ptrdiff_t diff; @@ -116,12 +115,15 @@ grep_fgetln(struct file *f, struct parsec *pc) /* Look for a newline in the remaining part of the buffer */ if ((p = memchr(bufpos, fileeol, bufrem)) != NULL) { ++p; /* advance over newline */ - ret = bufpos; len = p - bufpos; + if (grep_lnbufgrow(len + 1)) + goto error; + memcpy(lnbuf, bufpos, len); bufrem -= len; bufpos = p; pc->ln.len = len; - return (ret); + lnbuf[len] = '\0'; + return (lnbuf); } /* We have to copy the current buffered data to the line buffer */ @@ -148,7 +150,7 @@ grep_fgetln(struct file *f, struct parsec *pc) ++p; diff = p - bufpos; len += diff; - if (grep_lnbufgrow(len)) + if (grep_lnbufgrow(len + 1)) goto error; memcpy(lnbuf + off, bufpos, diff); bufrem -= diff; @@ -156,6 +158,7 @@ grep_fgetln(struct file *f, struct parsec *pc) break; } pc->ln.len = len; + lnbuf[len] = '\0'; return (lnbuf); error: diff --git a/usr.bin/grep/queue.c b/usr.bin/grep/queue.c index ac15185f0694..9babdbf74af8 100644 --- a/usr.bin/grep/queue.c +++ b/usr.bin/grep/queue.c 
@@ -95,12 +95,14 @@ enqueue(struct str *x) rotated = true; free(item->dat); } - item->dat = grep_malloc(sizeof(char) * x->len); + /* len + 1 for NUL-terminator */ + item->dat = grep_malloc(sizeof(char) * x->len + 1); item->len = x->len; item->line_no = x->line_no; item->boff = x->boff; item->off = x->off; memcpy(item->dat, x->dat, x->len); + item->dat[x->len] = '\0'; item->file = x->file; return (rotated);
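
Review bot: the contract change in grep_fgetln is undocumented in usr.bin/grep/file.c, hunk @@ -116,12 +115,15 @@, where the newline fast path now does "memcpy(lnbuf, bufpos, len);" and "return (lnbuf);" instead of returning bufpos. Callers used to get a pointer into the read buffer on this path and now always get the shared line buffer, so please add a comment above grep_fgetln stating that the returned line is NUL-terminated, that pc->ln.len does not count the terminator, and that the pointer is only valid until the next call grows or overwrites lnbuf. It is also worth a sentence in the commit message that every line now costs a grep_lnbufgrow call and a copy, since the trace shows regexec reading one byte past the 32768-byte region and the terminator is what prevents that.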
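
Review bot: the added "lnbuf[len] = '\0';" before "return (lnbuf);" in usr.bin/grep/file.c, hunk @@ -156,6 +158,7 @@, is only in bounds if every path that reaches it has grown lnbuf to at least len + 1 bytes. The patch changes the grow to "grep_lnbufgrow(len + 1)" only in the newline branch of hunk @@ -148,7 +150,7 @@; the other ways out of the loop are not part of these hunks. Please confirm that those paths (for example input that ends without a newline) also reserve the extra byte, or do the len + 1 grow unconditionally right before the terminator write so the bound is visible next to the store.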
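
Review bot: operator precedence in usr.bin/grep/queue.c, enqueue(), hunk @@ -95,12 +95,14 @@: "grep_malloc(sizeof(char) * x->len + 1)" parses as (sizeof(char) * x->len) + 1, which yields the intended size only because sizeof(char) is 1. Write it as "sizeof(char) * (x->len + 1)" or simply "x->len + 1" so the expression matches the "len + 1 for NUL-terminator" comment and stays correct if the element type ever changes. Note that item->len stays x->len, so the terminator is not counted in the length; a short comment on the struct field saying so would keep later readers from copying item->len bytes and losing the NUL.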