| author | Yuliy Pisetsky <ypisetsky@fb.com> | 2015-01-01 15:36:55 -0800 |
|---|---|---|
| committer | Jim Meyering <meyering@fb.com> | 2015-01-09 08:15:59 -0800 |
| commit | 83a95bd8c8561875b948cadd417c653dbe7ef2e2 (patch) | |
| tree | 638281de90e0f345b1f8af42ac176dd927147b79 /THANKS.in | |
| parent | 9aedd79729193d57939dd171850eb2d44d28eecb (diff) | |
| download | grep-83a95bd8c8561875b948cadd417c653dbe7ef2e2.tar.gz | |
grep -F: fix a heap buffer (read) overrun
grep's read buffer is often filled to its full size, except when
reading the final buffer of a file. In that case, the number of
bytes read may be far less than the size of the buffer. However, for
certain unusual pattern/text combinations, grep -F would mistakenly
examine bytes in that uninitialized region of memory when searching
for a match. With carefully chosen inputs, one can cause grep -F to
read beyond the end of that buffer altogether. This problem arose via
commit v2.18-90-g73893ff with the introduction of a more efficient
heuristic using what is now the memchr_kwset function. The use of
that function in bmexec_trans could leave TP much larger than EP,
and the subsequent call to bm_delta2_search would mistakenly access
beyond the end of the main input read buffer.
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
do not call bm_delta2_search.
* tests/kwset-abuse: New file.
* tests/Makefile.am (TESTS): Add it.
* THANKS.in: Update.
* NEWS (Bug fixes): Mention it.
Prior to this patch, this command would trigger a UMR:
    printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)

    Use of uninitialised value of size 8
       at 0x4142BE: bmexec_trans (kwset.c:657)
       by 0x4143CA: bmexec (kwset.c:678)
       by 0x414973: kwsexec (kwset.c:848)
       by 0x414DC4: Fexecute (kwsearch.c:128)
       by 0x404E2E: grepbuf (grep.c:1238)
       by 0x4054BF: grep (grep.c:1417)
       by 0x405CEB: grepdesc (grep.c:1645)
       by 0x405EC1: grep_command_line_arg (grep.c:1692)
       by 0x4077D4: main (grep.c:2570)
See the accompanying test for how to trigger the heap buffer overrun.
Thanks to Nima Aghdaii for testing and finding numerous
ways to break early iterations of this patch.
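The guard the log describes, as an added illustration that is not grep's kwset.c: a simplified last-byte search where a memchr-style skip can leave TP at EP, and the fix refuses to run the backward verify step (the analogue of bm_delta2_search) once TP reaches or exceeds EP. The names bm_search, verify_at and guard_hits and the simplified skip heuristic are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the fix described in the commit message above; this
 * is not grep's kwset.c.  bm_search, verify_at, guard_hits and the
 * simplified skip heuristic are assumptions made for this example. */

/* Number of times the TP >= EP guard stopped a verification step whose reads
 * would have landed in the uninitialised tail of the buffer or past its end. */
static int guard_hits;

/* Compare PAT backwards from candidate last byte TP.  Every byte it touches
 * lies in [TP - plen + 1, TP], so it is in bounds only while TP < EP. */
static int verify_at(const char *tp, const char *pat, size_t plen)
{
    for (size_t i = 0; i < plen; i++)
        if (tp[-(ptrdiff_t)i] != pat[plen - 1 - i])
            return 0;
    return 1;
}

/* Search the initialised region [TEXT, TEXT + LEN) for PAT and return a pointer
 * to the match, or NULL.  TP is the candidate position of the pattern's last
 * byte and EP is one past the last initialised byte, as in the commit message. */
static const char *bm_search(const char *text, size_t len,
                             const char *pat, size_t plen)
{
    if (plen == 0 || plen > len)
        return NULL;
    const char *ep = text + len;
    const char *tp = text + plen - 1;
    for (;;) {
        /* memchr-style skip to the next byte that could end a match.  When no
         * such byte remains, the heuristic leaves TP at EP: the state in which
         * bm_delta2_search used to be called before the fix. */
        const char *hit = memchr(tp, pat[plen - 1], (size_t)(ep - tp));
        tp = hit ? hit : ep;
        /* The fix: once TP reaches or exceeds EP, do not run the verify step. */
        if (tp >= ep) {
            guard_hits++;
            return NULL;
        }
        if (verify_at(tp, pat, plen))
            return tp - (plen - 1);
        tp++;   /* mismatch: advance and let the skip heuristic run again */
    }
}
```

Feeding it the shape of the log's reproducer (a run of zeros ending in `b`, searched for a pattern containing a byte that never occurs) returns NULL with the guard having fired once, which is exactly the verify step the unfixed code performed on bytes past EP.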
Diffstat (limited to 'THANKS.in')
-rw-r--r-- | THANKS.in | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -62,6 +62,7 @@ Michael Aichlmayr mikla@nx.com Miles Bader miles@ccs.mt.nec.co.jp Mirraz Mirraz mirraz1@rambler.ru Nelson H. F. Beebe beebe@math.utah.edu +Nima Aghdaii naghdaii@fb.com Olaf Kirch okir@ns.lst.de Paul Kimoto kimoto@spacenet.tn.cornell.edu Péter Radics mitchnull@gmail.com |
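Review bot: only the THANKS.in hunk is visible in this view, so the substantive change named in the log, the TP >= EP check in src/kwset.c (bmexec_trans) before bm_delta2_search, and the new tests/kwset-abuse file cannot be reviewed here; reviewers should check the full commit for those. The added line "Nima Aghdaii naghdaii@fb.com" follows the file's "Name email" format and sits in the correct alphabetical position between "Nelson H. F. Beebe" and "Olaf Kirch".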