Bug 113507 - get_subexp() uses uninitialized memory in posix/tst-pcre
Summary: get_subexp() uses uninitialized memory in posix/tst-pcre
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-01-14 19:50 UTC by John Reiser
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-28 09:50:31 UTC
Type: ---
Embargoed:



Description John Reiser 2004-01-14 19:50:53 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114

Description of problem:
Internal testcase "tst-pcre PCRE.tests" uses uninitialized memory in
get_subexp().

Version-Release number of selected component (if applicable):
glibc-2.3.2-101.4

How reproducible:
Always

Steps to Reproduce:
1. Run testcase "tst-pcre PCRE.tests" under a memory access checker.

Or, run under gdb with a breakpoint on regex_internal.c:171, just
after the last call to re_realloc() inside
re_string_realloc_buffers().  On the 294-th hit of the breakpoint, set
"awatch *(char *)(6+ ...)" where "..." is the value of new_array.  The
byte will be read before it is written.

Actual Results:  Byte is read by memcmp() in get_subexp() at
regexec.c:2571 before it is written.

Expected Results:  No use of uninitialized byte.

Additional info:
Patch for bug 113421 (msg00054.html) has been applied.

Insure++ symptom is:
-----
[regexec.c:2571] (Thread 0) **READ_UNINIT_MEM(read)**
>>           if (sl_str_diff > 0
 
  Reading uninitialized memory.
 
  Pointer : 0x4022475e
  In block: 0x40224758 thru 0x4022475e (7 bytes)
                  block allocated at regex_internal.c, 169
       re_string_realloc_buffers()  regex_internal.c, 169
              re_search_internal()  regexec.c, 66
                       __regexec()  regexec.c, 214
                            main()  tst-pcre.c, 169
 
  Stack trace where the error occurred:
                      get_subexp()  regexec.c, 2571
             transit_state_bkref()  regex_internal.c, 2445
                   transit_state()  regexec.c, 2251
                  check_matching()  regexec.c, 1025
              re_search_internal()  regexec.c, 748
                       __regexec()  regexec.c, 214
                            main()  tst-pcre.c, 169
 
 
Breakpoint 1, gdb_break_here () at chap0.S:70
70      chap0.S: No such file or directory.
        in chap0.S
Current language:  auto; currently asm
(gdb) x/x $esp
0xbfffe864:     0x400e7793
(gdb) x/i $__
0x400e7793 <get_subexp+291>:    repz cmpsb %es:(%edi),%ds:(%esi)
(gdb) p/x $edi
$53 = 0x40224758
(gdb) p/x $esi
$54 = 0x4022475e
(gdb) bt
#0  gdb_break_here () at chap0.S:70
#1  0x400e7793 in get_subexp (mctx=0x4022409c, bkref_node=6,
    bkref_str_idx=1075980896) at regexec.c:2571
#2  0x400e71b0 in transit_state_bkref (mctx=0xbfffef10, nodes=0x4022409c)
    at regexec.c:2445
#3  0x400e6ad5 in transit_state (err=0xbfffeea8, mctx=0xbfffef10, state=0x2)
    at regexec.c:2251
#4  0x400e47ef in check_matching (mctx=0xbfffef10, fl_longest_match=1)
    at regexec.c:1025
#5  0x400e40e6 in re_search_internal (preg=0x2, string=0x4021f848 "ABCABC",
    length=6, start=0, range=6, stop=6, nmatch=20, pmatch=0xbffff25c, eflags=0)
    at regexec.c:748
#6  0x400e366d in __regexec (preg=0xbffff23c, string=0x4021f848 "ABCABC",
    nmatch=1075988318, pmatch=0x4022475e, eflags=0) at regexec.c:214
#7  0x08048a0b in main (argc=2, argv=0x401607d8) at tst-pcre.c:169
#8  0x40040760 in __libc_start_main (main=0x8048720 <main>, argc=2,
    ubp_av=0xbffff390, init=0x8048ea0 <__libc_csu_init>, fini=0xbffff23c,
    rtld_fini=0x4021f848, stack_end=0x6) at ../sysdeps/generic/libc-start.c:205
-----

Comment 1 John Reiser 2004-01-14 19:58:14 UTC
The 296-th allocation also leads to a use of uninit byte:
-----
[regexec.c:2602] (Thread 0) **READ_UNINIT_MEM(read)**
>>           if (sl_str_off > 0 && *bkref_str++ != buf[sl_str - 1])
 
  Reading uninitialized memory.
 
  Pointer : 0x4021dffd
  In block: 0x4021dff8 thru 0x4021dffd (6 bytes)
                  block allocated at regex_internal.c, 169
       re_string_realloc_buffers()  regex_internal.c, 169
              re_search_internal()  regexec.c, 66
                       __regexec()  regexec.c, 214
                            main()  tst-pcre.c, 169
 
  Stack trace where the error occurred:
                      get_subexp()  regexec.c, 2602
             transit_state_bkref()  regex_internal.c, 2445
                   transit_state()  regexec.c, 2251
                  check_matching()  regexec.c, 1025
              re_search_internal()  regexec.c, 748
                       __regexec()  regexec.c, 214
                            main()  tst-pcre.c, 169
 
 
Breakpoint 1, gdb_break_here () at chap0.S:70
70      chap0.S: No such file or directory.
        in chap0.S
Current language:  auto; currently asm
(gdb) x/x $esp
0xbfffe868:     0x400e782e
(gdb) x/6i $__
0x400e782e <get_subexp+446>:    movzbl (%esi),%edx
0x400e7831 <get_subexp+449>:    inc    %esi
0x400e7832 <get_subexp+450>:    mov    0xffffffd8(%ebp),%ecx
0x400e7835 <get_subexp+453>:    mov    0xffffffc8(%ebp),%edi
0x400e7838 <get_subexp+456>:    cmp    0xffffffff(%edi,%ecx,1),%dl  
### %dl is low byte of %edx
0x400e783c <get_subexp+460>:    jne    0x400e7859 <get_subexp+489>

(gdb) p/x $esi
$61 = 0x4021dffd
(gdb) bt
#0  gdb_break_here () at chap0.S:70
#1  0x400e782e in get_subexp (mctx=0x40220194, bkref_node=3,
    bkref_str_idx=1075962688) at regexec.c:2602
#2  0x400e71b0 in transit_state_bkref (mctx=0xbfffef10, nodes=0x40220194)
    at regexec.c:2445
#3  0x400e6ad5 in transit_state (err=0xbfffeea8, mctx=0xbfffef10, state=0x0)
    at regexec.c:2251
#4  0x400e47ef in check_matching (mctx=0xbfffef10, fl_longest_match=1)
    at regexec.c:1025
#5  0x400e40e6 in re_search_internal (preg=0x0, string=0x4021f848 "Ab4ab",
    length=5, start=0, range=5, stop=5, nmatch=20, pmatch=0xbffff25c, eflags=0)
    at regexec.c:748
#6  0x400e366d in __regexec (preg=0xbffff23c, string=0x4021f848 "Ab4ab",
    nmatch=0, pmatch=0x0, eflags=0) at regexec.c:214
#7  0x08048a0b in main (argc=2, argv=0x401607d8) at tst-pcre.c:169
#8  0x40040760 in __libc_start_main (main=0x8048720 <main>, argc=2,
    ubp_av=0xbffff390, init=0x8048ea0 <__libc_csu_init>, fini=0xbffff23c,
    rtld_fini=0x4021f848, stack_end=0x3) at ../sysdeps/generic/libc-start.c:205
-----
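
A stand-alone reproducer harness, added here as an example and not part of the bug report, of tst-pcre, or of glibc: it drives regexec() through the backreference path (transit_state_bkref -> get_subexp) that both the description and Comment 1 show, using the two subject strings visible in the backtraces ("ABCABC" and "Ab4ab"). The patterns are assumptions chosen to exercise a backreference, not the PCRE.tests patterns tst-pcre was running, and the helper name run_bkref is invented for this example. The program does not detect the uninitialized read by itself; it is meant to be run under a memory checker (for example valgrind --track-origins=yes, which tracks glibc's own malloc'ed internal buffer) on a libc whose regex implementation supports backreferences, as glibc's does.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one regexec() call on a pattern containing a backreference. */
struct bkref_result {
    int status;                  /* 0 on match, REG_NOMATCH, or a regcomp()/regexec() error code */
    regoff_t match_so, match_eo; /* offsets of the whole match, -1 when there is none */
    regoff_t grp_so, grp_eo;     /* offsets of group 1 (what \1 must repeat), -1 when none */
};

/* Compile PATTERN (POSIX extended syntax; "\\1" in C source is the
   backreference \1) with REG_EXTENDED | CFLAGS and run it over SUBJECT.
   SUBJECT is copied into a heap block of exactly strlen(subject) + 1 bytes
   so that a checker such as valgrind has a tightly sized allocation to
   attribute any caller-side over-read to.  The read shown in the bug
   report is inside glibc's own internal buffer (re_string_realloc_buffers),
   which a checker that instruments malloc'ed memory also tracks. */
struct bkref_result run_bkref(const char *pattern, const char *subject, int cflags)
{
    struct bkref_result r = { -1, -1, -1, -1, -1 };
    regex_t re;
    regmatch_t m[2];            /* m[0] = whole match, m[1] = group 1 */

    int rc = regcomp(&re, pattern, REG_EXTENDED | cflags);
    if (rc != 0) {              /* e.g. REG_BADPAT on a libc without backreferences */
        r.status = rc;
        return r;
    }

    size_t len = strlen(subject);
    char *buf = malloc(len + 1);
    if (buf == NULL) {
        regfree(&re);
        return r;
    }
    memcpy(buf, subject, len + 1);

    r.status = regexec(&re, buf, 2, m, 0);
    if (r.status == 0) {
        r.match_so = m[0].rm_so;
        r.match_eo = m[0].rm_eo;
        r.grp_so = m[1].rm_so;
        r.grp_eo = m[1].rm_eo;
    }

    free(buf);
    regfree(&re);
    return r;
}

int main(void)
{
    /* Constructed cases.  The subjects are the two strings visible in the
       report's backtraces; the patterns are assumptions, not PCRE.tests. */
    static const struct { const char *pat, *subj; } cases[] = {
        { "^(ABC)\\1$",    "ABCABC" }, /* \1 repeats a fixed-length group: match */
        { "^(.+)\\1$",     "ABCABC" }, /* engine must try group lengths until \1 fits */
        { "^([Aa]b)4\\1$", "Ab4ab"  }, /* group is "Ab", \1 sees "ab": no match */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct bkref_result r = run_bkref(cases[i].pat, cases[i].subj, 0);
        if (r.status == 0)
            printf("%-16s %-8s match [%ld,%ld) group1 [%ld,%ld)\n",
                   cases[i].pat, cases[i].subj,
                   (long) r.match_so, (long) r.match_eo,
                   (long) r.grp_so, (long) r.grp_eo);
        else
            printf("%-16s %-8s %s\n", cases[i].pat, cases[i].subj,
                   r.status == REG_NOMATCH ? "no match" : "regcomp/regexec error");
    }
    return 0;
}
```

Build with `cc -g -o bkref bkref.c` and run `valgrind --track-origins=yes ./bkref`; on an affected glibc the report should point at regexec.c inside get_subexp, with the origin in re_string_realloc_buffers, as in the Insure++ output above. The second case is the one that makes the engine compare several candidate group lengths against the text after the group, which is the memcmp()/byte-compare in get_subexp that both traces stop in.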


Comment 3 Ulrich Drepper 2004-09-28 09:50:31 UTC
Assume fixed in current release.

