Hi, grep -E ".*{10,}{10,}{10,}{10,}{10,}" can exhaust stack space, and then a stack overflow occurs. (Tested on the latest version, 3.6.)
jyc@ubuntu18:~/GREP/grep-3.6/src$ ./grep -E ".*{10,}{10,}{10,}{10,}{10,}"
grep: stack overflow

Gdb information:

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x20 (' ')
RCX: 0x555555799010 --> 0x705070701010700
RDX: 0x0
RSI: 0x8
RDI: 0x7ffff7b5dc40 --> 0x0
RBP: 0xffffffffffffffb0
RSP: 0x7fffff7fefa0
RIP: 0x7ffff780637e (<_int_malloc+62>: mov QWORD PTR [rsp+0x8],rsi)
R8 : 0x68b1d
R9 : 0x0
R10: 0x555555799010 --> 0x705070701010700
R11: 0x0
R12: 0x7ffff4d228f8 --> 0x0
R13: 0x3458e8
R14: 0x0
R15: 0x55555579e460 --> 0x7ffff545e010 --> 0x2e ('.')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7806373 <_int_malloc+51>: test al,al
   0x7ffff7806375 <_int_malloc+53>: jne 0x7ffff7806a58 <_int_malloc+1816>
   0x7ffff780637b <_int_malloc+59>: test rdi,rdi
=> 0x7ffff780637e <_int_malloc+62>: mov QWORD PTR [rsp+0x8],rsi
   0x7ffff7806383 <_int_malloc+67>: mov r14,rdi
   0x7ffff7806386 <_int_malloc+70>: je 0x7ffff7806a38 <_int_malloc+1784>
   0x7ffff780638c <_int_malloc+76>: mov r15d,ebx
   0x7ffff780638f <_int_malloc+79>: shr r15d,0x4
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefa0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff780637e in _int_malloc (av=av@entry=0x7ffff7b5dc40 <main_arena>, bytes=bytes@entry=0x8) at malloc.c:3557
3557 malloc.c: No such file or directory.
ASAN:

=================================================================
==12861==ERROR: AddressSanitizer: stack-overflow on address 0x7fffe9c8afc8 (pc 0x7f9f6989dd2e bp 0x7fffe9c8b060 sp 0x7fffe9c8afd0 T0)
    #0 0x7f9f6989dd2d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27d2d)
    #1 0x7f9f69954b0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
    #2 0x555aa36928ec in re_node_set_alloc /home/jyc/GREP/grep-3.6/lib/regex_internal.c:973
    #3 0x555aa369f8cf in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1700
    #4 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #5 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #6 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    …
    #248 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #249 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737
    #250 0x555aa369fe25 in calc_eclosure_iter /home/jyc/GREP/grep-3.6/lib/regcomp.c:1737

SUMMARY: AddressSanitizer: stack-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27d2d)
==12861==ABORTING

Thanks,
Yuancheng
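
The backtrace above shows the stack being exhausted inside pattern compilation (calc_eclosure_iter in lib/regcomp.c), so a program that accepts regular expressions from untrusted input can contain this kind of failure by compiling each pattern in a throwaway child process first. The following is an added example, not part of the original report and not grep's code; probe_regex, the enum names and the 2-second CPU limit are assumptions, and the C library's regcomp() stands in for grep's bundled copy.

```c
#include <regex.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of compiling an untrusted pattern in a sacrificial child. */
enum probe_result { PROBE_OK, PROBE_REJECTED, PROBE_CRASHED, PROBE_ERROR };

/* Hypothetical helper: run regcomp() on `pattern` in a forked child so that
   a stack overflow or runaway compile kills the child, not the caller. */
enum probe_result probe_regex(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        struct rlimit cpu = { 2, 2 };   /* assumed budget: 2 s of CPU time */
        struct rlimit core = { 0, 0 };  /* no core file if the child crashes */
        regex_t re;
        setrlimit(RLIMIT_CPU, &cpu);
        setrlimit(RLIMIT_CORE, &core);
        /* Exit 0 if the pattern compiled, 1 if regcomp() reported an error. */
        _exit(regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))            /* SIGSEGV, SIGXCPU, ... */
        return PROBE_CRASHED;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? PROBE_OK : PROBE_REJECTED;
    return PROBE_ERROR;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "rejected", "crashed", "error" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s PATTERN\n", argv[0]);
        return 2;
    }
    printf("%s\n", names[probe_regex(argv[1])]);
    return 0;
}
```

A caller would treat anything other than PROBE_OK as a reason to refuse the pattern before compiling it in the main process.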