>Number:         149425
>Category:       bin
>Synopsis:       BSD grep accesses incorrect memory area.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 08 13:00:16 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Shuichi KITAGUCHI
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD rhea.k.ysnb.net 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r210927: Fri Aug  6 22:55:43 JST 2010     r...@rhea.k.ysnb.net:/usr/obj/data/rhea/usr/src/sys/RHEA  amd64

>Description:
BSD grep accesses an incorrect memory region and may abort.
Additionally, valgrind detects some errors.
>How-To-Repeat:
1) grep aborts (allocated buffer is short)
% cd /usr/src/usr.bin/grep
% grep -r -B 2 char .
..
grep: (malloc) /data/rhea/usr/src/lib/libc/stdlib/malloc.c:3176: Failed assertion: "bin->runcur->magic == ARENA_RUN_MAGIC"
Abort

2) valgrind detects some errors. (take 1, 0-byte file)
% cd /usr/src/usr.bin/grep
% make
% touch x
% valgrind -v ./grep a x
..
==3775== Invalid read of size 1
==3775==    at 0x25C8E9: memchr (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==3775==    by 0x4027C4: grep_fgetln (in /data/home/kit/tmp/g/grep)
==3775==    by 0x404156: procfile (in /data/home/kit/tmp/g/grep)
==3775==    by 0x4037DA: main (in /data/home/kit/tmp/g/grep)
..

3) valgrind detects some errors. (take 2, incorrect free)
% cd /usr/src/usr.bin/grep
% make
% valgrind -v ./grep -r -C 2 char .
..
==3716== Invalid free() / delete / delete[]
==3716==    at 0x25B260: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==3716==    by 0x4044FD: procfile (in /data/home/kit/tmp/grep/grep)
==3716==    by 0x4049CD: grep_tree (in /data/home/kit/tmp/grep/grep)
==3716==    by 0x403857: main (in /data/home/kit/tmp/grep/grep)
..

>Fix:
The attached patch fixes 1) and 2).
I cannot resolve 3).

Patch attached with submission follows:

diff --git a/queue.c b/queue.c
index 5f4d4ef..1fd05c5 100644
--- a/queue.c
+++ b/queue.c
@@ -56,7 +56,7 @@ enqueue(struct str *x)
        struct qentry *item;
 
        item = grep_malloc(sizeof(struct qentry));
-       item->data.dat = grep_malloc(sizeof(char) * x->len);
+       item->data.dat = grep_malloc(sizeof(char) * x->len + 1);
        item->data.len = x->len;
        item->data.line_no = x->line_no;
        item->data.off = x->off;
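Review bot: `sizeof(char) * x->len + 1` only puts the `+ 1` outside the multiplication because `sizeof(char)` is 1; write it as `grep_malloc(x->len + 1)` (or parenthesize `x->len + 1`) so the intent, one extra byte beyond the `len` bytes stored in `item->data.dat`, presumably for a terminating NUL, is explicit. The hunk does not show the code that fills `dat`; the routine that writes the terminator is the likely source of the one-byte heap overrun behind the malloc assertion in 1) and should be checked for the matching `len + 1`. The invalid `free()` reported in 3) comes from `procfile` on the same `-C` context path that consumes these queue entries, so ownership of `dat` after dequeue is worth reviewing in the same change.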

diff --git a/file.c b/file.c
index 7d9715f..ab658fc 100644
--- a/file.c
+++ b/file.c
@@ -132,6 +132,10 @@ grep_fgetln(struct file *f, size_t *len)
                        else if (stat(fname, &st) != 0)
                                err(2, NULL);
 
+                       /* no need to allocate buffer. */
+                       if (st.st_size == 0)
+                               return (NULL);
+
                        bufsiz = (MAXBUFSIZ > (st.st_size * PREREAD_M)) ?
                            (st.st_size / 2) : MAXBUFSIZ;
 
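Review bot: the early `return (NULL)` treats `st.st_size == 0` as end of file, but `st_size` is also 0 for pipes, sockets and many device or procfs files that do carry data, so `grep` would silently produce no matches on those; restrict the check to regular files (`S_ISREG(st.st_mode)`) or, better, fix the empty case where the buffer is read. The guard also leaves the underlying defect in place: in the small-file branch `bufsiz` is `st.st_size / 2`, which is still 0 for a one-byte file, so `memchr` in `grep_fgetln` is again handed a zero-length buffer exactly as in the valgrind trace for 2); clamping `bufsiz` to at least 1 (or a small fixed floor) covers both the zero- and one-byte cases at the source. Whatever shape the fix takes, callers such as `procfile` must treat a NULL return from `grep_fgetln` as end of input rather than an error.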


>Release-Note:
>Audit-Trail:
>Unformatted: