https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117457
Bug ID: 117457
Summary: regex global buffer overflow LTO
Product: gcc
Version: 14.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: kingoipo at gmail dot com
Target Milestone: ---
Compiling the following program:
#include <regex>
int main() {
// Minimal reproducer for PR 117457. Built with
// `g++ -O2 -g3 -fsanitize=address -flto` on GCC 14.2.0 (Debian 14.2.0-6),
// constructing this regex is reported by ASan as a 1-byte global-buffer-overflow
// READ in std::__detail::_Scanner<char>::_M_scan_normal()
// (bits/regex_scanner.tcc:98); the faulting address is 0 bytes after the
// pattern's string literal, i.e. one byte past its end.
// The report does not appear when -flto is omitted, so the over-read is
// presumably LTO-specific rather than a property of the pattern itself —
// root cause not established here.
// NOTE(review): keep the pattern literal and flags byte-for-byte; any change
// alters the reproducer.
std::regex _r{"\\/some\\/http\\/(\\d{1,2})\\/(\\d{1,2})\\/(\\d{1,2})\\/test",
std::regex::ECMAScript};
return 0;
}
with the following flags:
g++ -O2 -g3 -fsanitize=address -flto bug.cpp
Produces the following ASAN report:
=================================================================
==40127==ERROR: AddressSanitizer: global-buffer-overflow on address
0x5621f46983b4 at pc 0x5621f4658d07 bp 0x7ffe9425cf00 sp 0x7ffe9425cef8
READ of size 1 at 0x5621f46983b4 thread T0
#0 0x5621f4658d06 in std::__detail::_Scanner<char>::_M_scan_normal()
/usr/include/c++/14/bits/regex_scanner.tcc:98
#1 0x5621f4658d06 in std::__detail::_Scanner<char>::_M_advance()
/usr/include/c++/14/bits/regex_scanner.tcc:79
#2 0x5621f46599be in
std::__detail::_Compiler<std::__cxx11::regex_traits<char>
>::_M_match_token(std::__detail::_ScannerBase::_TokenT)
/usr/include/c++/14/bits/regex_compiler.tcc:575
#3 0x5621f46599be in
std::__detail::_Compiler<std::__cxx11::regex_traits<char>
>::_M_match_token(std::__detail::_ScannerBase::_TokenT)
/usr/include/c++/14/bits/regex_compiler.tcc:569
#4 0x5621f46599be in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_try_char()
/usr/include/c++/14/bits/regex_compiler.tcc:562
#5 0x5621f4674989 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_atom()
/usr/include/c++/14/bits/regex_compiler.tcc:310
#6 0x5621f4674989 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_term()
/usr/include/c++/14/bits/regex_compiler.tcc:133
#7 0x5621f4674989 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:115
#8 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#9 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#10 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#11 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#12 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#13 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#14 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#15 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#16 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#17 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#18 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#19 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#20 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#21 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#22 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#23 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#24 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#25 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#26 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#27 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#28 0x5621f4675340 in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_alternative()
/usr/include/c++/14/bits/regex_compiler.tcc:118
#29 0x5621f468280d in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_M_disjunction()
/usr/include/c++/14/bits/regex_compiler.tcc:91
#30 0x5621f468b4cb in
std::__detail::_Compiler<std::__cxx11::regex_traits<char> >::_Compiler(char
const*, char const*, std::locale const&,
std::regex_constants::syntax_option_type)
/usr/include/c++/14/bits/regex_compiler.tcc:76
#31 0x5621f468b4cb in std::__cxx11::basic_regex<char,
std::__cxx11::regex_traits<char> >::_M_compile(char const*, char const*,
std::regex_constants::syntax_option_type) [clone .constprop.0]
/usr/include/c++/14/bits/regex.h:809
#32 0x5621f46498fe in std::__cxx11::basic_regex<char,
std::__cxx11::regex_traits<char> >::basic_regex(char const*,
std::regex_constants::syntax_option_type) /usr/include/c++/14/bits/regex.h:473
#33 0x5621f46498fe in main /home/oipo/Programming/Ichor/build/bug.cpp:4
#34 0x7f01a2633d67 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#35 0x7f01a2633e24 in __libc_start_main_impl ../csu/libc-start.c:360
#36 0x5621f4649a70 in _start
(/home/oipo/Programming/Ichor/build/a.out+0xba70) (BuildId:
e42a5c6b2ff4dc486cfd3625e2358b6c9db52de2)
0x5621f46983b4 is located 44 bytes before global variable '*.LC30' defined in
'./a.ltrans1.ltrans' (0x5621f46983e0) of size 145
'*.LC30' is ascii string 'Number of NFA states exceeds limit. Please use
shorter regex string, or use smaller brace expression, or make
_GLIBCXX_REGEX_STATE_LIMIT larger.'
0x5621f46983b4 is located 0 bytes after global variable '*.LC29' defined in
'./a.ltrans1.ltrans' (0x5621f4698380) of size 52
'*.LC29' is ascii string
'\/some\/http\/(\d{1,2})\/(\d{1,2})\/(\d{1,2})\/test'
SUMMARY: AddressSanitizer: global-buffer-overflow
/usr/include/c++/14/bits/regex_scanner.tcc:98 in
std::__detail::_Scanner<char>::_M_scan_normal()
Shadow bytes around the buggy address:
0x5621f4698100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x5621f4698180: 00 00 00 00 00 00 00 02 f9 f9 f9 f9 00 00 00 00
0x5621f4698200: 05 f9 f9 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
0x5621f4698280: 07 f9 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
0x5621f4698300: 00 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
=>0x5621f4698380: 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 00 00 00 00
0x5621f4698400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
0x5621f4698480: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
0x5621f4698500: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 00 00
0x5621f4698580: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
0x5621f4698600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==40127==ABORTING
The ASAN report goes away when the program is compiled without -flto.
gcc info:
$ g++ -v
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-linux-gnu/14/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 14.2.0-6'
--with-bugurl=file:///usr/share/doc/gcc-14/README.Bugs
--enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++,m2,rust --prefix=/usr
--with-gcc-major-version-only --program-suffix=-14
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/libexec --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-libstdcxx-backtrace
--enable-gnu-unique-object --disable-vtable-verify --enable-plugin
--enable-default-pie --with-system-zlib --enable-libphobos-checking=release
--with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch
--disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none=/build/reproducible-path/gcc-14-14.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/reproducible-path/gcc-14-14.2.0/debian/tmp-gcn/usr
--enable-offload-defaulted --without-cuda-driver --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
--with-build-config=bootstrap-lto-lean --enable-link-serialization=3
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.2.0 (Debian 14.2.0-6)