diff options
| author | Pádraig Brady <P@draigBrady.com> | 2014-04-28 13:29:41 +0100 |
|---|---|---|
| committer | Pádraig Brady <P@draigBrady.com> | 2014-04-29 09:50:58 +0100 |
| commit | f940fece04ec0265ad8c52046f7678ad3116a305 (patch) | |
| tree | e51e068a1000a9503b7b9a7616b5f8a639d5d750 /tests/misc/ptx-overrun.sh | |
| parent | 2f8d53a7989bf172931bfe5cfc7f7c4a9dbdd9ed (diff) | |
| download | coreutils-f940fece04ec0265ad8c52046f7678ad3116a305.tar.xz | |
ptx: fix whitespace trimming with multiple files
This issue was identified by running the test suite with
http://code.google.com/p/address-sanitizer/
which is included in GCC 4.8 and enabled with -fsanitize=address
This was checked on Fedora 20 with GCC 4.8 as follows:
$ yum install libasan # http://bugzilla.redhat.com/991003
$ rm -f src/ptx.o
$ make check AM_CFLAGS='-fsanitize=address' SUBDIRS=. VERBOSE=yes
$ failure identified in tests/test-suite.log
To see this particular failure triggered with multiple files:
$ src/ptx <(echo a) <(echo a) 2>&1 | asan_symbolize.py -d
=================================================================
==32178==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000e74f at pc 0x435442 bp 0x7fffe8a1b290 sp 0x7fffe8a1b288
READ of size 1 at 0x60200000e74f thread T0
#0 0x435441 in define_all_fields coreutils/src/ptx.c:1425
#1 0x7fa206d31d64 in __libc_start_main ??:?
#2 0x42f77c in _start ??:?
0x60200000e74f is located 1 bytes to the left of 3-byte region
[0x60200000e750,0x60200000e753) allocated by thread T0 here:
#0 0x421809 in realloc ??:?
#1 0x439b4e in fread_file coreutils/lib/read-file.c:97
Shadow bytes around the buggy address:
0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x0c047fff9ce0: fa fa 03 fa fa fa fd fd fa[fa]03 fa fa fa 00 00
0x0c047fff9cf0: fa fa 04 fa fa fa 04 fa fa fa fd fa fa fa fd fa
0x0c047fff9d00: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 fa
0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d30: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==32178==ABORTING
The initial report and high level analysis were from Jim Meyering...
"The underlying problem is that swallow_file_in_memory()
is setting the contents of the global text_buffer for the first file,
then updating it (clobbering old value) for the second file.
Yet, some pointers to the initial buffer have been squirreled away
and later, one of them (keyafter) is presumed to point into
the new "text_buffer", which it does not. The subsequent
SKIP_WHITE_BACKWARDS use backs up "cursor" and goes out of bounds."
* src/ptx.c (text_buffers): Maintain references for the limits of each
buffer corresponding to each file, rather than just the last processed.
(struct OCCURS): Add a member to map back to the corresponding file.
Note normally this could be computed from the "reference" member
rather than needing the extra storage, however this is not possible
when in --references mode.
(find_occurs_in_text): Reference the array rather than a single entry.
(define_all_fields): Likewise. Also avoid computing the file index
since this is now stored directly.
(main): Update text_buffers[] array rather than a single text_buffer.
* tests/misc/ptx-overrun.sh: Even though this issue is already triggered
with AddressSanitizer, add a new case to demonstrate the whitespace
trimming issue, and to trigger without AddressSanitizer.
Fixes https://bugs.gnu.org/16171
Diffstat (limited to 'tests/misc/ptx-overrun.sh')
| -rwxr-xr-x | tests/misc/ptx-overrun.sh | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/tests/misc/ptx-overrun.sh b/tests/misc/ptx-overrun.sh index 693a1800a..be9fb524f 100755 --- a/tests/misc/ptx-overrun.sh +++ b/tests/misc/ptx-overrun.sh @@ -1,5 +1,4 @@ #!/bin/sh -# Trigger a heap-clobbering bug in ptx from coreutils-6.10 and earlier. # Copyright (C) 2008-2014 Free Software Foundation, Inc. @@ -19,12 +18,12 @@ . "${srcdir=.}/tests/init.sh"; path_prepend_ ./src print_ver_ ptx +# Trigger a heap-clobbering bug in ptx from coreutils-6.10 and earlier. # Using a long file name makes an abort more likely. # Even with no file name, valgrind detects the buffer overrun. f=01234567890123456789012345678901234567890123456789 touch $f empty || framework_failure_ - # Specifying a regular expression ending in a lone backslash # would cause ptx to write beyond the end of a malloc'd buffer. ptx -F '\' $f < /dev/null > out || fail=1 @@ -32,4 +31,14 @@ ptx -S 'foo\' $f < /dev/null >> out || fail=1 ptx -W 'bar\\\' $f < /dev/null >> out || fail=1 compare out empty || fail=1 + +# Trigger an invalid heap reference noticed by gcc -fsanitize=address +# from coreutils-8.22 and earlier. As well as an invalid memory reference, +# the issue can be seen in the output, with non deterministice whitespace +# trimming when multiple files are specified. +printf '%s\n' 'This is a ptx whitespace Trimming test' > ws.in +ptx ws.in ws.in | sort | uniq -u > out +compare /dev/null out || fail=1 + + Exit $fail |