
Bug #8868

/usr/xpg4/bin/grep dumps core in find_nl()

Added by Alexander Pyhalov over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Start date: 2017-11-29
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

How to repeat:

$ /usr/xpg4/bin/grep -E -v '\|' ~/srcs/illumos-gate/usr/src/tools/scripts/nightly.sh
...
Segmentation Fault (core dumped)
$ pstack core
core 'core' of 4299:    /usr/xpg4/bin/grep -E -v \| /export/home/alp/srcs/illumos-gate/usr/src
 08051c05 find_nl  (3, 8047ce8, 0, fee69e99, 8047ce8, 2) + b
 080535c0 process_file (8047ce8, 0, 0, feed8878) + 68
 08053716 process_path (8047ce8, 8047be4, 8047b68, 8053e6c, fef70548, fef70548) + fb
 08053ec3 main     (8047b6c, fef5f2c8, 8047ba8, 8051b18, 5, 8047bd8) + 7a3
 08051b18 _start_crt (5, 8047bd8, fefd1c00, 0, 0, 0) + 97
 080519ea _start   (5, 8047ccc, 8047cdf, 8047ce2, 8047ce5, 8047ce8) + 1a

Somehow prntlen becomes negative in:

 while ((prntptrend = find_nl(prntptrend+1, prntlen)) != NULL)

#1

Updated by Alexander Pyhalov over 3 years ago

  • Subject changed from /usr/xpg4/bin/grep dumps core find_nl() to /usr/xpg4/bin/grep dumps core in find_nl()
#2

Updated by Alexander Pyhalov over 3 years ago

Simpler reproducer:

printf '\n\n' > test2
/usr/xpg4/bin/grep -v 'aa' test2

Segmentation Fault (core dumped)

#3

Updated by Alexander Pyhalov over 3 years ago

Another similar crash (other stack path):

printf '\n\nqwe\n\n' > test2
/usr/xpg4/bin/grep -B 1 qw test2

This one is related to the fact that in https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/grep_xpg4/grep.c#L1339 :

 if (conflag & BEFORE) {
     if (conbcnt >= conblen) {
         char *tmp = conptr;
         conptr = find_nl(conptr,
             conptrend - conptr) + 1;
         if (bflag)
             blkoffset += conptr - tmp;
         linenum++;
         nearmatch = B_TRUE;
     } else {
         conbcnt++;
     }
 }

find_nl() result is never checked for NULL.
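
The two failure modes described in this report, a negative length handed to find_nl() and an unchecked NULL return turned into NULL + 1, shown in an added example that is not part of the report or of the illumos commit: find_nl() is a memchr() stand-in, and find_nl_checked(), advance_context() and context_skip() are names assumed here to show a defensive shape for the BEFORE branch, not the fix that was actually integrated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for grep's find_nl(): first '\n' in [ptr, ptr + len), else NULL. */
static const char *find_nl(const char *ptr, size_t len)
{
	return (memchr(ptr, '\n', len));
}

/*
 * Hardened wrapper (an assumption for this example, not the illumos fix):
 * a signed length keeps a negative prntlen, as in the first reproducer,
 * from wrapping to a huge size_t and running memchr() off the buffer.
 */
static const char *find_nl_checked(const char *ptr, ptrdiff_t len)
{
	if (ptr == NULL || len <= 0)
		return (NULL);
	return (find_nl(ptr, (size_t)len));
}

/*
 * Skip one line at the start of the -B window, as the quoted BEFORE branch
 * does.  That code computes find_nl(...) + 1 with no NULL check, so a window
 * holding no newline yields the pointer 0x1; here it is reported as NULL.
 */
static const char *advance_context(const char *conptr, const char *conptrend)
{
	const char *nl = find_nl_checked(conptr, conptrend - conptr);
	return (nl == NULL ? NULL : nl + 1);
}

/* Offset of the new window start within buf[0..len), or -1 if none. */
static ptrdiff_t context_skip(const char *buf, ptrdiff_t len)
{
	const char *p = advance_context(buf, buf + len);
	return (p == NULL ? -1 : p - buf);
}

int main(void)
{
	/* Constructed input mirroring the reproducer: printf '\n\nqwe\n\n' */
	const char buf[] = "\n\nqwe\n\n";
	printf("full buffer: skip to offset %td; window \"qwe\": %td (no newline)\n",
	    context_skip(buf, 7), context_skip(buf + 2, 3));
	return (0);
}
```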

#4

Updated by Electric Monk about 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit e41ba543c907a7f890945c577bac3566017e4162

commit  e41ba543c907a7f890945c577bac3566017e4162
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2017-12-08T20:19:52.000Z

    8868 /usr/xpg4/bin/grep dumps core in find_nl()
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Dan McDonald <danmcd@joyent.com>
