https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82164
Bug ID: 82164
Summary: AddressSanitizer: stack-buffer-overflow while constructing std::regex
Product: gcc
Version: 7.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: bique.alexandre at gmail dot com
Target Milestone: ---

Hi,

I'd like to report a bug regarding libstdc++ crashing in the regex engine.

Compiling this:

    #include <regex>   // needed for std::regex; the rest is the reporter's reproducer as posted

    const std::regex kNewLineEscaped("(\\\\r\\\\n)|(\\\\n)|(\\\\r)");
    const std::regex kNewLineRaw("[\n\r]+", std::regex::basic | std::regex::optimize);
    const std::regex kTabRaw("[\t]");
    const std::regex kComma("[,]");
    const std::regex kSlash("[/]");

will generate the following error at runtime:

==6700==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce71cd978 at pc 0x7f31c9b2402d bp 0x7ffce71cd890 sp 0x7ffce71cd880
WRITE of size 8 at 0x7ffce71cd978 thread T0
    #0 0x7f31c9b2402c in _Deque_iterator /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:153
    #1 0x7f31c9b24b6f in std::deque<std::__detail::_StateSeq<std::__cxx11::regex_traits<char> >, std::allocator<std::__detail::_StateSeq<std::__cxx11::regex_traits<char> > > >::begin() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1167
    #2 0x7f31c9b24a34 in ~deque /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1045
    #3 0x7f31c9ac3554 in ~stack /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_stack.h:99
    #4 0x7f31c9ac1824 in _Compiler /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex_compiler.tcc:90
    #5 0x7f31c9ac112d in _ZNSt8__detail13__compile_nfaIPKcNSt7__cxx1112regex_traitsIcEEEENSt9enable_ifIXsr27__is_contiguous_normal_iterIT_EE5valueESt10shared_ptrIKNS_4_NFAIT0_EEEE4typeES7_S7_RKNSA_11locale_typeENSt15regex_constants18syntax_option_typeE /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex_compiler.h:203
    #6 0x7f31c9ac0e33 in basic_regex<const char *> /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:768
    #7 0x7f31c9ac0986 in basic_regex<const char *> /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:512
    #8 0x7f31c9abf336 in basic_regex /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:445
    #9 0x7f31c97606fb in __cxx_global_var_init.6 ../../AudioModulesFrame/AM_StdLibExtensions.cpp:11
    #10 0x7f31c976084d in _GLOBAL__sub_I_AM_StdLibExtensions.cpp ../../AudioModulesFrame/AM_StdLibExtensions.cpp
    #11 0x7f31d0329579 in call_init.part.0 (/lib64/ld-linux-x86-64.so.2+0xf579)
    #12 0x7f31d0329685 in _dl_init (/lib64/ld-linux-x86-64.so.2+0xf685)
    #13 0x7f31d032db5d in dl_open_worker (/lib64/ld-linux-x86-64.so.2+0x13b5d)
    #14 0x7f31ce54beb3 in __GI__dl_catch_error (/usr/lib/libc.so.6+0x131eb3)
    #15 0x7f31d032d379 in _dl_open (/lib64/ld-linux-x86-64.so.2+0x13379)
    #16 0x7f31cef52e85 (/usr/lib/libdl.so.2+0xe85)
    #17 0x7f31ce54beb3 in __GI__dl_catch_error (/usr/lib/libc.so.6+0x131eb3)
    #18 0x7f31cef53586 (/usr/lib/libdl.so.2+0x1586)
    #19 0x7f31cef52f21 in dlopen (/usr/lib/libdl.so.2+0xf21)
    #20 0x7f31cf3abd98 in __interceptor_dlopen /build/gcc-multilib/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5364
    #21 0x55abc3a21cb7 in Vst2Plugin::loadDLL() (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0xa8cb7)
    #22 0x55abc3a2218e in Vst2PluginApi::loadPlugin(PluginHost*, base::core::String) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0xa918e)
    #23 0x55abc39cc7d5 in PluginHost::getPlugin(base::core::String const&) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x537d5)
    #24 0x55abc39d41a1 in writePluginInfo(base::core::String, base::core::OutputStream*) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x5b1a1)
    #25 0x55abc39bb47f in main (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x4247f)
    #26 0x7f31ce43af69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
    #27 0x55abc39be9d9 in _start (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x459d9)

Address 0x7ffce71cd978 is located in stack of thread T0 at offset 56 in frame
    #0 0x7f31c9b2493f in ~deque /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1045

  This frame has 2 object(s):
    [32, 64) 'agg.tmp' <== Memory access at offset 56 is inside this variable
    [96, 128) 'agg.tmp2'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:153 in _Deque_iterator
Shadow bytes around the buggy address:
  0x10001ce31ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001ce31ae0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10001ce31af0: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x10001ce31b00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10001ce31b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001ce31b20: f1 f1 f1 f1 00 00 00 f2 f1 f1 f1 f1 00 00 00[f2]
  0x10001ce31b30: f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
  0x10001ce31b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001ce31b50: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x10001ce31b60: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3
  0x10001ce31b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6700==ABORTING

I am using Archlinux 64-bit; my system is up to date as of 10-09-2017.

I believe that the bug is in libstdc++/regex, as I could reproduce the issue with clang 4.0.1.

    pacman -Qi gcc-multilib
    Name            : gcc-multilib
    Version         : 7.2.0-1

    pacman -Qi binutils
    Name            : binutils
    Version         : 2.29.0-1

Regards,
Alexandre