This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug c++/82164] New: AddressSanitizer: stack-buffer-overflow while constructing std::regex
- From: "bique.alexandre at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Sun, 10 Sep 2017 00:27:41 +0000
- Subject: [Bug c++/82164] New: AddressSanitizer: stack-buffer-overflow while constructing std::regex
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82164
Bug ID: 82164
Summary: AddressSanitizer: stack-buffer-overflow while constructing std::regex
Product: gcc
Version: 7.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: bique.alexandre at gmail dot com
Target Milestone: ---
Hi,
I'd like to report a bug regarding libstdc++ crashing in the regex engine:
Compiling this:
#include <regex>

const std::regex kNewLineEscaped("(\\\\r\\\\n)|(\\\\n)|(\\\\r)");
const std::regex kNewLineRaw("[\n\r]+", std::regex::basic | std::regex::optimize);
const std::regex kTabRaw("[\t]");
const std::regex kComma("[,]");
const std::regex kSlash("[/]");
Will generate the following error at runtime:
==6700==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce71cd978 at pc 0x7f31c9b2402d bp 0x7ffce71cd890 sp 0x7ffce71cd880
WRITE of size 8 at 0x7ffce71cd978 thread T0
#0 0x7f31c9b2402c in _Deque_iterator /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:153
#1 0x7f31c9b24b6f in std::deque<std::__detail::_StateSeq<std::__cxx11::regex_traits<char> >, std::allocator<std::__detail::_StateSeq<std::__cxx11::regex_traits<char> > > >::begin() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1167
#2 0x7f31c9b24a34 in ~deque /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1045
#3 0x7f31c9ac3554 in ~stack /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_stack.h:99
#4 0x7f31c9ac1824 in _Compiler /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex_compiler.tcc:90
#5 0x7f31c9ac112d in _ZNSt8__detail13__compile_nfaIPKcNSt7__cxx1112regex_traitsIcEEEENSt9enable_ifIXsr27__is_contiguous_normal_iterIT_EE5valueESt10shared_ptrIKNS_4_NFAIT0_EEEE4typeES7_S7_RKNSA_11locale_typeENSt15regex_constants18syntax_option_typeE /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex_compiler.h:203
#6 0x7f31c9ac0e33 in basic_regex<const char *> /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:768
#7 0x7f31c9ac0986 in basic_regex<const char *> /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:512
#8 0x7f31c9abf336 in basic_regex /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/regex.h:445
#9 0x7f31c97606fb in __cxx_global_var_init.6 ../../AudioModulesFrame/AM_StdLibExtensions.cpp:11
#10 0x7f31c976084d in _GLOBAL__sub_I_AM_StdLibExtensions.cpp ../../AudioModulesFrame/AM_StdLibExtensions.cpp
#11 0x7f31d0329579 in call_init.part.0 (/lib64/ld-linux-x86-64.so.2+0xf579)
#12 0x7f31d0329685 in _dl_init (/lib64/ld-linux-x86-64.so.2+0xf685)
#13 0x7f31d032db5d in dl_open_worker (/lib64/ld-linux-x86-64.so.2+0x13b5d)
#14 0x7f31ce54beb3 in __GI__dl_catch_error (/usr/lib/libc.so.6+0x131eb3)
#15 0x7f31d032d379 in _dl_open (/lib64/ld-linux-x86-64.so.2+0x13379)
#16 0x7f31cef52e85 (/usr/lib/libdl.so.2+0xe85)
#17 0x7f31ce54beb3 in __GI__dl_catch_error (/usr/lib/libc.so.6+0x131eb3)
#18 0x7f31cef53586 (/usr/lib/libdl.so.2+0x1586)
#19 0x7f31cef52f21 in dlopen (/usr/lib/libdl.so.2+0xf21)
#20 0x7f31cf3abd98 in __interceptor_dlopen /build/gcc-multilib/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5364
#21 0x55abc3a21cb7 in Vst2Plugin::loadDLL() (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0xa8cb7)
#22 0x55abc3a2218e in Vst2PluginApi::loadPlugin(PluginHost*, base::core::String) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0xa918e)
#23 0x55abc39cc7d5 in PluginHost::getPlugin(base::core::String const&) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x537d5)
#24 0x55abc39d41a1 in writePluginInfo(base::core::String, base::core::OutputStream*) (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x5b1a1)
#25 0x55abc39bb47f in main (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x4247f)
#26 0x7f31ce43af69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
#27 0x55abc39be9d9 in _start (/home/abique/develop/bitwig/alex-future/target/bin/release/BitwigPluginHost64+0x459d9)
Address 0x7ffce71cd978 is located in stack of thread T0 at offset 56 in frame
#0 0x7f31c9b2493f in ~deque /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:1045
This frame has 2 object(s):
[32, 64) 'agg.tmp' <== Memory access at offset 56 is inside this variable
[96, 128) 'agg.tmp2'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/stl_deque.h:153 in _Deque_iterator
Shadow bytes around the buggy address:
0x10001ce31ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001ce31ae0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10001ce31af0: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
0x10001ce31b00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10001ce31b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001ce31b20: f1 f1 f1 f1 00 00 00 f2 f1 f1 f1 f1 00 00 00[f2]
0x10001ce31b30: f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
0x10001ce31b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001ce31b50: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
0x10001ce31b60: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3
0x10001ce31b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6700==ABORTING
I am using Arch Linux 64-bit; my system is up to date as of 10-09-2017.
I believe that the bug is in libstdc++'s regex, as I could reproduce the issue with clang 4.0.1.
pacman -Qi gcc-multilib
Name : gcc-multilib
Version : 7.2.0-1
pacman -Qi binutils
Name : binutils
Version : 2.29.0-1
Regards,
Alexandre
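Added stand-alone reproducer (not part of the report, and not the reporter's or GCC's code): the five regex objects below are the ones from the report, built as globals in a plain program instead of inside a dlopen()ed plugin, with helpers that exercise them on constructed input. The extra kNewLineRawEcma pattern, the helper names and the sample strings are additions. Build it with `g++ -std=c++14 -g -fsanitize=address repro.cpp` (the file name is arbitrary); if it runs clean, what differs from the report is the context in frames #9 to #20, globals constructed from _GLOBAL__sub_I_* while the host dlopen()s the plugin, rather than the patterns themselves.

```cpp
// Added stand-alone reproducer for the five std::regex constructions in the
// report above. This is not the reporter's code: in the report they are
// globals in a VST plugin that is dlopen()ed by a host, so they run from
// _GLOBAL__sub_I_* during _dl_init. Here the same patterns are globals in a
// plain program, plus a few helpers that exercise them on constructed input.
#include <regex>
#include <string>
#include <vector>

// The five patterns exactly as posted. kNewLineEscaped is the C++ literal
// "(\\\\r\\\\n)|(\\\\n)|(\\\\r)", i.e. the regex text (\\r\\n)|(\\n)|(\\r):
// it matches a backslash followed by r/n as they appear in escaped text,
// not a raw newline character.
const std::regex kNewLineEscaped("(\\\\r\\\\n)|(\\\\n)|(\\\\r)");
// std::regex::basic selects POSIX basic syntax, where '+' is an ordinary
// character, so this matches one newline/CR followed by a literal '+'.
const std::regex kNewLineRaw("[\n\r]+", std::regex::basic | std::regex::optimize);
const std::regex kTabRaw("[\t]");
const std::regex kComma("[,]");
const std::regex kSlash("[/]");

// Added for contrast (not in the report): the same bracket expression with
// the default ECMAScript grammar, where '+' is a quantifier.
const std::regex kNewLineRawEcma("[\n\r]+");

// Does `re` match anywhere in `s`?
bool matches(const std::string& s, const std::regex& re)
{
    return std::regex_search(s, re);
}

// Whole-match text of every match of `re` in `s`, left to right.
std::vector<std::string> all_matches(const std::string& s, const std::regex& re)
{
    std::vector<std::string> out;
    for (std::sregex_iterator it(s.begin(), s.end(), re), end; it != end; ++it)
        out.push_back(it->str());
    return out;
}

// Replace every match of `re` in `s` with `repl`.
std::string replace_all(const std::string& s, const std::regex& re,
                        const std::string& repl)
{
    return std::regex_replace(s, re, repl);
}

int main()
{
    // Constructed inputs: the first holds the two-character sequences
    // \r\n, \n and \r; the second holds real control characters.
    const std::string escaped = "line1\\r\\nline2\\nline3\\r";
    const std::string raw     = "a\n+b\tc,d/e";

    // If execution reaches this point under -fsanitize=address, the five
    // globals were constructed without a sanitizer report.
    const bool ok = matches(escaped, kNewLineEscaped)
                 && !matches(raw, kNewLineEscaped)
                 && matches(raw, kNewLineRaw)
                 && matches(raw, kTabRaw)
                 && matches(raw, kComma)
                 && matches(raw, kSlash);
    return ok ? 0 : 1;
}
```

Two things the report's patterns do that a reader might not expect, and that the helpers make visible: kNewLineEscaped matches the two-character sequences \r and \n as written in escaped text, not raw line breaks; and under std::regex::basic the '+' in "[\n\r]+" is an ordinary character, so kNewLineRaw matches a line break followed by a literal plus sign, unlike the same text under the default ECMAScript grammar.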