Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault

bug-gawk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault

From:	Andrew J. Schorr
Subject:	Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault
Date:	Tue, 24 May 2022 14:16:06 -0400
User-agent:	Mutt/1.5.21 (2010-09-15)

Hi,

You can see the test case here:

https://github.com/AdamVanScyoc/gawk/commit/0a3c822e6b446c367c45e098fae0fdb1ba4dfa21

But why is it useful to set ip->opcode to Op_field_assign when
it already has that value?

static INSTRUCTION *
make_assignable(INSTRUCTION *ip)
{
        switch (ip->opcode) {
        case Op_push:
                ip->opcode = Op_push_lhs;
                return ip;
        case Op_field_spec:
                ip->opcode = Op_field_spec_lhs;
                return ip;
        case Op_subscript:
                ip->opcode = Op_subscript_lhs;
                return ip;
        case Op_field_assign:
                // XXX why is this assignment useful?
                ip->opcode = Op_field_assign;
                return ip;
        default:
                break;  /* keeps gcc -Wall happy */
        }
        return NULL;
}

Regards,
Andy

On Tue, May 24, 2022 at 11:57:06AM -0600, arnold@skeeve.com wrote:
> Hi.
> 
> Thanks for the report and the diff. I think it looks reasonable but
> will explore some more. Please send the new test case; it wasn't in
> your diff.
> 
> Arnold
> 
> Adam Van Scyoc <avanscy@g.clemson.edu> wrote:
> 
> > Hi, thanks for your work maintaining Gawk.
> >
> > After fuzzing with the google address sanitizers (and reproduced in
> > valgrind) I discovered there's a 4-byte out-of-bounds read with a very
> > simple input script that uses getline (see attachment).
> >
> > I wrote a patch that fixes the OOB read and still passes all tests
> > (including a new test that I wrote called getlnfa.awk as in "getline field
> > assign," which is the opcode type that was unhandled causing the bug).
> >
> > I have my patch attached as a diff to this email but also you can check it
> > out on my github fork of gawk: https://github.com/AdamVanScyoc/gawk
> >
> > This bug was reproduced both with the google address sanitizer and valgrind
> > on MacOS 12.3.1 and in an Ubuntu 22.04 docker container. Repro'ed on Gawk
> > versions 5.1.60 and 5.1.1
> >
> > Let me know if there's anything further you need. Also there may be more
> > bugs to come as I continue fuzzing.
> >
> > Thanks!
> > -Adam Van Scyoc

[Prev in Thread]

Current Thread

[Next in Thread]

Gawk 4-Byte Out Of Bounds Read and Seg Fault, Adam Van Scyoc, 2022/05/24
- Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault, arnold, 2022/05/24
  - Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault, Andrew J. Schorr <=
    - Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault, arnold, 2022/05/24
    - Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault, arnold, 2022/05/24
    - Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault, Andrew J. Schorr, 2022/05/24

Prev by Date: Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault
Next by Date: Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault
Previous by thread: Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault
Next by thread: Re: Gawk 4-Byte Out Of Bounds Read and Seg Fault
Index(es):
- Date
- Thread