ThomasDickey / original-mawk

bug-reports for mawk (originally on GoogleCode)
http://invisible-island.net/mawk/mawk.html

out of bounds heap read in function do_class() #46

Closed hannob closed 7 years ago

hannob commented 7 years ago

This script will cause an out of bounds heap read in mawk:

/[[:]/

Also attached. This was found with american fuzzy lop and address sanitizer. To see this bug you have to compile mawk with address sanitizer enabled (-fsanitize=address in CFLAGS).

Attachment: mawk-oob-heap-read-do_class.zip

Full address sanitizer error:

==15355==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000efd1 at pc 0x00000054a73e bp 0x7ffe7cacb330 sp 0x7ffe7cacb328
READ of size 1 at 0x60300000efd1 thread T0
    #0 0x54a73d in do_class /tmp/mawk-1.3.4-20160918/./rexp0.c:645:3
    #1 0x54a73d in RE_lex /tmp/mawk-1.3.4-20160918/./rexp0.c:249
    #2 0x546946 in REcompile /tmp/mawk-1.3.4-20160918/./rexp.c:155:9
    #3 0x5441aa in re_compile /tmp/mawk-1.3.4-20160918/re_cmpl.c:74:28
    #4 0x50a71b in collect_RE /tmp/mawk-1.3.4-20160918/scan.c:1147:18
    #5 0x508b46 in yylex /tmp/mawk-1.3.4-20160918/scan.c:449:6
    #6 0x4f3384 in yyparse /tmp/mawk-1.3.4-20160918/parse.c:1616:23
    #7 0x4f2d77 in parse /tmp/mawk-1.3.4-20160918/parse.y:1491:9
    #8 0x50ca08 in main /tmp/mawk-1.3.4-20160918/main.c:96:5
    #9 0x7f305191d78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x41a408 in _start (/mnt/ram/mawk/mawk+0x41a408)

0x60300000efd1 is located 15 bytes to the left of 32-byte region [0x60300000efe0,0x60300000f000)
allocated by thread T0 here:
    #0 0x4c2328 in __interceptor_malloc (/mnt/ram/mawk/mawk+0x4c2328)
    #1 0x548f26 in RE_malloc /tmp/mawk-1.3.4-20160918/./rexp1.c:243:9
    #2 0x548f26 in do_class /tmp/mawk-1.3.4-20160918/./rexp0.c:617
    #3 0x548f26 in RE_lex /tmp/mawk-1.3.4-20160918/./rexp0.c:249
    #4 0x546946 in REcompile /tmp/mawk-1.3.4-20160918/./rexp.c:155:9
    #5 0x5441aa in re_compile /tmp/mawk-1.3.4-20160918/re_cmpl.c:74:28

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/mawk-1.3.4-20160918/./rexp0.c:645:3 in do_class
Shadow bytes around the buggy address:
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa[fa]fa 00 00 00 00
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15355==ABORTING
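To show the failure mode behind a report like this, here is an added example that is not mawk's code and does not reconstruct the logic of do_class() in rexp0.c: a toy bracket-expression scanner in its unbounded form next to a bounds-checked form. The awk literal /[[:]/ hands the regex compiler the text [[:], an opening "[:" with no ":]" terminator; a scanner that searches for that terminator without an end check keeps reading past the allocation, which is the kind of one-byte heap over-read AddressSanitizer flags. The function names, the scanner logic and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy scanner for one bracket expression ("[abc]", "[[:alpha:]]", ...).
 * Return value: number of bytes consumed including the closing ']',
 * or -1 if the expression is malformed.  Illustrative code, not mawk's.
 */

/* Vulnerable variant: neither search loop is bounded.  For "[[:]" the
 * "[:" prefix is found, but no ":]" follows before the terminating NUL,
 * so the inner loop keeps reading beyond the allocation.  Built with
 * -fsanitize=address and run on a malloc'd copy of the PoC, this yields
 * a heap-buffer-overflow READ of size 1. */
static int scan_class_vulnerable(const char *s)
{
    const char *p = s;

    if (*p != '[')
        return -1;
    p++;
    if (*p == ']')                       /* leading ']' is a literal member */
        p++;
    while (*p != ']') {                  /* BUG: never checks for NUL */
        if (p[0] == '[' && p[1] == ':') {
            p += 2;
            while (!(p[0] == ':' && p[1] == ']'))   /* BUG: unbounded search */
                p++;
            p += 2;
        } else {
            p++;
        }
    }
    return (int)(p - s + 1);
}

/* Hardened variant: every read is checked against an explicit end pointer,
 * and an unterminated "[:...:]" or a missing closing ']' is reported as an
 * error instead of being scanned past. */
static int scan_class_fixed(const char *s, size_t len)
{
    const char *p = s;
    const char *end = s + len;

    if (p >= end || *p != '[')
        return -1;
    p++;
    if (p < end && *p == ']')
        p++;
    while (p < end && *p != ']') {
        if (end - p >= 2 && p[0] == '[' && p[1] == ':') {
            p += 2;
            while (end - p >= 2 && !(p[0] == ':' && p[1] == ']'))
                p++;
            if (end - p < 2)
                return -1;               /* "[:" with no ":]" before end */
            p += 2;
        } else {
            p++;
        }
    }
    if (p >= end)
        return -1;                       /* no closing ']' */
    return (int)(p - s + 1);
}

int main(void)
{
    /* Constructed inputs: the PoC from the report plus well-formed classes. */
    const char *inputs[] = { "[[:]", "[[:alpha:]]", "[abc]", "[]abc]", "[[:alpha:" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        /* Exact-size heap copy, as a regex compiler would hold it; this is
         * what makes an over-read visible to AddressSanitizer. */
        size_t n = strlen(inputs[i]);
        char *buf = malloc(n + 1);
        if (buf == NULL)
            return 1;
        memcpy(buf, inputs[i], n + 1);
        printf("%-14s -> %d\n", inputs[i], scan_class_fixed(buf, n));
        /* Do NOT call scan_class_vulnerable(buf) on "[[:]" outside an ASan
         * build: it reads out of bounds by design. */
        free(buf);
    }
    return 0;
}
```

Build with -fsanitize=address -g and, in that ASan build only, call scan_class_vulnerable on the heap copy of "[[:]" to get a heap-buffer-overflow READ of size 1; the bounds-checked scanner returns -1 for the same input and still accepts "[[:alpha:]]" and "[abc]".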
ThomasDickey commented 7 years ago

I don't see this (using Debian testing with either clang 3.6.2 or gcc 6.1.1). I'm testing using the default configuration (which corresponds to your stack trace), using mawk's built-in regex.

It just says:

> ./mawk -f foo.awk
mawk: foo.awk: line 1: runaway regular expression /[[:]/ ...

hannob commented 7 years ago

I still see this with the latest snapshot. Have you tested with address sanitizer? These kinds of buffer overreads usually don't crash applications. Test with something like:

./configure CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
./mawk -f [file]
ThomasDickey commented 7 years ago

I did that, but overlooked the zip-file difference from cut/paste.

ThomasDickey commented 7 years ago

http://invisible-island.net/mawk/CHANGES.html#t20160930