rpms/grep
5
0
Fork 0
Code Issues Pull Requests Releases Activity

New version

Browse Source 
Resolves: rhbz#1277113
- Dropped buf-overrun-fix, recurse-behaviour-change-doc, gnulib
  patches (all upstreamed)
- Minor spec cleanup to be consistent with whitespaces
This commit is contained in:
Jaroslav Škarvada 2015-11-02 15:35:01 +01:00
parent 498ee4a5ac
commit 382fd79bc2
7 changed files with 18 additions and 202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
grep-2.21-buf-overrun-fix.patch
View File

@ -1,146 +0,0 @@
From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
From: Yuliy Pisetsky <ypisetsky@fb.com>
Date: Thu, 01 Jan 2015 23:36:55 +0000
Subject: grep -F: fix a heap buffer (read) overrun
grep's read buffer is often filled to its full size, except when
reading the final buffer of a file. In that case, the number of
bytes read may be far less than the size of the buffer. However, for
certain unusual pattern/text combinations, grep -F would mistakenly
examine bytes in that uninitialized region of memory when searching
for a match. With carefully chosen inputs, one can cause grep -F to
read beyond the end of that buffer altogether. This problem arose via
commit v2.18-90-g73893ff with the introduction of a more efficient
heuristic using what is now the memchr_kwset function. The use of
that function in bmexec_trans could leave TP much larger than EP,
and the subsequent call to bm_delta2_search would mistakenly access
beyond end of the main input read buffer.
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
do not call bm_delta2_search.
* tests/kwset-abuse: New file.
* tests/Makefile.am (TESTS): Add it.
* THANKS.in: Update.
* NEWS (Bug fixes): Mention it.
Prior to this patch, this command would trigger a UMR:
printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
Use of uninitialised value of size 8
at 0x4142BE: bmexec_trans (kwset.c:657)
by 0x4143CA: bmexec (kwset.c:678)
by 0x414973: kwsexec (kwset.c:848)
by 0x414DC4: Fexecute (kwsearch.c:128)
by 0x404E2E: grepbuf (grep.c:1238)
by 0x4054BF: grep (grep.c:1417)
by 0x405CEB: grepdesc (grep.c:1645)
by 0x405EC1: grep_command_line_arg (grep.c:1692)
by 0x4077D4: main (grep.c:2570)
See the accompanying test for how to trigger the heap buffer overrun.
Thanks to Nima Aghdaii for testing and finding numerous
ways to break early iterations of this patch.
---
--- a/THANKS.in
+++ b/THANKS.in
@@ -62,6 +62,7 @@ Michael Aichlmayr mikla@nx.com
Miles Bader miles@ccs.mt.nec.co.jp
Mirraz Mirraz mirraz1@rambler.ru
Nelson H. F. Beebe beebe@math.utah.edu
+Nima Aghdaii naghdaii@fb.com
Olaf Kirch okir@ns.lst.de
Paul Kimoto kimoto@spacenet.tn.cornell.edu
Péter Radics mitchnull@gmail.com
diff --git a/src/kwset.c b/src/kwset.c
index 6d21893..998dbfe 100644
--- a/src/kwset.c
+++ b/src/kwset.c
@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
if (! tp)
return -1;
tp++;
+ if (ep <= tp)
+ break;
}
}
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 217a731..2f69835 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -72,6 +72,7 @@ TESTS = \
inconsistent-range \
invalid-multibyte-infloop \
khadafy \
+ kwset-abuse \
long-line-vs-2GiB-read \
match-lines \
max-count-overread \
diff --git a/tests/Makefile.in b/tests/Makefile.in
index e40a070..9ecafe7 100644
--- a/tests/Makefile.in
+++ b/tests/Makefile.in
@@ -1376,6 +1376,7 @@ TESTS = \
inconsistent-range \
invalid-multibyte-infloop \
khadafy \
+ kwset-abuse \
long-line-vs-2GiB-read \
match-lines \
max-count-overread \
@@ -2030,6 +2031,13 @@
$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+kwset-abuse.log: kwset-abuse
+ @p='kwset-abuse'; \
+ b='kwset-abuse'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
long-line-vs-2GiB-read.log: long-line-vs-2GiB-read
@p='long-line-vs-2GiB-read'; \
diff --git a/tests/kwset-abuse b/tests/kwset-abuse
new file mode 100755
index 0000000..6d8ec0c
--- a/dev/null
+++ b/tests/kwset-abuse
@@ -0,0 +1,32 @@
+#! /bin/sh
+# Evoke a segfault in a hard-to-reach code path of kwset.c.
+# This bug affected grep versions 2.19 through 2.21.
+#
+# Copyright (C) 2015 Free Software Foundation, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+
+fail=0
+
+# This test case chooses a haystack of size 260,000, since prodding
+# with gdb showed a reallocation slightly larger than that in fillbuf.
+# To reach the buggy code, the needle must have length < 1/11 that of
+# the haystack, and 10,000 is a nice round number that fits the bill.
+printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
+
+test $? = 1 || fail=1
+
+Exit $fail
--
cgit v0.9.0.2

11
grep-2.21-gnulib.patch
View File

@ -1,11 +0,0 @@
--- grep-2.21/build-aux/update-copyright.orig 2015-08-02 18:10:29.174256966 +0100
+++ grep-2.21/build-aux/update-copyright 2015-08-02 18:11:19.926287054 +0100
@@ -124,7 +124,7 @@
use warnings;
my $copyright_re = 'Copyright';
-my $circle_c_re = '(?:\([cC]\)|@copyright{}|&copy;)';
+my $circle_c_re = '(?:\([cC]\)|@copyright\{}|\\\\\(co|&copy;)';
my $holder = $ENV{UPDATE_COPYRIGHT_HOLDER};
$holder ||= 'Free Software Foundation, Inc.';
my $prefix_max = 5;

24
grep-2.21-recurse-behaviour-change-doc.patch
View File

@ -1,24 +0,0 @@
diff --git a/doc/grep.in.1 b/doc/grep.in.1
index 5a1e3ea..3f633ea 100644
--- a/doc/grep.in.1
+++ b/doc/grep.in.1
@@ -478,6 +478,7 @@ Search only files whose base name matches
.BR \-r ", " \-\^\-recursive
Read all files under each directory, recursively,
following symbolic links only if they are on the command line.
+Note that if no file operand is given, grep searches the working directory.
This is equivalent to the
.B "\-d recurse"
option.
diff --git a/doc/grep.texi b/doc/grep.texi
index da9a1be..63016bd 100644
--- a/doc/grep.texi
+++ b/doc/grep.texi
@@ -698,6 +698,7 @@ For each directory operand,
read and process all files in that directory, recursively.
Follow symbolic links on the command line, but skip symlinks
that are encountered recursively.
+Note that if no file operand is given, grep searches the working directory.
This is the same as the @samp{--directories=recurse} option.
@item -R

4
grep-2.21-help-align.patch → grep-2.22-help-align.patch
View File

@ -1,8 +1,8 @@
diff --git a/src/grep.c b/src/grep.c
index e3461a7..50a9868 100644
index 7315bd0..2748fd3 100644
--- a/src/grep.c
+++ b/src/grep.c
@@ -1757,17 +1757,20 @@ Output control:\n\
@@ -1813,17 +1813,20 @@ Output control:\n\
-D, --devices=ACTION how to handle devices, FIFOs and sockets;\n\
ACTION is 'read' or 'skip'\n\
-r, --recursive like --directories=recurse\n\

6
grep-2.21-man-fix-gs.patch → grep-2.22-man-fix-gs.patch
View File

@ -1,5 +1,5 @@
diff --git a/doc/grep.in.1 b/doc/grep.in.1
index b6362ee..5a1e3ea 100644
index 2b513a8..40ac40d 100644
--- a/doc/grep.in.1
+++ b/doc/grep.in.1
@@ -314,7 +314,7 @@ Print
@ -47,10 +47,10 @@ index b6362ee..5a1e3ea 100644
.TP
.BR \-a ", " \-\^\-text
diff --git a/src/grep.c b/src/grep.c
index 8dbf86e..e3461a7 100644
index 2c5e09a..7315bd0 100644
--- a/src/grep.c
+++ b/src/grep.c
@@ -1781,6 +1781,8 @@ Context control:\n\
@@ -1837,6 +1837,8 @@ Context control:\n\
"));
printf (_("\
-NUM same as --context=NUM\n\

27
grep.spec
View File

@ -2,8 +2,8 @@
Summary: Pattern matching utilities
Name: grep
Version: 2.21
Release: 7%{?dist}
Version: 2.22
Release: 1%{?dist}
License: GPLv3+
URL: http://www.gnu.org/software/grep/
Group: Applications/Text
@ -14,16 +14,9 @@ Source2: colorgrep.csh
Source3: GREP_COLORS
Source4: grepconf.sh
# upstream ticket 39444
Patch0: grep-2.21-man-fix-gs.patch
Patch0: grep-2.22-man-fix-gs.patch
# upstream ticket 39445
Patch1: grep-2.21-help-align.patch
# fix buffer overrun for grep -F, rhbz#1183653
Patch2: grep-2.21-buf-overrun-fix.patch
# backported from upstream
# http://git.savannah.gnu.org/cgit/grep.git/commit/?id=c8b9364d5900a40809827aee6cc53705073278f6
Patch3: grep-2.21-recurse-behaviour-change-doc.patch
# http://www.mail-archive.com/bug-gnulib%40gnu.org/msg31638.html
Patch4: grep-2.21-gnulib.patch
Patch1: grep-2.22-help-align.patch
Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
@ -43,9 +36,6 @@ GNU grep is needed by many scripts, so it shall be installed on every system.
%setup -q
%patch0 -p1 -b .man-fix-gs
%patch1 -p1 -b .help-align
%patch2 -p1 -b .buf-overrun-fix
%patch3 -p1 -b .recurse-behaviour-change-doc
%patch4 -p1 -b .gnulib
chmod 755 tests/kwset-abuse
@ -82,7 +72,7 @@ make check
%preun
if [ $1 = 0 ]; then
/sbin/install-info --quiet --info-dir=%{_infodir} --delete %{_infodir}/grep.info.gz || :
/sbin/install-info --quiet --info-dir=%{_infodir} --delete %{_infodir}/grep.info.gz || :
fi
%files -f %{name}.lang
@ -98,6 +88,13 @@ fi
%{_libexecdir}/grepconf.sh
%changelog
* Mon Nov 2 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 2.22-1
- New version
Resolves: rhbz#1277113
- Dropped buf-overrun-fix, recurse-behaviour-change-doc, gnulib
patches (all upstreamed)
- Minor spec cleanup to be consistent with whitespaces
* Sun Aug 2 2015 Peter Robinson <pbrobinson@fedoraproject.org> 2.21-7
- Minor spec cleanups and modifications
- Drop Changelog, details in NEWS

2
sources
View File

@ -1 +1 @@
43c48064d6409862b8a850db83c8038a grep-2.21.tar.xz
e1015e951a49a82b02e38891026ef5df grep-2.22.tar.xz