From: Gerd Möllmann
Newsgroups: gmane.emacs.bugs
Subject: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Sat, 24 Sep 2022 16:48:29 +0200
To: 58042@debbugs.gnu.org
In-Reply-To: Gerd Möllmann's message of "Sat, 24 Sep 2022 16:17:20 +0200"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (darwin)
Xref: news.gmane.io gmane.emacs.bugs:243538

Gerd Möllmann writes:

> Gerd Möllmann writes:
>> ==79227==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp 0x00016fdcf368
>> READ of size 1 at 0x00011f81e7d1 thread T0
>>     #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
>>     #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
>>     #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
>>     #3 0x10056115c in fast_string_match_internal search.c:492
>>     #4 0x1005045c0 in fast_string_match lisp.h:4818
>>     #5 0x100504018 in Ffind_file_name_handler fileio.c:324
>>     #6 0x1006dbe5c in openp lread.c:1911
>>     #7 0x1006d8844 in Fload lread.c:1302
>>     #8 0x1006e1af0 in save_match_data_load lread.c:1630
>>     #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
>>     #10 0x10067d2f8 in Frequire fns.c:3274

Here's a guess: Suppose that strings are compacted in a GC happening between fast_string_match and re_match_2_internal. That GC compacts strings, moves the data of the string being matched from one block to another, and the block where the string data used to be is freed. Then the char* used in the regexp machine points into no-man's-land.
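The failure mode guessed at above, as an added example that is not part of the bug report or of Emacs's own alloc.c: a toy compacting string heap (names such as `string_data`, `gc_compact`, `work_that_may_gc` and the block layout are assumptions of this example, standing in for SDATA, string compaction and any GC-capable call). A raw `char *` taken before a call that can compact strings is used afterwards, and the read lands in the released block; the two usual fixes, re-deriving the pointer after the last GC-capable call and forbidding GC while the raw pointer is held (what `inhibit_garbage_collection` does in Emacs), are shown beside it. To make the stale read observable without undefined behaviour, the released block is poisoned and kept for one GC cycle instead of being freed at once, much like ASAN's quarantine; with a real free(), the same read is the heap-use-after-free in the trace.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy compacting string heap (assumption of this example, not Emacs's alloc.c):
   string bytes live inside a block; compaction copies every live string into a
   fresh block and releases the old one. */
#define BLOCK_BYTES 256
#define MAX_STRINGS 16
#define POISON 0xDD

struct sblock { char bytes[BLOCK_BYTES]; size_t used; };
struct lstring { struct sblock *block; size_t off; size_t len; };

static struct sblock *current_block;      /* block owning all live string data */
static struct sblock *quarantined;        /* last released block; poisoned, freed on next GC */
static struct lstring *live[MAX_STRINGS];
static int n_live;
static int gc_inhibit;                    /* >0: compaction is not allowed */
static unsigned gc_count;

static struct sblock *new_block(void)
{
  struct sblock *b = calloc(1, sizeof *b);
  if (!b) abort();
  return b;
}

/* Release a block. A real allocator frees it here; this example poisons it and
   holds it for one cycle so that a stale read returns POISON instead of being
   undefined. Seeing POISON through a cached pointer is the bug. */
static void release_block(struct sblock *b)
{
  free(quarantined);
  memset(b->bytes, POISON, sizeof b->bytes);
  quarantined = b;
}

static struct lstring *make_string(const char *src)
{
  size_t n = strlen(src) + 1;
  if (!current_block) current_block = new_block();
  if (n_live == MAX_STRINGS || current_block->used + n > BLOCK_BYTES) abort();
  struct lstring *s = calloc(1, sizeof *s);
  if (!s) abort();
  s->block = current_block;
  s->off = current_block->used;
  s->len = n - 1;
  memcpy(current_block->bytes + s->off, src, n);
  current_block->used += n;
  live[n_live++] = s;
  return s;
}

/* Analogue of SDATA: a raw pointer into the block that currently holds the
   bytes. It is valid only until the next compaction. */
static const char *string_data(const struct lstring *s)
{
  return s->block->bytes + s->off;
}

static void gc_compact(void)
{
  if (gc_inhibit > 0) return;
  struct sblock *nb = new_block();
  for (int i = 0; i < n_live; i++) {
    struct lstring *s = live[i];
    memcpy(nb->bytes + nb->used, string_data(s), s->len + 1);
    s->block = nb;                  /* string now lives in the new block */
    s->off = nb->used;
    nb->used += s->len + 1;
  }
  release_block(current_block);     /* old block is gone */
  current_block = nb;
  gc_count++;
}

/* Stand-in for anything that can run Lisp or otherwise trigger GC between
   taking the pointer and using it (the window between fast_string_match and
   re_match_2_internal in the trace). Here it always compacts. */
static void work_that_may_gc(void) { gc_compact(); }

/* BUG: caches the data pointer across a GC-capable call. After compaction the
   bytes are in the new block; reading *p is the use-after-free (returns POISON). */
static int unsafe_first_byte(struct lstring *s)
{
  const char *p = string_data(s);
  work_that_may_gc();
  return (unsigned char) *p;
}

/* Fix 1: re-derive the pointer after the last call that may GC. */
static int refetch_first_byte(struct lstring *s)
{
  work_that_may_gc();
  return (unsigned char) *string_data(s);
}

/* Fix 2: forbid compaction while the raw pointer is held. */
static int pinned_first_byte(struct lstring *s)
{
  gc_inhibit++;
  const char *p = string_data(s);
  work_that_may_gc();               /* now a no-op */
  int c = (unsigned char) *p;
  gc_inhibit--;
  return c;
}

int main(void)
{
  struct lstring *s = make_string("hello");
  int a = unsafe_first_byte(s), b = refetch_first_byte(s), c = pinned_first_byte(s);
  printf("unsafe: 0x%02x  refetch: %c  pinned: %c  compactions: %u\n", a, b, c, gc_count);
  return 0;
}
```

Running this under AddressSanitizer with `release_block` replaced by a plain `free(b)` turns the poison byte into the same heap-use-after-free report, with `unsafe_first_byte` where `re_match_2_internal` is in the trace; that substitution is the quickest way to confirm the guess on a real build.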