[Secure-testing-team] Bug#869220: agrep crash caused by double free

Stefan Weil sw at weilnetz.de
Fri Jul 21 16:37:26 UTC 2017


Package: agrep
Version: 4.17-9
Severity: important
Tags: security patch

The following crash can be reproduced (files can be downloaded with base URL
https://digi.bib.uni-mannheim.de/periodika/reichsanzeiger/ocr/film/tesseract-4.0.0-alpha.20170703/):

$ agrep -2 -l -d '$$' 'Beilage zum Deutſchen' 001-1879/0006.txt 001-1879/0009.txt 001-1879/0012.txt 001-1879/0008.txt 001-1879/0005.txt 001-1879/0010.txt 001-1879/0003.txt 001-1879/0007.txt 001-1879/0011.txt 001-1879/0002.txt 001-1879/0001.txt 001-1879/0004.txt 001-7920/0335.txt 001-7920/0198.txt 001-7920/0428.txt 001-7920/0006.txt 001-7920/0456.txt 001-7920/0487.txt 001-7920/0406.txt 001-7920/0096.txt 001-7920/0265.txt 001-7920/0370.txt 001-7920/0464.txt 001-7920/0364.txt 001-7920/0055.txt 001-7920/0260.txt 001-7920/0185.txt 001-7920/0389.txt 001-7920/0359.txt 001-7920/0275.txt 001-7920/0372.txt 001-7920/0345.txt 001-7920/0131.txt 001-7920/0015.txt 001-7920/0351.txt 001-7920/0009.txt 001-7920/0491.txt 001-7920/0052.txt 001-7920/0022.txt 001-7920/0241.txt 001-7920/0081.txt 001-7920/0114.txt
001-1879/0009.txt
001-7920/0114.txt
*** Error in `agrep': double free or corruption (!prev): 0x000055be126b8710 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5c1c88cbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5c1c892f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x777de)[0x7f5c1c8937de]
agrep(+0x6de7)[0x55be12168de7]
agrep(+0x13a59)[0x55be12175a59]
agrep(+0xff82)[0x55be12171f82]
agrep(+0x1171c)[0x55be1217371c]
agrep(main+0x41)[0x55be12165db1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f5c1c83c2b1]
agrep(+0x3dfd)[0x55be12165dfd]
Aborted

The code indeed is buggy, and using Valgrind I found this and also
another memory-related bug.

Here are the bug fixes for a newer version of agrep:
https://github.com/Wikinaut/agrep/pull/13

Similar changes can be applied to the Debian version:

diff --git a/asearch.c b/asearch.c
index 38ad3fb..d39907c 100644
--- a/asearch.c
+++ b/asearch.c
@@ -254,7 +254,6 @@ Nextchar1file:
                                        { 
                                                if(FILENAMEONLY && (NEW_FILE || !POST_FILTER)) {
                                                        num_of_matched++;
-                                                       free_buf(text, buffer);
 
                                                        if (agrep_finalfp != NULL)
                                                                fprintf(agrep_finalfp, "%s", CurrentFileName);
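Review bot: Removing `free_buf(text, buffer);` from the FILENAMEONLY branch stops the second free, but this hunk does not show the common exit path that is supposed to release the buffer afterwards; please confirm that path still frees it exactly once, and re-run the Valgrind check with `-l` so the branch does not now leak instead of double-freeing. A short comment at the deletion site (for instance `/* buffer is released once on the common path, do not free here */`) would keep a future contributor from reinstating the call.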
diff --git a/sgrep.c b/sgrep.c
index aadbd23..77340b9 100644
--- a/sgrep.c
+++ b/sgrep.c
@@ -1079,7 +1079,9 @@ register CHARTYPE *text, *textend, *pat, *oldpat;
        CHARTYPE *lastout = text;
        int newlen;
 
-       Candidate[0][0] = Candidate[0][1] = 0; 
+       Candidate[0][0] = 0;
+       Candidate[0][1] = 0;
+       Candidate[1][0] = 0;
        d1 = shift_1;
        cdx = 0;
        if(m < 3) r1 = m;
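Review bot: The added `Candidate[1][0] = 0;` is the substantive change in this hunk, while the two lines before it only split the original `Candidate[0][0] = Candidate[0][1] = 0;` into separate statements; nothing in the diff records why that extra element must be zeroed. Add a comment at the assignment naming the read that otherwise sees an uninitialised value (the Valgrind finding the report mentions), and consider clearing the first rows of Candidate with a single memset instead of three scalar stores, so a later change to how many entries are read before being written does not reintroduce the problem.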



-- System Information:
Debian Release: 9.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/32 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages agrep depends on:
ii  libc6  2.24-11+deb9u1

agrep recommends no packages.

agrep suggests no packages.

-- no debconf information

