modify augtool execute error #660

Open
wants to merge 2 commits into
base: master

traffic-millions

I ran into a problem: executing "augtool print /file/etc/hosts" causes a segmentation fault.

So I searched and found that when the call to the re_compile_pattern function fails, maybe because of a very complex regular expression, the regexp_match function returns -3, which means "Syntax error in regexp", and that is normal.

But on the next call to the regexp_match function, the program skips regexp_compile and goes directly to re_match; the input parameter is re->re, and since regexp_compile failed last time, the input parameter is not valid. I think this is the root cause of the segmentation fault.

I made some changes, like this:

//augeas/src/get.c
count = regexp_match(re, state->text, size, start, regs);
if (count < -1) {
        regexp_match_error(state, lens, count, re);
        FREE(regs);
        // add this line
        FREE(re->re);
        return -1;
}

and the problem is gone.

@traffic-millions
Author

@lutter

@ptoscano
Contributor

Hi @traffic-millions,

I'm not one of the augeas maintainers, just a contributor.

I tried to reproduce your issue with augeas 1.12.0 (the latest) as available in Fedora 31, and augtool print /file/etc/hosts does not crash (exits with code=0 and prints nothing, as expected).
Can you please share:

  • which augeas version did you test, and on which operating system / distribution
  • the full backtrace of the crash, possibly by compiling augeas in debug mode

Thanks!

@traffic-millions
Author

1. I tested augeas version 1.4.0, and the operating system is EulerOS;
2. The backtrace of the crash: [image]

@ptoscano
Contributor

1. I tested augeas version 1.4.0, and the operating system is EulerOS;

This version is almost 5 years old, and there have been lots of fixes since then. Can you please test using the latest version, i.e. augeas 1.12.0?

@traffic-millions
Author

@ptoscano
Actually, I tested augeas version 1.12.0, and it cannot reproduce this problem. But that does not mean it's OK: I have read the logic of the source code, and the augtool execution is the same as in 1.4.0.

When the call to the re_compile_pattern function fails, maybe because of a very complex regular expression, the regexp_match function will return. But the next time regexp_match is called, the program will skip regexp_compile and go directly to re_match; the input parameter is re->re, and since regexp_compile failed last time, the input parameter is not valid. Then the problem will happen.

1.12.0 doesn't reproduce this problem because the call to re_compile_pattern succeeds; maybe the complex regular expression is not complex enough for 1.12.0.

But if the re_compile_pattern call fails, the problem will happen. 1.12.0 doesn't handle the exception properly.

@ptoscano
Contributor

You need to come up with a reproducer then, because otherwise it is hard to understand why it is an issue (assuming it is).

@kerongw

kerongw commented Dec 13, 2022

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000ffffb73f86a4 in re_search_stub (bufp=0xaaab05eef8f0,
    string=0xaaab056eb800 "$template sysmonitorformat,\"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%msg%\\n\"\n\n$outchannel sysmonitor, /var/log/sysmonitor.log, 2097152, /usr/libexec/sysmonitor/sysmonitor_log_dump.sh\nif ($pro"..., length=480, start=0, range=range@entry=0, stop=480, regs=0xaaab05dfa5a0, ret_len=ret_len@entry=true) at regexec.c:396
396	  lock_lock (dfa->lock);
(gdb) bt
#0  0x0000ffffb73f86a4 in re_search_stub (bufp=0xaaab05eef8f0,
    string=0xaaab056eb800 "$template sysmonitorformat,\"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%msg%\\n\"\n\n$outchannel sysmonitor, /var/log/sysmonitor.log, 2097152, /usr/libexec/sysmonitor/sysmonitor_log_dump.sh\nif ($pro"..., length=480, start=0, range=range@entry=0, stop=480, regs=0xaaab05dfa5a0, ret_len=ret_len@entry=true) at regexec.c:396
#1  0x0000ffffb73f8e84 in __re_match (bufp=<optimized out>, string=<optimized out>, length=<optimized out>, start=<optimized out>, regs=<optimized out>) at regexec.c:285
#2  0x0000ffffb7765bd8 in match (state=0xffffc5e65078, lens=lens@entry=0xaaab04e0ed00, re=0xaaab04d4f400, size=size@entry=480, start=start@entry=0) at get.c:454
#3  0x0000ffffb7765da0 in init_regs (state=state@entry=0xffffc5e65078, lens=lens@entry=0xaaab04e0ed00, size=size@entry=480) at get.c:1583
#4  0x0000ffffb7768aec in lns_get (info=info@entry=0xaaab05efd650, lens=lens@entry=0xaaab04e0ed00,
    text=text@entry=0xaaab056eb800 "$template sysmonitorformat,\"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%msg%\\n\"\n\n$outchannel sysmonitor, /var/log/sysmonitor.log, 2097152, /usr/libexec/sysmonitor/sysmonitor_log_dump.sh\nif ($pro"..., enable_span=0, err=err@entry=0xffffc5e651c8) at get.c:1628
#5  0x0000ffffb7762100 in lens_get (aug=aug@entry=0xaaab04c38450, lens=lens@entry=0xaaab04e0ed00, filename=filename@entry=0xaaab05df7f10 "/etc/rsyslog.d/sysmonitor.conf",
    text=text@entry=0xaaab056eb800 "$template sysmonitorformat,\"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%msg%\\n\"\n\n$outchannel sysmonitor, /var/log/sysmonitor.log, 2097152, /usr/libexec/sysmonitor/sysmonitor_log_dump.sh\nif ($pro"..., text_len=text_len@entry=480, path=path@entry=0xaaab05ee4a20 "/files/etc/rsyslog.d/sysmonitor.conf", err=err@entry=0xffffc5e651c8) at transform.c:608
#6  0x0000ffffb7764120 in load_file (filename=0xaaab05df7f10 "/etc/rsyslog.d/sysmonitor.conf", lens_name=<optimized out>, lens=0xaaab04e0ed00, aug=0xaaab04c38450) at transform.c:652
#7  transform_load (aug=aug@entry=0xaaab04c38450, xfm=xfm@entry=0xaaab04c40de0, file=file@entry=0x0) at transform.c:898
#8  0x0000ffffb77412a8 in aug_load (aug=aug@entry=0xaaab04c38450) at augeas.c:771
#9  0x0000ffffb77436d4 in aug_init (root=<optimized out>, loadpath=<optimized out>, flags=<optimized out>) at augeas.c:629
#10 0x0000aaaae62024e0 in main (argc=1, argv=0xffffc5e65708) at augtool.c:716

I also encountered the same problem. As mentioned above, r->re was not released after the re_compile_pattern() call failed. The next time in regexp_match(), the input r->re is still the one from the last failed re_compile_pattern(). The value of r->re->buff is NULL in re_match() -> re_search_stub(), and a segmentation fault occurs.
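
The failure mode discussed in this thread, reduced to a stand-alone sketch; this is an added example, not code from augeas or from any participant. It assumes POSIX `regcomp`/`regexec` in place of `re_compile_pattern`/`re_match`, and `struct lazy_re`, `lazy_compile`, `lazy_match`, `would_skip_compile` and the return codes are hypothetical names. With `reset_on_failure` set to 0 the buffer stays attached after a failed compile, which is the state the thread describes; the example only inspects that state and never matches against it.

```c
#include <regex.h>
#include <stdlib.h>

/* Hypothetical stand-in for a lazily compiled regexp object. */
struct lazy_re {
    const char *pattern;
    regex_t    *re;          /* NULL means "not compiled yet" */
};

/* The example's own codes; -3 mirrors the value quoted in the thread. */
enum { RE_NOMATCH = -1, RE_ENOMEM = -2, RE_ESYNTAX = -3 };

/* Compile on first use. With reset_on_failure == 0 the buffer stays
 * attached after a failed compile, so later calls skip compilation. */
static int lazy_compile(struct lazy_re *r, int reset_on_failure)
{
    if (r->re != NULL)
        return 0;                        /* assumed already compiled */
    r->re = calloc(1, sizeof(*r->re));
    if (r->re == NULL)
        return RE_ENOMEM;
    if (regcomp(r->re, r->pattern, REG_EXTENDED | REG_NOSUB) != 0) {
        if (reset_on_failure) {
            /* Contents are undefined after a failed regcomp: no regfree. */
            free(r->re);
            r->re = NULL;
        }
        return RE_ESYNTAX;
    }
    return 0;
}

/* Hardened match: 1 on match, RE_NOMATCH, or the compile error again on
 * every call for as long as the pattern cannot be compiled. */
static int lazy_match(struct lazy_re *r, const char *text)
{
    int rc = lazy_compile(r, 1);
    if (rc < 0) return rc;
    return regexec(r->re, text, 0, NULL, 0) == 0 ? 1 : RE_NOMATCH;
}

/* True when the next call would skip compilation and use r->re as is. */
static int would_skip_compile(const struct lazy_re *r) { return r->re != NULL; }

int main(void)
{
    struct lazy_re bad = { "a(b", NULL };   /* constructed invalid pattern */
    int first = lazy_match(&bad, "ab"), second = lazy_match(&bad, "ab");
    return (first == RE_ESYNTAX && second == RE_ESYNTAX && !would_skip_compile(&bad)) ? 0 : 1;
}
```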
