[cmake-developers] [CMake 0015944]: Use after free in regexp functionality

Mantis Bug Tracker mantis at public.kitware.com
Fri Jan 29 13:10:41 EST 2016 

The following issue has been SUBMITTED. 
====================================================================== 
https://public.kitware.com/Bug/view.php?id=15944 
====================================================================== 
Reported By:                hanno
Assigned To:                
====================================================================== 
Project:                    CMake
Issue ID:                   15944
Category:                   CMake
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     new
====================================================================== 
Date Submitted:             2016-01-29 13:10 EST
Last Modified:              2016-01-29 13:10 EST
====================================================================== 
Summary:                    Use after free in regexp functionality
Description: 
The attached file will cause a use after free error in cmake. This is a reduced
example, I originally discovered this by using a version of cmake built with
address sanitizer.

This bug can also be seen by using cmake with valgrind (but the asan output is
more detailed).

Steps to Reproduce: 
1. run "cmake ." in a directory with the attached file. cmake must either be
compiled with address sanitizer or run with valgrind.

Additional Information: 
Here's the significant part of the asan error:

==10481==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000014998
at pc 0x7f7f52711590 bp 0x7ffedc5d4690 sp 0x7ffedc5d4660
READ of size 2 at 0x603000014998 thread T0
    https://public.kitware.com/Bug/view.php?id=0 0x7f7f5271158f in
__interceptor_strchr
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x3458f)
    https://public.kitware.com/Bug/view.php?id=1 0x564b27c3891b in strchr
/usr/include/string.h:226
    https://public.kitware.com/Bug/view.php?id=2 0x564b27c3891b in
cmsys::RegularExpression::find(char const*)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/kwsys/RegularExpression.cxx:928
    https://public.kitware.com/Bug/view.php?id=3 0x564b278c9f7e in
cmConditionEvaluator::HandleLevel2(std::list<cmExpandedCommandArgument,
std::allocator<cmExpandedCommandArgument> >&, std::string&, cmake::MessageType&)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmConditionEvaluator.cxx:608
    https://public.kitware.com/Bug/view.php?id=4 0x564b278decd8 in
cmConditionEvaluator::IsTrue(std::vector<cmExpandedCommandArgument,
std::allocator<cmExpandedCommandArgument> > const&, std::string&,
cmake::MessageType&)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmConditionEvaluator.cxx:78
    https://public.kitware.com/Bug/view.php?id=5 0x564b278df3a0 in
cmIfCommand::InvokeInitialPass(std::vector<cmListFileArgument,
std::allocator<cmListFileArgument> > const&, cmExecutionStatus&)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmIfCommand.cxx:217
    https://public.kitware.com/Bug/view.php?id=6 0x564b276bb068 in
cmMakefile::ExecuteCommand(cmListFileFunction const&, cmExecutionStatus&)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmMakefile.cxx:305
    https://public.kitware.com/Bug/view.php?id=7 0x564b276bb7d2 in
cmMakefile::ReadListFile(cmListFile const&, std::string const&)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmMakefile.cxx:611
    https://public.kitware.com/Bug/view.php?id=8 0x564b276bd3a6 in
cmMakefile::Configure()
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmMakefile.cxx:1663
    https://public.kitware.com/Bug/view.php?id=9 0x564b27aa5ec3 in
cmGlobalGenerator::Configure()
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmGlobalGenerator.cxx:1126
    https://public.kitware.com/Bug/view.php?id=10 0x564b27ac9241 in
cmGlobalUnixMakefileGenerator3::Configure()
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmGlobalUnixMakefileGenerator3.cxx:133
    https://public.kitware.com/Bug/view.php?id=11 0x564b2779ed6b in
cmake::ActualConfigure()
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmake.cxx:1422
    https://public.kitware.com/Bug/view.php?id=12 0x564b277a0248 in
cmake::Configure()
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmake.cxx:1205
    https://public.kitware.com/Bug/view.php?id=13 0x564b277a51f7 in
cmake::Run(std::vector<std::string, std::allocator<std::string> > const&, bool)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmake.cxx:1579
    https://public.kitware.com/Bug/view.php?id=14 0x564b2763f2f9 in
do_cmake(int, char const* const*)
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmakemain.cxx:330
    https://public.kitware.com/Bug/view.php?id=15 0x564b2763751a in main
/var/tmp/portage/dev-util/cmake-3.4.3/work/cmake-3.4.3/Source/cmakemain.cxx:190
    https://public.kitware.com/Bug/view.php?id=16 0x7f7f511b062f in
__libc_start_main (/lib64/libc.so.6+0x2062f)
    https://public.kitware.com/Bug/view.php?id=17 0x564b2763ce78 in _start
(/usr/bin/cmake+0x163e78)

0x603000014998 is located 24 bytes inside of 26-byte region
[0x603000014980,0x60300001499a)
freed by thread T0 here:
    https://public.kitware.com/Bug/view.php?id=0 0x7f7f5273561f in operator
delete(void*) (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5861f)
    https://public.kitware.com/Bug/view.php?id=1 0x7f7f51b08c37 in
std::string::assign(std::string const&)
(/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libstdc++.so.6+0xcec37)
    https://public.kitware.com/Bug/view.php?id=2 0x61c00000f87f (+0xf87f)
    https://public.kitware.com/Bug/view.php?id=3 0x7f7f51b09485 in
std::basic_string<char, std::char_traits<char>, std::allocator<char>
>::basic_string(char const*, std::allocator<char> const&)
(/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libstdc++.so.6+0xcf485)

previously allocated by thread T0 here:
    https://public.kitware.com/Bug/view.php?id=0 0x7f7f5273511f in operator
new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x5811f)
    https://public.kitware.com/Bug/view.php?id=1 0x7f7f51b076c8 in
std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char>
const&) (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libstdc++.so.6+0xcd6c8)
    https://public.kitware.com/Bug/view.php?id=2 0x7f7f51b076c8 in
std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char>
const&) (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libstdc++.so.6+0xcd6c8)
    https://public.kitware.com/Bug/view.php?id=3 0x564b28040147 in
matchVariables (/usr/bin/cmake+0xb67147)

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2016-01-29 13:10 hanno          New Issue                                    
2016-01-29 13:10 hanno          File Added: CMakeLists.txt                    
======================================================================

More information about the cmake-developers mailing list