[Bug 1580385] Re: /usr/bin/nmap:11:hascaptures:hascaptures:hascaptures:hascaptures:hascaptures

Bug Watch Updater 1580385 at bugs.launchpad.net
Wed Nov 6 17:19:30 UTC 2019


** Changed in: lua-lpeg (Debian)
       Status: Unknown => New

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1580385

Title:
  /usr/bin/nmap:11:hascaptures:hascaptures:hascaptures:hascaptures:hascaptures

Status in lua-lpeg package in Ubuntu:
  In Progress
Status in lua-lpeg source package in Xenial:
  New
Status in lua-lpeg source package in Bionic:
  New
Status in lua-lpeg source package in Disco:
  New
Status in lua-lpeg source package in Eoan:
  New
Status in lua-lpeg package in Debian:
  New

Bug description:
  [Impact]

  Under certain conditions, lpeg will crash while walking the pattern
  tree looking for TCapture nodes.

  [Test Case]

  The reproducer, taken from an upstream discussion (link in "Other
  info"), is:

  $ cat repro.lua
  #!/usr/bin/env lua
  lpeg = require "lpeg"

  p = lpeg.C(-lpeg.P{lpeg.P'x' * lpeg.V(1) + lpeg.P'y'})
  p:match("xx")

  The program crashes due to a hascaptures() infinite recursion:

  $ ./repro.lua
  Segmentation fault (core dumped)

  (gdb) bt -25
  #523984 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523985 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523986 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523987 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523988 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523989 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523990 0x00007ffff7a3815c in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523991 0x00007ffff7a388e3 in compile () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523992 0x00007ffff7a36fab in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
  #523993 0x000055555555fd1e in ?? ()
  #523994 0x000055555556a5fc in ?? ()
  #523995 0x00005555555600c8 in ?? ()
  #523996 0x000055555555f63f in ?? ()
  #523997 0x000055555556030f in ?? ()
  #523998 0x000055555555dc91 in lua_pcallk ()
  #523999 0x000055555555b896 in ?? ()
  #524000 0x000055555555c54b in ?? ()
  #524001 0x000055555555fd1e in ?? ()
  #524002 0x0000555555560092 in ?? ()
  #524003 0x000055555555f63f in ?? ()
  #524004 0x000055555556030f in ?? ()
  #524005 0x000055555555dc91 in lua_pcallk ()
  #524006 0x000055555555b64b in ?? ()
  #524007 0x00007ffff7c94bbb in __libc_start_main (main=0x55555555b5f0, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8)
      at ../csu/libc-start.c:308
  #524008 0x000055555555b70a in ?? ()

  The expected behavior is for the program to finish normally.

  [Regression potential]

  Low: this is a backport from upstream that only limits the infinite
  recursion in a scenario where it should not happen to begin with (the
  TCapture node search).

  [Other info]

  This was fixed upstream in 1.0.1 by stopping the recursion in TCall
  nodes and ensuring that TRule nodes do not follow their siblings (sib2).
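  The following is an added illustration, not code from LPeg or from this bug: a toy C model of the pattern-tree walk (the node tags and the sib1/sib2 layout are assumed for the example) that runs the unbounded walk over the reproducer's self-recursive grammar next to the bounded walk the fix description above calls for.

```c
/* Toy model of a pattern tree (not LPeg's TTree); sib naming follows the bug report. */
enum Tag { TChar, TSeq, TChoice, TNot, TCapture, TGrammar, TRule, TCall };
typedef struct Node { enum Tag tag; struct Node *sib1, *sib2; } Node; /* TRule: sib1 body, sib2 next rule; TCall: sib2 callee */

/* Unbounded walk: TCall descends into the called rule, so a self-calling
 * rule is revisited forever. The depth guard stands in for the segfault. */
int hascaptures_naive(const Node *t, int depth) {
    if (depth > 10000) return -1;
    switch (t->tag) {
    case TCapture: return 1;
    case TChar:    return 0;
    case TCall:    return hascaptures_naive(t->sib2, depth + 1);
    default: {     /* TSeq, TChoice, TRule, TNot, TGrammar: sib1, then sib2 */
        int r = hascaptures_naive(t->sib1, depth + 1);
        if (r != 0 || t->sib2 == 0) return r;
        return hascaptures_naive(t->sib2, depth + 1);
    }
    }
}

/* Bounded walk, as the bug describes the fix: TCall stops the recursion and
 * TRule ignores sib2. Scanning every rule from TGrammar is this model's choice. */
int hascaptures_fixed(const Node *t) {
    switch (t->tag) {
    case TCapture: return 1;
    case TChar: case TCall: return 0;
    case TRule: case TNot:  return hascaptures_fixed(t->sib1);
    case TGrammar:
        for (const Node *r = t->sib1; r != 0; r = r->sib2)
            if (hascaptures_fixed(r)) return 1;
        return 0;
    default:  /* TSeq, TChoice */
        return hascaptures_fixed(t->sib1) || hascaptures_fixed(t->sib2);
    }
}
/* Reproducer's inner pattern -P{ P'x' * V(1) + P'y' }: V(1) points back at its own rule. */
static Node n_x = {TChar}, n_y = {TChar}, n_cx = {TCapture, &n_x};
static Node n_call, n_seq, n_choice, n_rule, n_grammar, n_not;
static const Node *build_repro(void) {
    n_call    = (Node){TCall,    0,          &n_rule};   /* V(1) */
    n_seq     = (Node){TSeq,     &n_x,       &n_call};   /* P'x' * V(1) */
    n_choice  = (Node){TChoice,  &n_seq,     &n_y};      /* ... + P'y' */
    n_rule    = (Node){TRule,    &n_choice,  0};         /* rule 1 */
    n_grammar = (Node){TGrammar, &n_rule,    0};         /* P{ ... } */
    n_not     = (Node){TNot,     &n_grammar, 0};         /* -P{ ... } */
    return &n_not;
}
int repro_naive(void) { return hascaptures_naive(build_repro(), 0); } /* -1: walk never ends */
int repro_fixed(void) { return hascaptures_fixed(build_repro()); }    /*  0: no capture inside */
/* Same grammar with C(P'x') inside the rule: the bounded walk still finds it. */
int repro_fixed_inner_capture(void) { build_repro(); n_seq.sib1 = &n_cx; return hascaptures_fixed(&n_not); } /* 1 */
```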

  The upstream discussion can be found here:
  http://lua.2524044.n2.nabble.com/LPeg-intermittent-stack-exhaustion-td7674831.html

  My analysis can be found here:
  http://pastebin.ubuntu.com/p/n4824ftZt9/plain/

  [Original description]

  The Ubuntu Error Tracker has been receiving reports about a problem
  regarding nmap.  This problem was most recently seen with version
  7.01-2ubuntu2, the problem page at
  https://errors.ubuntu.com/problem/5e852236a443bab0279d47c8a9b7e55802bfb46f
  contains more details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lua-lpeg/+bug/1580385/+subscriptions
