public inbox for glibc-bugs-regex@sourceware.org
help / color / mirror / Atom feed
* [Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
@ 2014-06-17 15:22 konstantin.s.serebryany at gmail dot com
  0 siblings, 0 replies; only message in thread
From: konstantin.s.serebryany at gmail dot com @ 2014-06-17 15:22 UTC (permalink / raw)
  To: glibc-bugs-regex

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

            Bug ID: 17062
           Summary: fnmatch: buffer overflow read from pattern
                    "[[:alpha:]'[:alpha:]"
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7641
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7641&action=edit
fn1.c

Given the pattern "[[:alpha:]'[:alpha:]" and locale "en_US.UTF8" fnmatch()
will read at least 1 byte past the end of the pattern buffer (maybe more).

Initially found with ASAN-instrumented glibc, then confirmed without ASAN.
At least 2.19 and fresh trunk are affected.

ASAN report: 
==8418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff5 
READ of size 1 at 0x60300000eff5 thread T0
    #0 0x7f31375019f1 in internal_fnmatch glibc-2.19/posix/fnmatch_loop.c:918
    #1 0x7f3137501cb7 in __GI_fnmatch glibc-2.19/posix/fnmatch.c:454
    #2 0x4b364f in main fn1.c:14

0x60300000eff5 is located 0 bytes to the right of 21-byte region
[0x60300000efe0,0x60300000eff5)
allocated by thread T0 here:
    #0 0x494ff9 in malloc 
    #1 0x7f31374947a5 in __GI___strdup glibc-2.19/string/strdup.c:42
    #2 0x4b363d in main fn1.c:12


Full reproducer attached. 
Currently it's a bit tricky to build ASAN-instrumented glibc,
but this reproducer happily crashes w/o any tool.
    #0 0x7fee9d62d443 in internal_fnmatch glibc-trunk/posix/fnmatch_loop.c:903
    #1 0x7fee9d62dedd in __GI_fnmatch glibc-trunk/posix/fnmatch.c:454
    #2 0x4b3012 in main fn1.c:30

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2014-06-17 15:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-17 15:22 [Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]" konstantin.s.serebryany at gmail dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).