From: "konstantin.s.serebryany at gmail dot com"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
Date: Tue, 17 Jun 2014 15:22:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17062

            Bug ID: 17062
           Summary: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7641
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7641&action=edit
fn1.c

Given the pattern "[[:alpha:]'[:alpha:]" and locale "en_US.UTF8", fnmatch() will read at least 1 byte past the end of the pattern buffer (maybe more).

Initially found with ASAN-instrumented glibc, then confirmed without ASAN. At least 2.19 and fresh trunk are affected.

ASAN report:

==8418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff5
READ of size 1 at 0x60300000eff5 thread T0
    #0 0x7f31375019f1 in internal_fnmatch glibc-2.19/posix/fnmatch_loop.c:918
    #1 0x7f3137501cb7 in __GI_fnmatch glibc-2.19/posix/fnmatch.c:454
    #2 0x4b364f in main fn1.c:14
0x60300000eff5 is located 0 bytes to the right of 21-byte region [0x60300000efe0,0x60300000eff5)
allocated by thread T0 here:
    #0 0x494ff9 in malloc
    #1 0x7f31374947a5 in __GI___strdup glibc-2.19/string/strdup.c:42
    #2 0x4b363d in main fn1.c:12

Full reproducer attached.

Currently it's a bit tricky to build ASAN-instrumented glibc, but this reproducer happily crashes w/o any tool.

    #0 0x7fee9d62d443 in internal_fnmatch glibc-trunk/posix/fnmatch_loop.c:903
    #1 0x7fee9d62dedd in __GI_fnmatch glibc-trunk/posix/fnmatch.c:454
    #2 0x4b3012 in main fn1.c:30
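The report confirms the over-read "w/o any tool" by letting the read past the strdup'd buffer crash. As an added example (not the attached fn1.c and not glibc code), the harness below makes that check deterministic: it places the pattern's terminating NUL flush against an unmapped guard page, so any read past it faults immediately on any glibc, sanitizer or not. `guarded_copy` and `fnmatch_guarded` are names chosen here; the pattern and locale are the report's.

```c
/* Added harness: copy a pattern so its NUL is the last byte before a PROT_NONE
   guard page.  A read past the NUL then raises SIGSEGV instead of going unnoticed. */
#define _GNU_SOURCE
#include <fnmatch.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map ceil(len/page)+1 pages, make the last one inaccessible, and place `s`
   (including its NUL) flush against that guard page.  Returns NULL on failure. */
static char *guarded_copy(const char *s, void **map, size_t *maplen)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = strlen(s) + 1;                 /* bytes including the NUL */
    size_t data_pages = (len + page - 1) / page;
    *maplen = (data_pages + 1) * page;
    *map = mmap(NULL, *maplen, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (*map == MAP_FAILED) return NULL;
    char *guard = (char *)*map + data_pages * page;
    if (mprotect(guard, page, PROT_NONE) != 0) {
        munmap(*map, *maplen);
        return NULL;
    }
    char *dst = guard - len;                    /* dst[len-1] is the NUL */
    memcpy(dst, s, len);
    return dst;
}

/* fnmatch() on a guarded copy of `pattern`.  Returns fnmatch's own result
   (0 or FNM_NOMATCH), or -1 if the harness could not set up the mapping. */
int fnmatch_guarded(const char *pattern, const char *string)
{
    void *map; size_t maplen;
    char *p = guarded_copy(pattern, &map, &maplen);
    if (p == NULL) return -1;
    int r = fnmatch(p, string, 0);              /* an over-read faults here */
    munmap(map, maplen);
    return r;
}

int main(void)
{
    setlocale(LC_ALL, "en_US.UTF8");            /* as in the report; C locale if absent */
    printf("fnmatch returned %d\n", fnmatch_guarded("[[:alpha:]'[:alpha:]", "a"));
    return 0;
}
```

On an affected glibc the program dies with SIGSEGV inside internal_fnmatch; on a fixed one it prints the match result, so the harness doubles as a regression test.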