public inbox for glibc-bugs-regex@sourceware.org
help / color / mirror / Atom feed
* [Bug regex/18040] New: use-after-free in regexec/get_subexp
@ 2015-02-26 21:31 konstantin.s.serebryany at gmail dot com
2015-03-19 14:53 ` [Bug regex/18040] " fweimer at redhat dot com
2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
0 siblings, 2 replies; 3+ messages in thread
From: konstantin.s.serebryany at gmail dot com @ 2015-02-26 21:31 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
Bug ID: 18040
Summary: use-after-free in regexec/get_subexp
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Flags: security+
#include <regex.h>
#include <stdio.h>
int main() {
regex_t r;
char *p = "!(.*)*\\*)\\1";
char *s = "!!(.*)*\\*)\\1";
if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED))
regexec(&r, s, 0, 0, 0);
regfree(&r);
return 0;
}
% gcc -c re2.c && valgrind -q ./a.out
==38369== Invalid read of size 1
==38369== at 0x4F11FEC: get_subexp (regexec.c:2788)
==38369== by 0x4F11FEC: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
clang/fuzz/a.out)
==38369== Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd
==38369== at 0x4C2CB0A: realloc (vg_replace_malloc.c:692)
==38369== by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157)
==38369== by 0x4F0ADE3: extend_buffers (regexec.c:4110)
==38369== by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728)
==38369== by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852)
==38369== by 0x4F120FE: get_subexp (regexec.c:2819)
==38369== by 0x4F120FE: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
2.19 and fresh trunk are affected.
This is admittedly a use-after-realloc, so with a glibc's malloc it *may*
be hard to exploit, but if a different malloc is used this may become a true
use-after-free. So, conservatively applying security+.
Found with the same fuzzer as bugs 18032, 18036, 18037
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread* [Bug regex/18040] use-after-free in regexec/get_subexp
2015-02-26 21:31 [Bug regex/18040] New: use-after-free in regexec/get_subexp konstantin.s.serebryany at gmail dot com
@ 2015-03-19 14:53 ` fweimer at redhat dot com
2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
1 sibling, 0 replies; 3+ messages in thread
From: fweimer at redhat dot com @ 2015-03-19 14:53 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is it possible to trigger this without REG_EXTENDED and a back reference?
(“\1” in an ERE makes behavior undefined according to POSIX.)
--
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-regex-return-677-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Thu Mar 19 15:54:32 2015
Return-Path: <glibc-bugs-regex-return-677-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com
Received: (qmail 125860 invoked by alias); 19 Mar 2015 15:54:32 -0000
Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs-regex.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-regex-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs-regex@sourceware.org>
List-Help: <mailto:glibc-bugs-regex-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-regex-owner@sourceware.org
Delivered-To: mailing list glibc-bugs-regex@sourceware.org
Received: (qmail 125795 invoked by uid 48); 19 Mar 2015 15:54:24 -0000
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/18040] use-after-free in regexec/get_subexp
Date: Thu, 19 Mar 2015 15:54:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.21
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-18040-132-DCAqTg2r7E@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-18040-132@http.sourceware.org/bugzilla/>
References: <bug-18040-132@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-03/txt/msg00005.txt.bz2
Content-length: 525
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
--- Comment #2 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Florian Weimer from comment #1)
> Is it possible to trigger this without REG_EXTENDED and a back reference?
>
> (“\1” in an ERE makes behavior undefined according to POSIX.)
I don't think I've seen this w/o REG_EXTENDED, but let me re-run the fuzzer
with cflags=0
--
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-regex-return-678-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org Thu Mar 19 16:17:25 2015
Return-Path: <glibc-bugs-regex-return-678-listarch-glibc-bugs-regex=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs-regex@sources.redhat.com
Received: (qmail 48904 invoked by alias); 19 Mar 2015 16:17:25 -0000
Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs-regex.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-regex-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs-regex@sourceware.org>
List-Help: <mailto:glibc-bugs-regex-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-regex-owner@sourceware.org
Delivered-To: mailing list glibc-bugs-regex@sourceware.org
Received: (qmail 48700 invoked by uid 48); 19 Mar 2015 16:17:21 -0000
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/18037] infinite recursion (stack overflow) in regexec.c (sift_states_bkref->sift_states_backward->update_cur_sifted_state)
Date: Thu, 19 Mar 2015 16:17:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.21
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security?
X-Bugzilla-Changed-Fields:
Message-ID: <bug-18037-132-DXV0arZb1b@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-18037-132@http.sourceware.org/bugzilla/>
References: <bug-18037-132@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-03/txt/msg00006.txt.bz2
Content-length: 385
https://sourceware.org/bugzilla/show_bug.cgi?id\x18037
--- Comment #1 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Happens also without REG_EXTENDED:
#include <regex.h>
int main() {
regex_t r;
if (!regcomp(&r, "^9*\\(\\)\\1\\+\\+", 0))
regexec(&r, "foo.*bar", 0, 0, 0);
}
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread* [Bug regex/18040] use-after-free in regexec/get_subexp
2015-02-26 21:31 [Bug regex/18040] New: use-after-free in regexec/get_subexp konstantin.s.serebryany at gmail dot com
2015-03-19 14:53 ` [Bug regex/18040] " fweimer at redhat dot com
@ 2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
1 sibling, 0 replies; 3+ messages in thread
From: konstantin.s.serebryany at gmail dot com @ 2015-03-19 16:20 UTC (permalink / raw)
To: glibc-bugs-regex
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
--- Comment #3 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
A quick fuzzing session did not reveal this bug with cflags=0,
but due to bug 18037 (and probably some other similar issues)
fuzzing is not very efficient.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-03-19 16:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-02-26 21:31 [Bug regex/18040] New: use-after-free in regexec/get_subexp konstantin.s.serebryany at gmail dot com
2015-03-19 14:53 ` [Bug regex/18040] " fweimer at redhat dot com
2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).