public inbox for glibc-bugs-regex@sourceware.org
help / color / mirror / Atom feed
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/18040] New: use-after-free in regexec/get_subexp
Date: Thu, 26 Feb 2015 21:31:00 -0000 [thread overview]
Message-ID: <bug-18040-132@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
Bug ID: 18040
Summary: use-after-free in regexec/get_subexp
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Flags: security+
#include <regex.h>
#include <stdio.h>
int main() {
regex_t r;
char *p = "!(.*)*\\*)\\1";
char *s = "!!(.*)*\\*)\\1";
if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED))
regexec(&r, s, 0, 0, 0);
regfree(&r);
return 0;
}
% gcc -c re2.c && valgrind -q ./a.out
==38369== Invalid read of size 1
==38369== at 0x4F11FEC: get_subexp (regexec.c:2788)
==38369== by 0x4F11FEC: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
clang/fuzz/a.out)
==38369== Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd
==38369== at 0x4C2CB0A: realloc (vg_replace_malloc.c:692)
==38369== by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157)
==38369== by 0x4F0ADE3: extend_buffers (regexec.c:4110)
==38369== by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728)
==38369== by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852)
==38369== by 0x4F120FE: get_subexp (regexec.c:2819)
==38369== by 0x4F120FE: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
2.19 and fresh trunk are affected.
This is admittedly a use-after-realloc, so with a glibc's malloc it *may*
be hard to exploit, but if a different malloc is used this may become a true
use-after-free. So, conservatively applying security+.
Found with the same fuzzer as bugs 18032, 18036, 18037
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2015-02-26 21:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-26 21:31 konstantin.s.serebryany at gmail dot com [this message]
2015-03-19 14:53 ` [Bug regex/18040] " fweimer at redhat dot com
2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-18040-132@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs-regex@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).