public inbox for glibc-bugs-regex@sourceware.org help / color / mirror / Atom feed
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs-regex@sourceware.org Subject: [Bug regex/18040] New: use-after-free in regexec/get_subexp Date: Thu, 26 Feb 2015 21:31:00 -0000 [thread overview] Message-ID: <bug-18040-132@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=18040 Bug ID: 18040 Summary: use-after-free in regexec/get_subexp Product: glibc Version: 2.21 Status: NEW Severity: normal Priority: P2 Component: regex Assignee: unassigned at sourceware dot org Reporter: konstantin.s.serebryany at gmail dot com CC: drepper.fsp at gmail dot com Flags: security+ #include <regex.h> #include <stdio.h> int main() { regex_t r; char *p = "!(.*)*\\*)\\1"; char *s = "!!(.*)*\\*)\\1"; if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED)) regexec(&r, s, 0, 0, 0); regfree(&r); return 0; } % gcc -c re2.c && valgrind -q ./a.out ==38369== Invalid read of size 1 ==38369== at 0x4F11FEC: get_subexp (regexec.c:2788) ==38369== by 0x4F11FEC: transit_state_bkref (regexec.c:2603) ==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384) ==38369== by 0x4F1438A: check_matching (regexec.c:1160) ==38369== by 0x4F1438A: re_search_internal (regexec.c:829) ==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253) clang/fuzz/a.out) ==38369== Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd ==38369== at 0x4C2CB0A: realloc (vg_replace_malloc.c:692) ==38369== by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157) ==38369== by 0x4F0ADE3: extend_buffers (regexec.c:4110) ==38369== by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728) ==38369== by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852) ==38369== by 0x4F120FE: get_subexp (regexec.c:2819) ==38369== by 0x4F120FE: transit_state_bkref (regexec.c:2603) ==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384) ==38369== by 0x4F1438A: check_matching (regexec.c:1160) ==38369== by 0x4F1438A: re_search_internal (regexec.c:829) ==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253) 2.19 and fresh trunk are affected. This is admittedly a use-after-realloc, so with a glibc's malloc it *may* be hard to exploit, but if a different malloc is used this may become a true use-after-free. So, conservatively applying security+. Found with the same fuzzer as bugs 18032, 18036, 18037 -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2015-02-26 21:31 UTC|newest] Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-02-26 21:31 konstantin.s.serebryany at gmail dot com [this message] 2015-03-19 14:53 ` [Bug regex/18040] " fweimer at redhat dot com 2015-03-19 16:20 ` konstantin.s.serebryany at gmail dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-18040-132@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs-regex@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).