From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 120433 invoked by alias); 26 Feb 2015 21:31:10 -0000 Mailing-List: contact glibc-bugs-regex-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-regex-owner@sourceware.org Received: (qmail 120398 invoked by uid 48); 26 Feb 2015 21:31:06 -0000 From: "konstantin.s.serebryany at gmail dot com" To: glibc-bugs-regex@sourceware.org Subject: [Bug regex/18040] New: use-after-free in regexec/get_subexp Date: Thu, 26 Feb 2015 21:31:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: regex X-Bugzilla-Version: 2.21 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security+ X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc flagtypes.name Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-02/txt/msg00010.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=18040 Bug ID: 18040 Summary: use-after-free in regexec/get_subexp Product: glibc Version: 2.21 Status: NEW Severity: normal Priority: P2 Component: regex Assignee: unassigned at sourceware dot org Reporter: konstantin.s.serebryany at gmail dot com CC: drepper.fsp at gmail dot com Flags: security+ #include #include int main() { regex_t r; char *p = "!(.*)*\\*)\\1"; char *s = "!!(.*)*\\*)\\1"; if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED)) regexec(&r, s, 0, 0, 0); regfree(&r); return 0; } % gcc -c re2.c && valgrind -q ./a.out ==38369== Invalid read of size 1 ==38369== at 0x4F11FEC: get_subexp (regexec.c:2788) ==38369== by 0x4F11FEC: transit_state_bkref (regexec.c:2603) ==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384) ==38369== by 0x4F1438A: check_matching (regexec.c:1160) ==38369== by 0x4F1438A: re_search_internal (regexec.c:829) ==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253) clang/fuzz/a.out) ==38369== Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd ==38369== at 0x4C2CB0A: realloc (vg_replace_malloc.c:692) ==38369== by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157) ==38369== by 0x4F0ADE3: extend_buffers (regexec.c:4110) ==38369== by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728) ==38369== by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852) ==38369== by 0x4F120FE: get_subexp (regexec.c:2819) ==38369== by 0x4F120FE: transit_state_bkref (regexec.c:2603) ==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384) ==38369== by 0x4F1438A: check_matching (regexec.c:1160) ==38369== by 0x4F1438A: re_search_internal (regexec.c:829) ==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253) 2.19 and fresh trunk are affected. This is admittedly a use-after-realloc, so with a glibc's malloc it *may* be hard to exploit, but if a different malloc is used this may become a true use-after-free. So, conservatively applying security+. Found with the same fuzzer as bugs 18032, 18036, 18037 -- You are receiving this mail because: You are on the CC list for the bug.