regex fixes coming

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

* regex fixes coming
       [not found] ` <2ffa6787-eb96-ab53-e69d-372d7e7ebcc4@cs.ucla.edu>
@ 2018-09-09 15:09   ` Paul Eggert
  2018-09-09 15:12     ` [PATCH 2/2] regex: fix storage-exhaustion error Paul Eggert
  2018-09-09 15:12     ` [PATCH 1/2] regex: fix heap-use-after-free error Paul Eggert
  0 siblings, 2 replies; 3+ messages in thread
From: Paul Eggert @ 2018-09-09 15:09 UTC (permalink / raw)
  To: GNU C Library; +Cc: Assaf Gordon

Assaf Gordon has been doing heroic work in finding crashes in the regex code, 
and two fixes found as part of that process are ready to go in. I'll follow up 
with copies of proposed patches, one found by his work and one minor cleanup I 
found by code inspection. With luck, Assaf will have more fixes later.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH 2/2] regex: fix storage-exhaustion error
  2018-09-09 15:09   ` regex fixes coming Paul Eggert
@ 2018-09-09 15:12     ` Paul Eggert
  2018-09-09 15:12     ` [PATCH 1/2] regex: fix heap-use-after-free error Paul Eggert
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw)
  To: libc-alpha; +Cc: Paul Eggert

[BZ #23610][BZ #18040]
* posix/regexec.c (get_subexp):
Do not continue if storage is exhausted.
---
 ChangeLog       | 7 +++++++
 posix/regexec.c | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index cf69a33d73..0d865c4eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-09-09  Paul Eggert  <eggert@cs.ucla.edu>
+
+	regex: fix storage-exhaustion error
+	[BZ #23609][BZ #18040]
+	* posix/regexec.c (get_subexp):
+	Do not continue if storage is exhausted.
+
 2018-09-09  Assaf Gordon  <assafgordon@gmail.com>
 
 	regex: fix heap-use-after-free error
diff --git a/posix/regexec.c b/posix/regexec.c
index 61a4ea26d1..0bef862dca 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2780,6 +2780,8 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
+	  if (BE (err != REG_NOERROR, 0))
+	    return err;
 	}
     }
   return REG_NOERROR;
-- 
2.17.1

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH 1/2] regex: fix heap-use-after-free error
  2018-09-09 15:09   ` regex fixes coming Paul Eggert
  2018-09-09 15:12     ` [PATCH 2/2] regex: fix storage-exhaustion error Paul Eggert
@ 2018-09-09 15:12     ` Paul Eggert
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw)
  To: libc-alpha; +Cc: Assaf Gordon

From: Assaf Gordon <assafgordon@gmail.com>

[BZ #23609][BZ #18040]
Problem reported by Saito Takaaki <tails.saito@gmail.com> in
https://debbugs.gnu.org/32592
Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
call extend_buffers which reallocates the re_string_t internal buffer.
Local variable 'buf' was not updated in such case, resulting in
use-after-free.
* posix/regexec.c (get_subexp): Update 'buf' after call to
get_subexp_sub.
---
 ChangeLog       | 13 +++++++++++++
 posix/regexec.c |  1 +
 2 files changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 611caf9bd8..cf69a33d73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2018-09-09  Assaf Gordon  <assafgordon@gmail.com>
+
+	regex: fix heap-use-after-free error
+	[BZ #23609][BZ #18040]
+	Problem reported by Saito Takaaki <tails.saito@gmail.com> in
+	https://debbugs.gnu.org/32592
+	Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may
+	call extend_buffers which reallocates the re_string_t internal buffer.
+	Local variable 'buf' was not updated in such case, resulting in
+	use-after-free.
+	* posix/regexec.c (get_subexp): Update 'buf' after call to
+	get_subexp_sub.
+
 2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
 
 	* sysdeps/s390/fpu/libm-test-ulps: Regenerated.
diff --git a/posix/regexec.c b/posix/regexec.c
index 73644c2341..61a4ea26d1 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx)
 	    return REG_ESPACE;
 	  err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node,
 				bkref_str_idx);
+	  buf = (const char *) re_string_get_buffer (&mctx->input);
 	  if (err == REG_NOMATCH)
 	    continue;
 	}
-- 
2.17.1

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-09-09 15:12 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <b4246051-d6d3-e984-e1cd-9486250e19ec@gmail.com>
     [not found] ` <2ffa6787-eb96-ab53-e69d-372d7e7ebcc4@cs.ucla.edu>
2018-09-09 15:09   ` regex fixes coming Paul Eggert
2018-09-09 15:12     ` [PATCH 2/2] regex: fix storage-exhaustion error Paul Eggert
2018-09-09 15:12     ` [PATCH 1/2] regex: fix heap-use-after-free error Paul Eggert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).