* regex fixes coming
From: Paul Eggert @ 2018-09-09 15:09 UTC
To: GNU C Library; +Cc: Assaf Gordon

Assaf Gordon has been doing heroic work in finding crashes in the regex code, and two fixes found as part of that process are ready to go in. I'll follow up with copies of proposed patches, one found by his work and one minor cleanup I found by code inspection. With luck, Assaf will have more fixes later.
* [PATCH 2/2] regex: fix storage-exhaustion error 2018-09-09 15:09 ` regex fixes coming Paul Eggert @ 2018-09-09 15:12 ` Paul Eggert 2018-09-09 15:12 ` [PATCH 1/2] regex: fix heap-use-after-free error Paul Eggert 1 sibling, 0 replies; 3+ messages in thread From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw) To: libc-alpha; +Cc: Paul Eggert [BZ #23610][BZ #18040] * posix/regexec.c (get_subexp): Do not continue if storage is exhausted. --- ChangeLog | 7 +++++++ posix/regexec.c | 2 ++ 2 files changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index cf69a33d73..0d865c4eae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2018-09-09 Paul Eggert <eggert@cs.ucla.edu> + + regex: fix storage-exhaustion error + [BZ #23609][BZ #18040] + * posix/regexec.c (get_subexp): + Do not continue if storage is exhausted. + 2018-09-09 Assaf Gordon <assafgordon@gmail.com> regex: fix heap-use-after-free error diff --git a/posix/regexec.c b/posix/regexec.c index 61a4ea26d1..0bef862dca 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -2780,6 +2780,8 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx) buf = (const char *) re_string_get_buffer (&mctx->input); if (err == REG_NOMATCH) continue; + if (BE (err != REG_NOERROR, 0)) + return err; } } return REG_NOERROR; -- 2.17.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
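Review bot: the bug numbers in the ChangeLog hunk ([BZ #23609][BZ #18040]) do not match the patch subject and commit message ([BZ #23610][BZ #18040]); one of the two is a typo and should be fixed before commit, since the BZ tag is what ties the commit to the tracker entry, and PATCH 1/2 in this series uses #23609 for the same get_subexp work.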
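Review bot: the new `if (BE (err != REG_NOERROR, 0)) return err;` in the posix/regexec.c hunk sits after the `buf` refresh and the `if (err == REG_NOMATCH) continue;`, so the only values that reach it are REG_NOERROR and a hard error such as the REG_ESPACE that get_subexp_sub can produce when extend_buffers fails; before this hunk those fell through to the final `return REG_NOERROR;`, reporting success after an allocation failure. The commit message should say that plainly (the caller now sees REG_ESPACE instead of a match result computed on a buffer that could not be extended), since the one-line ChangeLog text "Do not continue if storage is exhausted" does not explain that the previous behaviour was a silently swallowed error rather than a crash.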
* [PATCH 1/2] regex: fix heap-use-after-free error 2018-09-09 15:09 ` regex fixes coming Paul Eggert 2018-09-09 15:12 ` [PATCH 2/2] regex: fix storage-exhaustion error Paul Eggert @ 2018-09-09 15:12 ` Paul Eggert 1 sibling, 0 replies; 3+ messages in thread From: Paul Eggert @ 2018-09-09 15:12 UTC (permalink / raw) To: libc-alpha; +Cc: Assaf Gordon From: Assaf Gordon <assafgordon@gmail.com> [BZ #23609][BZ #18040] Problem reported by Saito Takaaki <tails.saito@gmail.com> in https://debbugs.gnu.org/32592 Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may call extend_buffers which reallocates the re_string_t internal buffer. Local variable 'buf' was not updated in such case, resulting in use-after-free. * posix/regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub. --- ChangeLog | 13 +++++++++++++ posix/regexec.c | 1 + 2 files changed, 14 insertions(+) diff --git a/ChangeLog b/ChangeLog index 611caf9bd8..cf69a33d73 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +2018-09-09 Assaf Gordon <assafgordon@gmail.com> + + regex: fix heap-use-after-free error + [BZ #23609][BZ #18040] + Problem reported by Saito Takaaki <tails.saito@gmail.com> in + https://debbugs.gnu.org/32592 + Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may + call extend_buffers which reallocates the re_string_t internal buffer. + Local variable 'buf' was not updated in such case, resulting in + use-after-free. + * posix/regexec.c (get_subexp): Update 'buf' after call to + get_subexp_sub. + 2018-09-06 Stefan Liebler <stli@linux.ibm.com> * sysdeps/s390/fpu/libm-test-ulps: Regenerated. diff --git a/posix/regexec.c b/posix/regexec.c index 73644c2341..61a4ea26d1 100644 --- a/posix/regexec.c +++ b/posix/regexec.c 
@@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx) return REG_ESPACE; err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node, bkref_str_idx); + buf = (const char *) re_string_get_buffer (&mctx->input); if (err == REG_NOMATCH) continue; } -- 2.17.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
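Review bot: the ChangeLog hunk repeats the entire commit message, including the debbugs URL and the call-stack explanation; glibc ChangeLog entries conventionally record what changed (bug number, file, function, one line of description), with the rationale left to the commit message, so the entry could be trimmed to the `[BZ #23609][BZ #18040]` line and the `* posix/regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub.` line. The Saito Takaaki credit is still worth keeping in the commit message.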
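Review bot: the refresh `buf = (const char *) re_string_get_buffer (&mctx->input);` correctly re-derives the pointer after every get_subexp_sub call, but the hunk is followed only by `if (err == REG_NOMATCH) continue;`, so a REG_ESPACE from the same extend_buffers path that motivated this fix is still discarded and the loop proceeds as if the sub-match had not failed. That gap is what PATCH 2/2 closes; either land the two together or state in this commit message that 1/2 is incomplete on its own. A short comment at the refresh (why the callee may reallocate the re_string_t buffer) would also help, because without it a later reader will see an apparently redundant reload inside a loop and be tempted to hoist it back out; any other pointer into the input buffer held across this call, not visible in the hunk, needs the same treatment.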
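Added example, not glibc code and not part of either patch above, showing both defects the thread describes in a runnable form: the stale cached pointer from PATCH 1/2 (a callee reallocates the internal buffer the caller has cached) and the dropped error from PATCH 2/2 (a storage-exhaustion result other than "no match" falling through as success). All `rx_` names, the `rx_result` struct, the `force_oom` knob and the input string "abcxabc" are hypothetical stand-ins for glibc's re_string_t, re_match_context_t, extend_buffers and get_subexp_sub; the buffer is grown by allocate-copy-free so that it always moves, which is one outcome the real realloc can produce.

```c
/* Added illustration, not glibc code: rx_* names are hypothetical stand-ins
   for re_string_t / re_match_context_t / extend_buffers / get_subexp_sub. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RX_NOERROR = 0, RX_NOMATCH = 1, RX_ESPACE = 12 };

struct rx_string { unsigned char *mbs; size_t len; size_t alloc; };
struct rx_ctx    { struct rx_string input; int force_oom; };

/* Like extend_buffers: grow the internal buffer. Allocate-copy-free is used
   so the buffer always moves, which is one outcome realloc can produce. */
static int rx_extend_buffers(struct rx_ctx *mctx, size_t need)
{
    if (mctx->input.alloc >= need)
        return RX_NOERROR;
    if (mctx->force_oom)                /* test knob: simulate storage exhaustion */
        return RX_ESPACE;
    size_t n = mctx->input.alloc ? mctx->input.alloc : 16;
    while (n < need)
        n *= 2;
    unsigned char *p = malloc(n);
    if (p == NULL)
        return RX_ESPACE;
    memcpy(p, mctx->input.mbs, mctx->input.len);
    free(mctx->input.mbs);              /* any cached pointer is now dangling */
    mctx->input.mbs = p;
    mctx->input.alloc = n;
    return RX_NOERROR;
}

/* Like get_subexp_sub: does input[at, at+len) repeat input[start, start+len)?
   It may extend the buffer first, the path named in the commit message
   (get_subexp_sub -> clean_state_log_if_needed -> extend_buffers). */
static int rx_sub_match(struct rx_ctx *mctx, size_t start, size_t len, size_t at)
{
    int err = rx_extend_buffers(mctx, at + len + 1);
    if (err != RX_NOERROR)
        return err;
    if (at + len > mctx->input.len)
        return RX_NOMATCH;
    return memcmp(mctx->input.mbs + start, mctx->input.mbs + at, len) == 0
               ? RX_NOERROR : RX_NOMATCH;
}

struct rx_result { int err; long found; int moved; };

/* Like get_subexp with both fixes applied: look for a back-reference to
   input[start, start+len) at later positions. `buf` is cached the way glibc
   caches it, so it must be refreshed after every call that may reallocate. */
static struct rx_result rx_get_subexp(struct rx_ctx *mctx, size_t start, size_t len)
{
    struct rx_result r = { RX_NOMATCH, -1, 0 };
    const unsigned char *buf = mctx->input.mbs;
    for (size_t at = start + len; at + len <= mctx->input.len; at++) {
        if (buf[at] != buf[start])      /* cheap reject; this read is the UAF without fix 1 */
            continue;
        uintptr_t before = (uintptr_t) buf;
        int err = rx_sub_match(mctx, start, len, at);
        buf = mctx->input.mbs;          /* fix 1 (PATCH 1/2): re-derive the pointer */
        if ((uintptr_t) buf != before)
            r.moved++;                  /* the old `buf` would have been dangling here */
        if (err == RX_NOMATCH)
            continue;
        if (err != RX_NOERROR) {        /* fix 2 (PATCH 2/2): propagate, do not drop */
            r.err = err;
            return r;
        }
        r.err = RX_NOERROR;
        r.found = (long) at;
        return r;
    }
    return r;
}

/* Run the search on the constructed input "abcxabc" (think \(abc\).*\1).
   The buffer is allocated exactly to size so the first extension must move it. */
struct rx_result rx_demo(int force_oom)
{
    struct rx_ctx ctx;
    const char *text = "abcxabc";
    ctx.input.len = strlen(text);
    ctx.input.alloc = ctx.input.len;
    ctx.input.mbs = malloc(ctx.input.alloc);
    memcpy(ctx.input.mbs, text, ctx.input.len);
    ctx.force_oom = force_oom;
    struct rx_result r = rx_get_subexp(&ctx, 0, 3);
    free(ctx.input.mbs);
    return r;
}

int main(void)
{
    struct rx_result ok = rx_demo(0), oom = rx_demo(1);
    printf("normal: err=%d found=%ld buffer moved %d time(s)\n", ok.err, ok.found, ok.moved);
    printf("oom:    err=%d found=%ld buffer moved %d time(s)\n", oom.err, oom.found, oom.moved);
    return 0;
}
```

In the normal run the back-reference is found at offset 4 and the buffer moved exactly once during the call that found it, which is the situation in which the unrefreshed `buf` of the pre-patch code would have been read after free. With `force_oom` the callee fails with RX_ESPACE and, because of the second fix, that code is what the caller receives rather than a "no match" or a spurious success.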