From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <aurelien@aurel32.net>
Received: from hall.aurel32.net (hall.aurel32.net [IPv6:2001:bc8:30d7:100::1])
 by sourceware.org (Postfix) with ESMTPS id CCB67388E831
 for <libc-alpha@sourceware.org>; Tue,  5 May 2020 10:24:02 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org CCB67388E831
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=aurel32.net
Authentication-Results: sourceware.org;
 spf=none smtp.mailfrom=aurelien@aurel32.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net
 ; s=202004.hall;
 h=In-Reply-To:Content-Type:MIME-Version:References:
 Message-ID:Subject:Cc:To:From:Date:Content-Transfer-Encoding:From:Reply-To:
 Subject:Content-ID:Content-Description:X-Debbugs-Cc;
 bh=vLVvt2FtNX3k+O7Y1FTs6jHpCXZRiuj9wUrEfglmHaE=; b=M1qSl/JhRZJ+avNYKE3vIlZev1
 zekTGVwwEG8dn2wAmRoBEXOyo+rDxU0myUw011FYnh8yBseP/YmNRhliwKONVdGmcJtCxpDbpoNI4
 mcuE0xLx9ciqx3MD3vsTSBFUtNXIe7rzxPwL11jC1/XxUbmiEvco9If+wFQUZumTttfownTsxAh+u
 HGc1mI6Ox7uTS3AdzZnHW4mlVGXs4A5lmCXJ+XEGeleTcG+sCioAqJud1j1bs6DChPRy8NHbetw9b
 jdOhfICzD0kT7tuP8iPVhyZkuU9zyRAkJ7zy6wb74Xn+w4t59HD6DdTXV0doOxdzrSFUCH9LlPMZL
 k9ZBVwyA==;
Received: from [2a01:e35:2fdd:a4e1:fe91:fc89:bc43:b814] (helo=ohm.rr44.fr)
 by hall.aurel32.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.92) (envelope-from <aurelien@aurel32.net>)
 id 1jVuk5-0007AD-4M; Tue, 05 May 2020 12:24:01 +0200
Received: from aurel32 by ohm.rr44.fr with local (Exim 4.93)
 (envelope-from <aurelien@aurel32.net>)
 id 1jVuk3-001j5H-My; Tue, 05 May 2020 12:23:59 +0200
Date: Tue, 5 May 2020 12:23:59 +0200
From: Aurelien Jarno <aurelien@aurel32.net>
To: Raluca-Petronela Florea <florea.raluca.petronela@gmail.com>
Cc: libc-alpha@sourceware.org, adhemerval.zanella@linaro.org,
 debian-glibc@lists.debian.org
Subject: Re: Glibc - CVE-2015-8985 help
Message-ID: <20200505102359.GA411353@aurel32.net>
Mail-Followup-To: Raluca-Petronela Florea <florea.raluca.petronela@gmail.com>, 
 libc-alpha@sourceware.org, adhemerval.zanella@linaro.org,
 debian-glibc@lists.debian.org
References: <CAF=qhUjXSpAFOmwobY7TgzvT0FVS08zJHFfO3P2zrUmi1UxKiA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAF=qhUjXSpAFOmwobY7TgzvT0FVS08zJHFfO3P2zrUmi1UxKiA@mail.gmail.com>
User-Agent: Mutt/1.13.2 (2019-12-18)
X-Spam-Status: No, score=-6.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, SPF_HELO_PASS, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 10:24:05 -0000

Hi,

On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> Hello,
> 
> I'm working on fixing some GLIBC vulnerabilities and I have an issue
> regarding
> CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> malformed regexp
> 
> Although it seems to be fixed in glibc 2.28, I've encountered the following
> issue testing on a Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> the following program:
> 
> pop_fail_stack.c
> 
> #include <assert.h>
> #include <regex.h>
> #include <stdio.h>
> 
> int main(int argc, char **argv)
> {
>     int rc;
>     regex_t preg;
>     regmatch_t pmatch[2];
> 
>     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
>     assert(rc == 0);
>     regexec(&preg, "", 2, pmatch, 0);
>     regfree(&preg);
>     return 0;
> }
> 
> *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> *Aborted (core dumped)*

It means you glibc has the fix. The regex is clearly invalid so it
regcomp correctly fails to compile it.

> As describes the Debian bug
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> program compiles an invalid regexp and then tries to match a string
> against it, triggers an assertion:
> 
> *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> Aborted*

That error message means the glibc is not fixed, i.e. regcomp is wronglu
able to compile it and regexec later triggers an assertion inside glibc
code.

> So, in my scenario, the test program does not even successfully
> compile the invalid regexp.

This is normal as the regexp is invalid, so it can't be compiled.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net