* Glibc - CVE-2015-8985 help
@ 2020-05-05 9:14 Raluca-Petronela Florea
2020-05-05 10:23 ` Aurelien Jarno
0 siblings, 1 reply; 4+ messages in thread
From: Raluca-Petronela Florea @ 2020-05-05 9:14 UTC (permalink / raw)
To: libc-alpha, adhemerval.zanella, debian-glibc
Hello,
I'm working on fixing some GLIBC vulnerabilities and I have an issue
regarding
CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
malformed regexp
Although it seems to be fixed in glibc 2.28, I've encountered the following
issue testing on a Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
the following program:
pop_fail_stack.c
#include <assert.h>
#include <regex.h>
#include <stdio.h>
int main(int argc, char **argv)
{
int rc;
regex_t preg;
regmatch_t pmatch[2];
rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
assert(rc == 0);
regexec(&preg, "", 2, pmatch, 0);
regfree(&preg);
return 0;
}
*pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
*Aborted (core dumped)*
As describes the Debian bug
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
program compiles an invalid regexp and then tries to match a string
against it, triggers an assertion:
*pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
Aborted*
So, in my scenario, the test program does not even successfully
compile the invalid regexp.
Did anyone encounter this issue?
Could you please help me with this?
Thank you,
Raluca
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Glibc - CVE-2015-8985 help
2020-05-05 9:14 Glibc - CVE-2015-8985 help Raluca-Petronela Florea
@ 2020-05-05 10:23 ` Aurelien Jarno
2020-05-05 10:46 ` Raluca-Petronela Florea
0 siblings, 1 reply; 4+ messages in thread
From: Aurelien Jarno @ 2020-05-05 10:23 UTC (permalink / raw)
To: Raluca-Petronela Florea; +Cc: libc-alpha, adhemerval.zanella, debian-glibc
Hi,
On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> Hello,
>
> I'm working on fixing some GLIBC vulnerabilities and I have an issue
> regarding
> CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> malformed regexp
>
> Although it seems to be fixed in glibc 2.28, I've encountered the following
> issue testing on a Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> the following program:
>
> pop_fail_stack.c
>
> #include <assert.h>
> #include <regex.h>
> #include <stdio.h>
>
> int main(int argc, char **argv)
> {
> int rc;
> regex_t preg;
> regmatch_t pmatch[2];
>
> rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
> assert(rc == 0);
> regexec(&preg, "", 2, pmatch, 0);
> regfree(&preg);
> return 0;
> }
>
> *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> *Aborted (core dumped)*
It means you glibc has the fix. The regex is clearly invalid so it
regcomp correctly fails to compile it.
> As describes the Debian bug
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> program compiles an invalid regexp and then tries to match a string
> against it, triggers an assertion:
>
> *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> Aborted*
That error message means the glibc is not fixed, i.e. regcomp is wronglu
able to compile it and regexec later triggers an assertion inside glibc
code.
> So, in my scenario, the test program does not even successfully
> compile the invalid regexp.
This is normal as the regexp is invalid, so it can't be compiled.
Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Glibc - CVE-2015-8985 help
2020-05-05 10:23 ` Aurelien Jarno
@ 2020-05-05 10:46 ` Raluca-Petronela Florea
2020-05-05 10:59 ` Raluca-Petronela Florea
0 siblings, 1 reply; 4+ messages in thread
From: Raluca-Petronela Florea @ 2020-05-05 10:46 UTC (permalink / raw)
To: Raluca-Petronela Florea, libc-alpha, adhemerval.zanella, debian-glibc
Ok, thanks for clarification.
So, do you have any idea how the regexp should look like in order to
reproduce the issue from bug?
Thank you very much!
On Tue, 5 May 2020, 13:24 Aurelien Jarno, <aurelien@aurel32.net> wrote:
> Hi,
>
> On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> > Hello,
> >
> > I'm working on fixing some GLIBC vulnerabilities and I have an issue
> > regarding
> > CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> > malformed regexp
> >
> > Although it seems to be fixed in glibc 2.28, I've encountered the
> following
> > issue testing on a Ubuntu 19.10 virtual machine with glibc
> 2.30-0ubuntu.2.1
> > the following program:
> >
> > pop_fail_stack.c
> >
> > #include <assert.h>
> > #include <regex.h>
> > #include <stdio.h>
> >
> > int main(int argc, char **argv)
> > {
> > int rc;
> > regex_t preg;
> > regmatch_t pmatch[2];
> >
> > rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
> > assert(rc == 0);
> > regexec(&preg, "", 2, pmatch, 0);
> > regfree(&preg);
> > return 0;
> > }
> >
> > *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> > *Aborted (core dumped)*
>
> It means you glibc has the fix. The regex is clearly invalid so it
> regcomp correctly fails to compile it.
>
> > As describes the Debian bug
> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> > program compiles an invalid regexp and then tries to match a string
> > against it, triggers an assertion:
> >
> > *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0'
> failed.
> > Aborted*
>
> That error message means the glibc is not fixed, i.e. regcomp is wronglu
> able to compile it and regexec later triggers an assertion inside glibc
> code.
>
> > So, in my scenario, the test program does not even successfully
> > compile the invalid regexp.
>
> This is normal as the regexp is invalid, so it can't be compiled.
>
> Regards,
> Aurelien
>
> --
> Aurelien Jarno GPG: 4096R/1DDD8C9B
> aurelien@aurel32.net http://www.aurel32.net
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Glibc - CVE-2015-8985 help
2020-05-05 10:46 ` Raluca-Petronela Florea
@ 2020-05-05 10:59 ` Raluca-Petronela Florea
0 siblings, 0 replies; 4+ messages in thread
From: Raluca-Petronela Florea @ 2020-05-05 10:59 UTC (permalink / raw)
To: Raluca-Petronela Florea, libc-alpha, adhemerval.zanella, debian-glibc
Thanks a lot, I appreciate your help!
I read your answer and I understood!
On Tue, 5 May 2020, 13:46 Raluca-Petronela Florea, <
florea.raluca.petronela@gmail.com> wrote:
> Ok, thanks for clarification.
>
> So, do you have any idea how the regexp should look like in order to
> reproduce the issue from bug?
>
> Thank you very much!
>
> On Tue, 5 May 2020, 13:24 Aurelien Jarno, <aurelien@aurel32.net> wrote:
>
>> Hi,
>>
>> On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
>> > Hello,
>> >
>> > I'm working on fixing some GLIBC vulnerabilities and I have an issue
>> > regarding
>> > CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
>> > malformed regexp
>> >
>> > Although it seems to be fixed in glibc 2.28, I've encountered the
>> following
>> > issue testing on a Ubuntu 19.10 virtual machine with glibc
>> 2.30-0ubuntu.2.1
>> > the following program:
>> >
>> > pop_fail_stack.c
>> >
>> > #include <assert.h>
>> > #include <regex.h>
>> > #include <stdio.h>
>> >
>> > int main(int argc, char **argv)
>> > {
>> > int rc;
>> > regex_t preg;
>> > regmatch_t pmatch[2];
>> >
>> > rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
>> > assert(rc == 0);
>> > regexec(&preg, "", 2, pmatch, 0);
>> > regfree(&preg);
>> > return 0;
>> > }
>> >
>> > *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
>> > *Aborted (core dumped)*
>>
>> It means you glibc has the fix. The regex is clearly invalid so it
>> regcomp correctly fails to compile it.
>>
>> > As describes the Debian bug
>> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
>> > program compiles an invalid regexp and then tries to match a string
>> > against it, triggers an assertion:
>> >
>> > *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0'
>> failed.
>> > Aborted*
>>
>> That error message means the glibc is not fixed, i.e. regcomp is wronglu
>> able to compile it and regexec later triggers an assertion inside glibc
>> code.
>>
>> > So, in my scenario, the test program does not even successfully
>> > compile the invalid regexp.
>>
>> This is normal as the regexp is invalid, so it can't be compiled.
>>
>> Regards,
>> Aurelien
>>
>> --
>> Aurelien Jarno GPG: 4096R/1DDD8C9B
>> aurelien@aurel32.net http://www.aurel32.net
>>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-05-05 10:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-05 9:14 Glibc - CVE-2015-8985 help Raluca-Petronela Florea
2020-05-05 10:23 ` Aurelien Jarno
2020-05-05 10:46 ` Raluca-Petronela Florea
2020-05-05 10:59 ` Raluca-Petronela Florea
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).