* Glibc - CVE-2015-8985 help
From: Raluca-Petronela Florea @ 2020-05-05 9:14 UTC
To: libc-alpha, adhemerval.zanella, debian-glibc

Hello,

I'm working on fixing some GLIBC vulnerabilities and I have an issue
regarding
CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
malformed regexp

Although it seems to be fixed in glibc 2.28, I've encountered the following
issue testing on an Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
the following program:

pop_fail_stack.c

#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);
    regexec(&preg, "", 2, pmatch, 0);
    regfree(&preg);
    return 0;
}

*pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
*Aborted (core dumped)*

As the Debian bug describes
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
program compiles an invalid regexp and then tries to match a string
against it, triggers an assertion:

*pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
Aborted*

So, in my scenario, the test program does not even successfully
compile the invalid regexp.

Did anyone encounter this issue?
Could you please help me with this?

Thank you,
Raluca

* Re: Glibc - CVE-2015-8985 help
From: Aurelien Jarno @ 2020-05-05 10:23 UTC
To: Raluca-Petronela Florea; +Cc: libc-alpha, adhemerval.zanella, debian-glibc

Hi,

On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> Hello,
>
> I'm working on fixing some GLIBC vulnerabilities and I have an issue
> regarding
> CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> malformed regexp
>
> Although it seems to be fixed in glibc 2.28, I've encountered the following
> issue testing on an Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> the following program:
>
> pop_fail_stack.c
>
> #include <assert.h>
> #include <regex.h>
> #include <stdio.h>
>
> int main(int argc, char **argv)
> {
>     int rc;
>     regex_t preg;
>     regmatch_t pmatch[2];
>
>     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
>     assert(rc == 0);
>     regexec(&preg, "", 2, pmatch, 0);
>     regfree(&preg);
>     return 0;
> }
>
> *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> *Aborted (core dumped)*

It means your glibc has the fix. The regex is clearly invalid, so
regcomp correctly fails to compile it.

> As the Debian bug describes
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> program compiles an invalid regexp and then tries to match a string
> against it, triggers an assertion:
>
> *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> Aborted*

That error message means the glibc is not fixed, i.e. regcomp is wrongly
able to compile it and regexec later triggers an assertion inside glibc
code.

> So, in my scenario, the test program does not even successfully
> compile the invalid regexp.

This is normal as the regexp is invalid, so it can't be compiled.

Regards,
Aurelien

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
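
[Added example, not part of any message in this thread and not glibc or Debian code: a check that separates the two outcomes discussed above by running the thread's pattern in a child process, so that an assertion inside regexec shows up as SIGABRT rather than being confused with the test program's own assert. The names classify_pattern, re_result and THREAD_PATTERN are made up for this sketch.]

```c
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum re_result { RE_REJECTED, RE_COMPILED_OK, RE_ABORTED, RE_CHECK_FAILED };

/* Pattern quoted from the test program in the thread. */
static const char *const THREAD_PATTERN = "()*)|\\1)*";

/* Compile and execute the pattern in a child process so that an abort()
   inside the regex library is observed as SIGABRT by the parent. */
enum re_result classify_pattern(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return RE_CHECK_FAILED;
    if (pid == 0) {
        regex_t preg;
        regmatch_t pmatch[2];
        if (regcomp(&preg, pattern, REG_EXTENDED) != 0)
            _exit(1);              /* rejected at compile time */
        regexec(&preg, "", 2, pmatch, 0);
        regfree(&preg);
        _exit(0);                  /* compiled and ran without aborting */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return RE_CHECK_FAILED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGABRT ? RE_ABORTED : RE_CHECK_FAILED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 1)
        return RE_REJECTED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return RE_COMPILED_OK;
    return RE_CHECK_FAILED;
}

int main(void)
{
    static const char *const names[] = {
        "rejected by regcomp (the behaviour described as fixed)",
        "compiled and executed without aborting",
        "aborted inside regexec (the behaviour described as not fixed)",
        "check failed" };
    printf("%s\n", names[classify_pattern(THREAD_PATTERN)]);
    return 0;
}
```
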

* Re: Glibc - CVE-2015-8985 help
From: Raluca-Petronela Florea @ 2020-05-05 10:46 UTC
To: Raluca-Petronela Florea, libc-alpha, adhemerval.zanella, debian-glibc

Ok, thanks for clarification.

So, do you have any idea what the regexp should look like in order to
reproduce the issue from bug?

Thank you very much!

On Tue, 5 May 2020, 13:24 Aurelien Jarno, <aurelien@aurel32.net> wrote:

> Hi,
>
> On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> > Hello,
> >
> > I'm working on fixing some GLIBC vulnerabilities and I have an issue
> > regarding
> > CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> > malformed regexp
> >
> > Although it seems to be fixed in glibc 2.28, I've encountered the following
> > issue testing on an Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> > the following program:
> >
> > pop_fail_stack.c
> >
> > #include <assert.h>
> > #include <regex.h>
> > #include <stdio.h>
> >
> > int main(int argc, char **argv)
> > {
> >     int rc;
> >     regex_t preg;
> >     regmatch_t pmatch[2];
> >
> >     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
> >     assert(rc == 0);
> >     regexec(&preg, "", 2, pmatch, 0);
> >     regfree(&preg);
> >     return 0;
> > }
> >
> > *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> > *Aborted (core dumped)*
>
> It means your glibc has the fix. The regex is clearly invalid, so
> regcomp correctly fails to compile it.
>
> > As the Debian bug describes
> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> > program compiles an invalid regexp and then tries to match a string
> > against it, triggers an assertion:
> >
> > *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> > Aborted*
>
> That error message means the glibc is not fixed, i.e. regcomp is wrongly
> able to compile it and regexec later triggers an assertion inside glibc
> code.
>
> > So, in my scenario, the test program does not even successfully
> > compile the invalid regexp.
>
> This is normal as the regexp is invalid, so it can't be compiled.
>
> Regards,
> Aurelien
>
> --
> Aurelien Jarno                          GPG: 4096R/1DDD8C9B
> aurelien@aurel32.net                 http://www.aurel32.net
>

* Re: Glibc - CVE-2015-8985 help
From: Raluca-Petronela Florea @ 2020-05-05 10:59 UTC
To: Raluca-Petronela Florea, libc-alpha, adhemerval.zanella, debian-glibc

Thanks a lot, I appreciate your help!
I read your answer and I understood!

On Tue, 5 May 2020, 13:46 Raluca-Petronela Florea, <florea.raluca.petronela@gmail.com> wrote:

> Ok, thanks for clarification.
>
> So, do you have any idea what the regexp should look like in order to
> reproduce the issue from bug?
>
> Thank you very much!
>
> On Tue, 5 May 2020, 13:24 Aurelien Jarno, <aurelien@aurel32.net> wrote:
>
>> Hi,
>>
>> On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
>> > Hello,
>> >
>> > I'm working on fixing some GLIBC vulnerabilities and I have an issue
>> > regarding
>> > CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
>> > malformed regexp
>> >
>> > Although it seems to be fixed in glibc 2.28, I've encountered the following
>> > issue testing on an Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
>> > the following program:
>> >
>> > pop_fail_stack.c
>> >
>> > #include <assert.h>
>> > #include <regex.h>
>> > #include <stdio.h>
>> >
>> > int main(int argc, char **argv)
>> > {
>> >     int rc;
>> >     regex_t preg;
>> >     regmatch_t pmatch[2];
>> >
>> >     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
>> >     assert(rc == 0);
>> >     regexec(&preg, "", 2, pmatch, 0);
>> >     regfree(&preg);
>> >     return 0;
>> > }
>> >
>> > *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
>> > *Aborted (core dumped)*
>>
>> It means your glibc has the fix. The regex is clearly invalid, so
>> regcomp correctly fails to compile it.
>>
>> > As the Debian bug describes
>> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
>> > program compiles an invalid regexp and then tries to match a string
>> > against it, triggers an assertion:
>> >
>> > *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
>> > Aborted*
>>
>> That error message means the glibc is not fixed, i.e. regcomp is wrongly
>> able to compile it and regexec later triggers an assertion inside glibc
>> code.
>>
>> > So, in my scenario, the test program does not even successfully
>> > compile the invalid regexp.
>>
>> This is normal as the regexp is invalid, so it can't be compiled.
>>
>> Regards,
>> Aurelien
>>
>> --
>> Aurelien Jarno                          GPG: 4096R/1DDD8C9B
>> aurelien@aurel32.net                 http://www.aurel32.net
>>
>