From: Raluca-Petronela Florea
Date: Tue, 5 May 2020 13:46:07 +0300
Subject: Re: Glibc - CVE-2015-8985 help
To: Raluca-Petronela Florea, libc-alpha@sourceware.org, adhemerval.zanella@linaro.org, debian-glibc@lists.debian.org

Ok, thanks for clarification.
So, do you have any idea how the regexp should look like in order to reproduce the issue from bug?
Thank you very much!

On Tue, 5 May 2020, 13:24 Aurelien Jarno, wrote:

> Hi,
>
> On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> > Hello,
> >
> > I'm working on fixing some GLIBC vulnerabilities and I have an issue regarding
> > CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> > malformed regexp
> >
> > Although it seems to be fixed in glibc 2.28, I've encountered the following
> > issue testing on an Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> > the following program:
> >
> > pop_fail_stack.c
> >
> > #include <assert.h>
> > #include <regex.h>
> > #include <stdio.h>
> >
> > int main(int argc, char **argv)
> > {
> >     int rc;
> >     regex_t preg;
> >     regmatch_t pmatch[2];
> >
> >     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
> >     assert(rc == 0);
> >     regexec(&preg, "", 2, pmatch, 0);
> >     regfree(&preg);
> >     return 0;
> > }
> >
> > *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> > *Aborted (core dumped)*
>
> It means your glibc has the fix. The regex is clearly invalid so
> regcomp correctly fails to compile it.
>
> > As the Debian bug describes
> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> > program compiles an invalid regexp and then tries to match a string
> > against it, triggers an assertion:
> >
> > *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> > Aborted*
>
> That error message means the glibc is not fixed, i.e. regcomp is wrongly
> able to compile it and regexec later triggers an assertion inside glibc
> code.
>
> > So, in my scenario, the test program does not even successfully
> > compile the invalid regexp.
>
> This is normal as the regexp is invalid, so it can't be compiled.
>
> Regards,
> Aurelien
>
> --
> Aurelien Jarno GPG: 4096R/1DDD8C9B
> aurelien@aurel32.net http://www.aurel32.net
>
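
Added example, not part of the thread and not glibc code: a regression probe for the two outcomes discussed above. It runs regcomp/regexec in a forked child so that a pattern rejected by regcomp (the fixed behaviour) can be told apart from an abort inside regexec (the unfixed behaviour). `probe_regex` and the enum names are hypothetical; the pattern is the one quoted in the message.

```c
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_REJECTED, PROBE_RAN_CLEANLY, PROBE_ABORTED, PROBE_ERROR };

/* Pattern quoted in the thread (from Debian bug 779392). */
static const char *const CVE_2015_8985_PATTERN = "()*)|\\1)*";

/* Hypothetical helper: compile and match `pattern` in a child process. */
enum probe_result probe_regex(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {                        /* child: may abort inside libc */
        struct rlimit no_core = { 0, 0 };
        regex_t preg;
        regmatch_t pmatch[2];
        setrlimit(RLIMIT_CORE, &no_core);  /* no core file if it does abort */
        if (regcomp(&preg, pattern, REG_EXTENDED) != 0)
            _exit(2);                      /* rejected: regexec never runs */
        regexec(&preg, "", 2, pmatch, 0);
        regfree(&preg);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))               /* a failed assert() raises SIGABRT */
        return WTERMSIG(status) == SIGABRT ? PROBE_ABORTED : PROBE_ERROR;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return PROBE_REJECTED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PROBE_RAN_CLEANLY;
    return PROBE_ERROR;
}

int main(void)
{
    static const char *const names[] = { "rejected by regcomp (fixed)",
        "compiled and matched without aborting", "aborted in libc (not fixed)", "probe error" };
    printf("%s\n", names[probe_regex(CVE_2015_8985_PATTERN)]);
    return 0;
}
```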