[Bug regex/18040] New: use-after-free in regexec/get_subexp

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18040] New: use-after-free in regexec/get_subexp

maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18040

            Bug ID: 18040
           Summary: use-after-free in regexec/get_subexp
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

#include <regex.h>
#include <stdio.h>
int main() {
  regex_t r;
  char *p  = "!(.*)*\\*)\\1";
  char *s = "!!(.*)*\\*)\\1";
  if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED))
    regexec(&r, s, 0, 0, 0);
  regfree(&r);
  return 0;
}

% gcc -c  re2.c  && valgrind -q  ./a.out
==38369== Invalid read of size 1
==38369==    at 0x4F11FEC: get_subexp (regexec.c:2788)
==38369==    by 0x4F11FEC: transit_state_bkref (regexec.c:2603)
==38369==    by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369==    by 0x4F1438A: check_matching (regexec.c:1160)
==38369==    by 0x4F1438A: re_search_internal (regexec.c:829)
==38369==    by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
clang/fuzz/a.out)
==38369==  Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd
==38369==    at 0x4C2CB0A: realloc (vg_replace_malloc.c:692)
==38369==    by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157)
==38369==    by 0x4F0ADE3: extend_buffers (regexec.c:4110)
==38369==    by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728)
==38369==    by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852)
==38369==    by 0x4F120FE: get_subexp (regexec.c:2819)
==38369==    by 0x4F120FE: transit_state_bkref (regexec.c:2603)
==38369==    by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369==    by 0x4F1438A: check_matching (regexec.c:1160)
==38369==    by 0x4F1438A: re_search_internal (regexec.c:829)
==38369==    by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)

2.19 and fresh trunk are affected.

This is admittedly a use-after-realloc, so with a glibc's malloc it *may*
be hard to exploit, but if a different malloc is used this may become a true
use-after-free. So, conservatively applying security+.

Found with the same fuzzer as bugs 18032, 18036, 18037

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18040] use-after-free in regexec/get_subexp

maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18040

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Is it possible to trigger this without REG_EXTENDED and a back reference?

(“\1” in an ERE makes behavior undefined according to POSIX.)

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18040] use-after-free in regexec/get_subexp

maiku.fabian at gmail dot com
In reply to this post by maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18040

--- Comment #2 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Florian Weimer from comment #1)
> Is it possible to trigger this without REG_EXTENDED and a back reference?
>
> (“\1” in an ERE makes behavior undefined according to POSIX.)

I don't think I've seen this w/o REG_EXTENDED, but let me re-run the fuzzer
with cflags=0

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/18040] use-after-free in regexec/get_subexp

maiku.fabian at gmail dot com
In reply to this post by maiku.fabian at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18040

--- Comment #3 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
A quick fuzzing session did not reveal this bug with cflags=0,
but due to bug 18037 (and probably some other similar issues)
fuzzing is not very efficient.

--
You are receiving this mail because:
You are on the CC list for the bug.