[Bug regex/21442] New: Crash in re_search_stub

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug regex/21442] New: Crash in re_search_stub

macro@linux-mips.org
https://sourceware.org/bugzilla/show_bug.cgi?id=21442

            Bug ID: 21442
           Summary: Crash in re_search_stub
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear all,

We found a null pointer dereference resulting in a segmentation fault, that
might be a bug in diffutils or a bug in GLIBC depending on the perspective one
takes. The patch can be in GLIBC (introducing a simple null pointer check) or
in Diffutils (preventing the null pointer dereference altogether). We already
reported the bug downstream at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26690. Below we provide a quick
analysis. We think, it is actually an incorrect use of GLIBC. However, since it
can be easily prevented in GLIBC, we thought we should report it here as well.

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Van-Thuan Pham.

How to reproduce:
$ diff -Ia -I\\ <(printf "") <(echo a)
diff: \: Trailing backslash
diff: stack overflow

ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==74668==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc
0x7f0670589bad bp 0x000000000000 sp 0x7ffefbed15b0 T0)
   #0 0x7f0670589bac in re_search_stub
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414
   #1 0x7f067058a527 in re_search
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:312
   #2 0x555bfc in analyze_hunk
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/util.c:1522:8
   #3 0x4f91dd in diff_2_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/analyze.c:620:12
   #4 0x528971 in compare_files
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:1434:11
   #5 0x51882c in main
/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/../../src/diff.c:800:18
   #6 0x7f06704c4f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
   #7 0x41bac5 in _start
(/home/ubuntu/diffutils-analysis/diffutils/obj-asan/src/diff+0x41bac5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/eglibc-MjiXCM/eglibc-2.19/posix/regexec.c:414 in re_search_stub

This is our analysis:
For the diff-tool the argument -I<regexp> specifies the changed lines to
exclude. For each such argument, the function add_regexp in diff.c is called.
This function uses re_compile_pattern to successfully compile the first
pattern. However, it fails to compile the second pattern, giving the error
“Trailing backslash”. In both cases, the function uses the re_pattern_buffer
*ignore_regexp. However, the failed compilation corrupts *ignore_regexp,
setting ignore_regexp->buffer=0x0 and ignore_regexp->allocated=0. Later, in
function summarize_regexp_list, it is established that at least one pattern was
successfully compiled and ignore_regexp->fastmap is set, indicating that
re_search is being called in utils.c:1501. Unfortunately, it is being called on
the corrupted ignore_regexp where ignore_regexp->buf = 0x0. GLIBC does not
check for a null-pointer when derefencing the buffer in regexec.c:413.

GDB says:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
413     in regexec.c
(gdb) p *bufp
$1 = {buffer = 0x0, allocated = 0, used = 224, syntax = 330310, fastmap =
0x6271f0 "\330\036\335\367\377\177", translate = 0x0, re_nsub = 0, can_be_null
= 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 0, not_bol = 0, not_eol
= 0, newline_anchor = 1}
(gdb) bt
#0  0x00007ffff7af5056 in re_search_stub (bufp=0x6228a0 <ignore_regexp>,
string=string@entry=0x62a050 "a\n", length=1, start=start@entry=0, range=1,
stop=1, regs=0x0, ret_len=0) at regexec.c:413
#1  0x00007ffff7af5a70 in __re_search (bufp=<optimized out>,
string=string@entry=0x62a050 "a\n", length=<optimized out>,
start=start@entry=0, range=<optimized out>, regs=regs@entry=0x0) at
regexec.c:317
#2  0x000000000040ce1e in analyze_hunk (hunk=hunk@entry=0x627340,
first0=first0@entry=0x7fffffffdf80, last0=last0@entry=0x7fffffffdf88,
first1=first1@entry=0x7fffffffdf90, last1=last1@entry=0x7fffffffdf98) at
util.c:1522
#3  0x000000000040507d in diff_2_files (cmp=cmp@entry=0x7fffffffe060) at
analyze.c:620
#4  0x00000000004071f7 in compare_files (parent=parent@entry=0x0,
name0=0x7fffffffe6ec "/dev/fd/63", name1=<optimized out>) at diff.c:1434
#5  0x000000000040387e in main (argc=<optimized out>, argv=<optimized out>) at
diff.c:800

VALGRIND says:
==103798== Memcheck, a memory error detector
==103798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==103798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==103798== Command: src/diff -Ia -I\\ /dev/fd/63 /dev/fd/62
==103798==
src/diff: \: Trailing backslash
==103798== Invalid read of size 4
==103798==    at 0x4F21056: re_search_stub (regexec.c:413)
==103798==    by 0x4F21A6F: re_search (regexec.c:317)
==103798==    by 0x40CE1D: analyze_hunk (util.c:1522)
==103798==    by 0x40507C: diff_2_files (analyze.c:620)
==103798==    by 0x4071F6: compare_files (diff.c:1434)
==103798==    by 0x40387D: main (diff.c:800)
==103798==  Address 0xd8 is not stack'd, malloc'd or (recently) free'd
==103798==
diff: stack overflow
==103798==
==103798== HEAP SUMMARY:
==103798==     in use at exit: 4,970 bytes in 25 blocks
==103798==   total heap usage: 75 allocs, 50 frees, 28,030 bytes allocated
==103798==
==103798== LEAK SUMMARY:
==103798==    definitely lost: 136 bytes in 5 blocks
==103798==    indirectly lost: 120 bytes in 6 blocks
==103798==      possibly lost: 0 bytes in 0 blocks
==103798==    still reachable: 4,714 bytes in 14 blocks
==103798==         suppressed: 0 bytes in 0 blocks
==103798== Rerun with --leak-check=full to see details of leaked memory
==103798==
==103798== For counts of detected and suppressed errors, rerun with: -v
==103798== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Best regards,
- Marcel

---
Marcel Böhme
Senior Research Fellow
TSUNAMi Security Research Centre
National University of Singapore

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/21442] Crash in re_search_stub

macro@linux-mips.org
https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adhemerval.zanella at linaro dot o
                   |                            |rg

--- Comment #1 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Since re_exec is an GNU extension this API corner case should be documented and
afaik unfortunately they aren't (using the gnulib documentation [1]).

For these cases I tend to follow, if possible, the POSIX inspired API. On POSIX
regular expression API [2] states that:

"[...] If the preg argument to regexec() or regfree() is not a compiled regular
expression returned by regcomp(), the result is undefined. [...]"

So if I understood correctly the issue description, it is using an invalid
regular expression buffer description on re_search (since the expression
compilation failed). IMHO we should treat this as undefined (as POSIX
counterpart) and let the user handle it correctly.  In a short, I would say we
should close this as not a bug.

[1] https://www.gnu.org/software/gnulib/manual/html_node/GNU-Searching.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/21442] Crash in re_search_stub

macro@linux-mips.org
In reply to this post by macro@linux-mips.org
https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Marcel Böhme <boehme.marcel at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Marcel Böhme <boehme.marcel at gmail dot com> ---
Agreed. Thanks!

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/21442] Crash in re_search_stub

macro@linux-mips.org
In reply to this post by macro@linux-mips.org
https://sourceware.org/bugzilla/show_bug.cgi?id=21442

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--
You are receiving this mail because:
You are on the CC list for the bug.