Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 20 Mar 2015 16:40:00 -0400
From: Rich Felker <dalias@...c.org>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
Cc: musl@...ts.openwall.com, Szabolcs Nagy <szabolcs.nagy@....com>
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Fri, Mar 20, 2015 at 01:17:47PM -0700, Konstantin Serebryany wrote:
> Hi,
> 
> Following the discussion at the glibc mailing list
> (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html)
> I've tried to fuzz musl regcomp and the first bug popped up quickly.
> Please let me know if you would be interested in adding the fuzzer
> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
> to the musl testing process.
> 
> Exact repro steps, just copy-paste (assuming you have fresh clang)
> ===================  ===============
> tar xf ~/Downloads/musl-1.1.7.tar.gz
> cd musl-1.1.7
> ../configure && make -j
> cat << EOF > bug1.c
> #include <string.h>
> #include <stdlib.h>
> #include "regex.h"
> 
> int main() {
>   regex_t preg;
>   char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51,
> 48, 92, 125, 0};

Simplified test case:
    char a[] = "\\\375\\{2\\}";

The problem seems to be handling of [backslash], [illegal sequence],
[repetition]. I haven't analyzed the cause, but that was my initial
guess and the minimal example I was able to reduce it to without the
crash disappearing.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.