Date: Sun, 30 Oct 2016 14:29:17 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - integer overflow and crash parsing regex in mujs

Hi,

It seems there is an integer overflow somewhere affecting function
js_regcomp (line 843 in regexp.c) in mujs. To reproduce (tested in revision
5c337af4b3df80cf967e4f9f6a21522de84b392a):

$ echo '(/.{135303839468541,43}/);' | valgrind --quiet ./build/mujs
==29376== Argument 'size' of function malloc has a fishy (possibly negative) value: -5152
==29376==    at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29376==    by 0x415FCC: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==
==29376== Invalid write of size 2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==29376==
==29376==
==29376== Process terminating with default action of signal 11 (SIGSEGV)
==29376==  Access not within mapped region at address 0x2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)

This test case was found using QuickFuzz. Please assign a CVE if suitable.
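The report above shows a counted repetition `{135303839468541,43}` whose bound reaches the size computation unchecked, so malloc receives a wrapped, negative-looking size. The following is an added example, not code from the report or from mujs: a hardened `{m,n}` quantifier parser that rejects counts above an illustrative cap, plus a checked multiplication for the unrolled program size, so an oversized count fails cleanly at parse time rather than at malloc. REP_MAX, read_count, parse_repeat and unroll_size are assumed names; mujs's own limit and function layout are not on the page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative cap on counted repetitions; mujs's real limit is not on the page. */
#define REP_MAX 255
/* Read one decimal count into *out. Rejects sign, whitespace, ERANGE and
 * values above REP_MAX, so the count is safe for later size arithmetic. */
static int read_count(const char **sp, int *out)
{
    const char *s = *sp;
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || v > REP_MAX)
        return -1;
    *out = (int)v;
    *sp = end;
    return 0;
}

/* Parse "{m}", "{m,}" or "{m,n}" at s into *min/*max (*max == -1 means
 * unbounded). Returns 0, or -1 for malformed or oversized bounds. */
int parse_repeat(const char *s, int *min, int *max)
{
    if (*s++ != '{' || read_count(&s, min) < 0)
        return -1;
    if (*s == '}') { *max = *min; return 0; }
    if (*s++ != ',')
        return -1;
    if (*s == '}') { *max = -1; return 0; }
    if (read_count(&s, max) < 0 || *s != '}' || *max < *min)
        return -1;
    return 0;
}

/* Size of `len` items unrolled `count` times, with the multiply checked so
 * the result can never wrap into a negative-looking malloc argument. */
int unroll_size(size_t len, int count, size_t *out)
{
    if (count < 0 || (len != 0 && (size_t)count > SIZE_MAX / len))
        return -1;
    *out = len * (size_t)count;
    return 0;
}
```

With this parser the report's input is refused before any allocation, and a count that slips through the cap still cannot produce a wrapped size.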
