Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Mar 2015 13:17:47 -0700
From: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
To: musl@...ts.openwall.com, Szabolcs Nagy <szabolcs.nagy@....com>
Subject: buffer overflow in regcomp and a way to find more of those

Hi,

Following the discussion at the glibc mailing list
(https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html)
I've tried to fuzz musl regcomp and the first bug popped up quickly.
Please let me know if you would be interested in adding the fuzzer
(http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
to the musl testing process.

Exact repro steps, just copy-paste (assuming you have fresh clang)
===================  ===============
tar xf ~/Downloads/musl-1.1.7.tar.gz
cd musl-1.1.7
./configure && make -j
cat << EOF > bug1.c
#include <string.h>
#include <stdlib.h>
#include "regex.h"

int main() {
  regex_t preg;
  char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51,
48, 92, 125, 0};
  char *s = strdup(a);
  if (0 == regcomp(&preg, s, 0)) {
    regfree(&preg);
  }
  free(s);
  return 0;
}
EOF
clang  -g  -fsanitize=address  ./src/regex/reg*.c src/regex/tre*.c
src/locale/__lctrans.c src/internal/libc.c -I include -I src/internal/
-Iarch/x86_64 bug1.c
ASAN_OPTIONS=strip_path_prefix=`pwd`/ ./a.out

==33356==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000ef44 at pc 0x0000004d8cb9 bp 0x7fff09d51b10 sp
0x7fff09d51b08
WRITE of size 4 at 0x60200000ef44 thread T0
    #0 0x4d8cb8 in tre_copy_ast src/regex/regcomp.c:1697:27
    #1 0x4cc332 in tre_expand_ast src/regex/regcomp.c:1884:16
    #2 0x4c4de2 in regcomp src/regex/regcomp.c:2739:13
    #3 0x4e9e06 in main bug1.c:9:12
    #4 0x7f49f1086ec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
    #5 0x416d45 in _start (a.out+0x416d45)

0x60200000ef44 is located 8 bytes to the right of 12-byte region
[0x60200000ef30,0x60200000ef3c)
allocated by thread T0 here:
    #0 0x4a20a4 in calloc
/usr/local/google/home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56:3
    #1 0x4c4bd9 in regcomp src/regex/regcomp.c:2721:28
    #2 0x4e9e06 in main bug1.c:9:12

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.