Date: Fri, 20 Mar 2015 13:17:47 -0700
From: Konstantin Serebryany <>
To:, Szabolcs Nagy <>
Subject: buffer overflow in regcomp and a way to find more of those


Following the discussion at the glibc mailing list
I've tried to fuzz musl regcomp and the first bug popped up quickly.
Please let me know if you would be interested in adding the fuzzer
to the musl testing process.

Exact repro steps, just copy-paste (assuming you have fresh clang)
===================  ===============
tar xf ~/Downloads/musl-1.1.7.tar.gz
cd musl-1.1.7
./configure && make -j
cat << EOF > bug1.c
#include <string.h>
#include <stdlib.h>
#include "regex.h"

int main() {
  regex_t preg;
  char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51, 48, 92, 125, 0};
  char *s = strdup(a);
  if (0 == regcomp(&preg, s, 0)) {
    regfree(&preg);
  }
  free(s);
  return 0;
}
EOF
clang -g -fsanitize=address ./src/regex/reg*.c src/regex/tre*.c src/locale/__lctrans.c src/internal/libc.c -I include -I src/internal/ -Iarch/x86_64 bug1.c
ASAN_OPTIONS=strip_path_prefix=`pwd`/ ./a.out

==33356==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000ef44 at pc 0x0000004d8cb9 bp 0x7fff09d51b10 sp
WRITE of size 4 at 0x60200000ef44 thread T0
    #0 0x4d8cb8 in tre_copy_ast src/regex/regcomp.c:1697:27
    #1 0x4cc332 in tre_expand_ast src/regex/regcomp.c:1884:16
    #2 0x4c4de2 in regcomp src/regex/regcomp.c:2739:13
    #3 0x4e9e06 in main bug1.c:9:12
    #4 0x7f49f1086ec4 in __libc_start_main
    #5 0x416d45 in _start (a.out+0x416d45)

0x60200000ef44 is located 8 bytes to the right of 12-byte region
allocated by thread T0 here:
    #0 0x4a20a4 in calloc
    #1 0x4c4bd9 in regcomp src/regex/regcomp.c:2721:28
    #2 0x4e9e06 in main bug1.c:9:12

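The message above describes fuzzing regcomp() under AddressSanitizer but does not include the harness itself. What follows is an added example, not Konstantin's fuzzer and not part of musl: a libFuzzer entry point for regcomp() that treats the last input byte as a selector for the cflags and the rest as the pattern, copies the pattern into an exactly-sized heap buffer so any out-of-bounds access is reported by ASan, and a replay function that feeds the 16 pattern bytes from bug1.c through the same path. The file name harness.c, the STANDALONE_REPRO macro and the selector-byte layout are choices made here; LLVMFuzzerTestOneInput and the -fsanitize=fuzzer,address flags are the real libFuzzer interface.

```c
#include <regex.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Map the fuzzer-controlled selector byte to regcomp() cflags.  The bits are
 * tested one by one rather than OR-ed in directly, so the harness does not
 * depend on the numeric values a particular libc assigns to the flags. */
int cflags_from_byte(uint8_t b) {
    int cflags = 0;
    if (b & 1) cflags |= REG_EXTENDED;
    if (b & 2) cflags |= REG_ICASE;
    if (b & 4) cflags |= REG_NEWLINE;
    if (b & 8) cflags |= REG_NOSUB;
    return cflags;
}

/* libFuzzer entry point.  Layout of one input (a convention chosen for this
 * example): pattern bytes followed by a single selector byte that picks the
 * cflags.  The pattern is copied into a heap buffer of exactly the right size
 * so that a read or write past its end lands in AddressSanitizer's redzone and
 * is reported, as in the heap-buffer-overflow trace in the message above. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    int cflags = 0;
    size_t plen = 0;
    if (size > 0) {
        cflags = cflags_from_byte(data[size - 1]);
        plen = size - 1;
    }

    char *pattern = malloc(plen + 1);
    if (pattern == NULL)
        return 0;
    if (plen > 0)
        memcpy(pattern, data, plen);
    pattern[plen] = '\0';

    regex_t preg;
    memset(&preg, 0, sizeof preg);
    if (regcomp(&preg, pattern, cflags) == 0)
        regfree(&preg);   /* only a successful compile owns resources */

    free(pattern);
    return 0;             /* libFuzzer expects 0; crashes are reported by ASan */
}

/* The 16 pattern bytes from bug1.c in the message above, followed by a 0x00
 * selector byte so the harness compiles them with cflags == 0 as bug1.c does. */
static const uint8_t post_repro[] = {
    40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51, 48, 92, 125, 0x00
};

/* Replays the reported input through the harness; returns the harness result. */
int replay_post_repro(void) {
    return LLVMFuzzerTestOneInput(post_repro, sizeof post_repro);
}

#ifdef STANDALONE_REPRO
/* Build without libFuzzer to replay only the reported input, e.g. against the
 * musl sources with the same -I flags as the message above:
 *   clang -g -fsanitize=address -DSTANDALONE_REPRO harness.c <musl regex sources...>
 * For a fuzzing run, drop the macro and use -fsanitize=fuzzer,address instead;
 * libFuzzer then supplies main() and calls LLVMFuzzerTestOneInput repeatedly. */
int main(void) {
    return replay_post_repro();
}
#endif
```

Compiled against musl's src/regex sources as in the message, the replay reproduces the reported write in tre_copy_ast under ASan; against a libc without the bug it simply returns 0. Keeping the pattern in a separately malloc'd buffer rather than on the stack is what turns a silent one-byte overrun into an immediate ASan report, so the harness should not "help" regcomp by over-allocating.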