Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150320212803.GC16260@port70.net>
Date: Fri, 20 Mar 2015 22:28:03 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Cc: Szabolcs Nagy <szabolcs.nagy@....com>
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-20 13:17:47 -0700]:
> Following the discussion at the glibc mailing list
> (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html)
> I've tried to fuzz musl regcomp and the first bug popped up quickly.
> Please let me know if you would be interested in adding the fuzzer
> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
> to the musl testing process.


thanks for doing this

i think i already know what's the bug is

(of course it's in an underspecified extension where applications
expect conflicting behaviour... but the segfault is my bug)

> Exact repro steps, just copy-paste (assuming you have fresh clang)
> ===================  ===============
> tar xf ~/Downloads/musl-1.1.7.tar.gz
> cd musl-1.1.7
> ./configure && make -j
> cat << EOF > bug1.c
> #include <string.h>
> #include <stdlib.h>
> #include "regex.h"
> 
> int main() {
>   regex_t preg;
>   char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51,
> 48, 92, 125, 0};
>   char *s = strdup(a);
>   if (0 == regcomp(&preg, s, 0)) {
>     regfree(&preg);
>   }
>   free(s);
>   return 0;
> }
> EOF
> clang  -g  -fsanitize=address  ./src/regex/reg*.c src/regex/tre*.c
> src/locale/__lctrans.c src/internal/libc.c -I include -I src/internal/
> -Iarch/x86_64 bug1.c
> ASAN_OPTIONS=strip_path_prefix=`pwd`/ ./a.out
> 

looks simple

i'll set up some glibc based virtual machine to be able to play with it

thanks again

> ==33356==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000ef44 at pc 0x0000004d8cb9 bp 0x7fff09d51b10 sp
> 0x7fff09d51b08
> WRITE of size 4 at 0x60200000ef44 thread T0
>     #0 0x4d8cb8 in tre_copy_ast src/regex/regcomp.c:1697:27
>     #1 0x4cc332 in tre_expand_ast src/regex/regcomp.c:1884:16
>     #2 0x4c4de2 in regcomp src/regex/regcomp.c:2739:13
>     #3 0x4e9e06 in main bug1.c:9:12
>     #4 0x7f49f1086ec4 in __libc_start_main
> /build/buildd/eglibc-2.19/csu/libc-start.c:287
>     #5 0x416d45 in _start (a.out+0x416d45)
> 
> 0x60200000ef44 is located 8 bytes to the right of 12-byte region
> [0x60200000ef30,0x60200000ef3c)
> allocated by thread T0 here:
>     #0 0x4a20a4 in calloc
> /usr/local/google/home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56:3
>     #1 0x4c4bd9 in regcomp src/regex/regcomp.c:2721:28
>     #2 0x4e9e06 in main bug1.c:9:12

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.