Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 30 Oct 2016 14:29:17 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - integer overflow and crash parsing regex in mujs

Hi,

It seems there is an integer overflow somewhere affecting function
js_regcomp (line 843 in regexp.c) in mujs. To reproduce (tested in revision
5c337af4b3df80cf967e4f9f6a21522de84b392a):

$ echo '(/.{135303839468541,43}/);' | valgrind --quiet ./build/mujs
==29376== Argument 'size' of function malloc has a fishy (possibly
negative) value: -5152
==29376==    at 0x4C2AB8D: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29376==    by 0x415FCC: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in
/home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==
==29376== Invalid write of size 2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in
/home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==29376==
==29376==
==29376== Process terminating with default action of signal 11 (SIGSEGV)
==29376==  Access not within mapped region at address 0x2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in
/home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)

This test case was found using QuickFuzz. Please assign CVE is suitable.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.