This is the mail archive of the glibc-bugs-regex@sourceware.org mailing list for the glibc project.
[Bug regex/18040] New: use-after-free in regexec/get_subexp
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs-regex at sourceware dot org
- Date: Thu, 26 Feb 2015 21:31:05 +0000
- Subject: [Bug regex/18040] New: use-after-free in regexec/get_subexp
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18040
Bug ID: 18040
Summary: use-after-free in regexec/get_subexp
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Flags: security+
#include <regex.h>
#include <stdio.h>

int main(void) {
    regex_t r;
    /* Pattern and subject that drive regexec() into the stale read. */
    const char *p = "!(.*)*\\*)\\1";
    const char *s = "!!(.*)*\\*)\\1";
    if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED))
        regexec(&r, s, 0, 0, 0);
    regfree(&r);
    return 0;
}
% gcc -c re2.c && valgrind -q ./a.out
==38369== Invalid read of size 1
==38369== at 0x4F11FEC: get_subexp (regexec.c:2788)
==38369== by 0x4F11FEC: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
clang/fuzz/a.out)
==38369== Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd
==38369== at 0x4C2CB0A: realloc (vg_replace_malloc.c:692)
==38369== by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157)
==38369== by 0x4F0ADE3: extend_buffers (regexec.c:4110)
==38369== by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728)
==38369== by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852)
==38369== by 0x4F120FE: get_subexp (regexec.c:2819)
==38369== by 0x4F120FE: transit_state_bkref (regexec.c:2603)
==38369== by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369== by 0x4F1438A: check_matching (regexec.c:1160)
==38369== by 0x4F1438A: re_search_internal (regexec.c:829)
==38369== by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
2.19 and fresh trunk are affected.
This is admittedly a use-after-realloc, so with glibc's malloc it *may*
be hard to exploit, but if a different malloc is used this may become a true
use-after-free. So, conservatively applying security+.
Found with the same fuzzer as bugs 18032, 18036, 18037.
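To show the bug class behind this report, a pointer cached into a buffer that extend_buffers() may realloc, here is an added C model (not glibc's code and not the reporter's): a growable buffer that always relocates on extension, so the stale read is a true use-after-free as the report anticipates for non-glibc allocators, next to the hardened form that re-derives its pointer after the extension. The names growbuf, read_stale and read_fresh are made up for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class in this report (not glibc code): a
   growable input buffer, like re_string's, whose storage moves when it is
   extended, and a caller that keeps a raw pointer into it across the call. */
typedef struct { char *buf; size_t len; size_t cap; } growbuf;

int growbuf_init(growbuf *g, const char *s) {
    g->len = strlen(s); g->cap = g->len + 1;
    g->buf = malloc(g->cap);
    if (!g->buf) return -1;
    memcpy(g->buf, s, g->len);
    return 0;
}

/* Stand-in for extend_buffers(): always relocates, like an allocator that
   never grows in place, so any stale pointer becomes a true use-after-free. */
int growbuf_extend(growbuf *g, const char *more, size_t n) {
    size_t ncap = (g->len + n) * 2;
    char *nb = malloc(ncap);
    if (!nb) return -1;
    memcpy(nb, g->buf, g->len);
    free(g->buf);                    /* every pointer into the old block now dangles */
    g->buf = nb; g->cap = ncap;
    memcpy(g->buf + g->len, more, n);
    g->len += n;
    return 0;
}

/* Buggy shape (same class as the regexec.c:2788 read in the report): cache a
   pointer, call something that may extend the buffer, read via the cache. */
char read_stale(growbuf *g, size_t idx, const char *more, size_t n) {
    const char *p = g->buf;          /* cached before the buffer may move */
    growbuf_extend(g, more, n);      /* frees the block p points into */
    return p[idx];                   /* use-after-free; valgrind/ASan report it */
}

/* Hardened shape: keep an index, re-derive the pointer after any call that
   can extend the buffer, and bounds-check against the current length. */
char read_fresh(growbuf *g, size_t idx, const char *more, size_t n) {
    if (growbuf_extend(g, more, n) != 0) return '\0';
    const char *p = g->buf;          /* reloaded after the possible move */
    return idx < g->len ? p[idx] : '\0';
}

void growbuf_free(growbuf *g) { free(g->buf); g->buf = NULL; g->len = g->cap = 0; }

int main(void) {
    growbuf g;
    if (growbuf_init(&g, "!!(.*)") != 0) return 1;
    char c = read_fresh(&g, 11, "*\\*)\\1", 6);   /* last byte of the appended tail */
    growbuf_free(&g);
    return c == '1' ? 0 : 1;
}
```

Running read_stale() instead of read_fresh() under valgrind or AddressSanitizer produces an "invalid read" on freed memory of the same shape as the trace in this report.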