This is the mail archive of the glibc-bugs-regex@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug regex/18040] New: use-after-free in regexec/get_subexp


https://sourceware.org/bugzilla/show_bug.cgi?id=18040

            Bug ID: 18040
           Summary: use-after-free in regexec/get_subexp
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

#include <regex.h>
#include <stdio.h>
int main() {
  regex_t r;
  char *p  = "!(.*)*\\*)\\1";
  char *s = "!!(.*)*\\*)\\1";
  if (!regcomp(&r, p, REG_ICASE | REG_EXTENDED))
    regexec(&r, s, 0, 0, 0);
  regfree(&r);
  return 0;
} 

% gcc -c  re2.c  && valgrind -q  ./a.out
==38369== Invalid read of size 1
==38369==    at 0x4F11FEC: get_subexp (regexec.c:2788)
==38369==    by 0x4F11FEC: transit_state_bkref (regexec.c:2603)
==38369==    by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369==    by 0x4F1438A: check_matching (regexec.c:1160)
==38369==    by 0x4F1438A: re_search_internal (regexec.c:829)
==38369==    by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)
clang/fuzz/a.out)
==38369==  Address 0x51fd1d8 is 8 bytes inside a block of size 11 free'd
==38369==    at 0x4C2CB0A: realloc (vg_replace_malloc.c:692)
==38369==    by 0x4F0ADE3: re_string_realloc_buffers (regex_internal.c:157)
==38369==    by 0x4F0ADE3: extend_buffers (regexec.c:4110)
==38369==    by 0x4F11B84: clean_state_log_if_needed (regexec.c:1728)
==38369==    by 0x4F11B84: get_subexp_sub.isra.27 (regexec.c:2852)
==38369==    by 0x4F120FE: get_subexp (regexec.c:2819)
==38369==    by 0x4F120FE: transit_state_bkref (regexec.c:2603)
==38369==    by 0x4F1438A: merge_state_with_log (regexec.c:2384)
==38369==    by 0x4F1438A: check_matching (regexec.c:1160)
==38369==    by 0x4F1438A: re_search_internal (regexec.c:829)
==38369==    by 0x4F19D84: regexec@@GLIBC_2.3.4 (regexec.c:253)

2.19 and fresh trunk are affected. 

This is admittedly a use-after-realloc, so with a glibc's malloc it *may*
be hard to exploit, but if a different malloc is used this may become a true
use-after-free. So, conservatively applying security+. 

Found with the same fuzzer as bugs 18032, 18036, 18037

-- 
You are receiving this mail because:
You are on the CC list for the bug.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]