Segmentation Fault via recursive loop in Gawk
From: ttfish
Subject: Segmentation Fault via recursive loop in Gawk
Date: Tue, 19 Mar 2024 21:48:34 +0800
Dear GNU gawk developers,
Greetings. I am writing to report a recursive loop bug found in gawk.
## Description
The bug is located in the support/regcomp.c file within the parse_reg_exp
function. The vulnerability involves the functions `parse_expression`,
`parse_branch` and `parse_sub_exp`, and exists in the latest stable release
(gawk 5.3.0) and the latest master branch
(ff873ce52bf6a1766935281883b74b49edc7d38f, updated on March 04, 2024). The
inner variables `preg`, `token`, `syntax` and `nest` keep unchanged values
across the recursive calls and lead to a segmentation fault.
## Proof of Concept
The attached PoC could result in a segmentation fault and subsequent program
termination.
It could be reproduced with the attached PoC file as input:
```bash
gawk -f POC-FILE {anyfile}
```
The backtrace log could be found below:
```
#4 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2242
#5 0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2169
#6 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2121
#7 0x00000000006f4e72 in parse_sub_exp (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2456
#8 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2242
#9 0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2169
#10 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
# repeat ...
#17868 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2242
#17869 0x00000000006f265a in parse_branch (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2176
#17870 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2121
#17871 0x00000000006e6db2 in parse (regexp=0x7ffff5c09b30,
preg=0x50b00001a920, syntax=2339405, err=0x7ffff5c09b20)
at ./regcomp.c:2089
#17872 0x00000000006dd100 in re_compile_internal (
preg=0x50b00001a920,
pattern=0x52c000010200
"()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
times>..., length=28345, syntax=2339405)
at ./regcomp.c:764
#17873 0x00000000006dc5ca in re_compile_pattern (
pattern=0x52c000010200
"()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
times>..., length=28345,
bufp=0x50b00001a920) at ./regcomp.c:217
#17874 0x00000000006a4128 in make_regexp (
s=0x52c000008200
"()\326*()+\\5342+()*\\5342\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats
160 times>..., len=28345, ignorecase=false,
dfa=true, canfatal=false) at re.c:257
#17875 0x00000000005944c4 in make_regnode (type=Node_regex,
exp=0x526000009720)
at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:5297
#17876 0x00000000005728a6 in yyparse ()
at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:572
#17877 0x000000000059fe3d in parse_program (
pcode=0x113d8a0 <code_block>, from_eval=false)
at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:2803
#17878 0x00000000006783e8 in main (argc=4, argv=0x7fffffffd9c8)
at main.c:504
```
## Impact
This vulnerability allows attackers to cause a denial of service by
crashing the gawk instance, or to perform malicious memory manipulation.
## Attachments
Please find the PoC file attached.
Please feel free to contact me if you have any further questions.
Best regards,
ttfish
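The backtrace above repeats the same four frames per nesting level (parse_sub_exp, parse_reg_exp, parse_branch, parse_expression: roughly 17,867 parser frames for a `nest` of 4466), with `nest` the only argument that changes. The toy parser below is an added illustration and is not gawk's or glibc's regcomp.c code: it reproduces that mutually recursive call chain for parenthesised groups, so the reader can see why each `(` costs a fixed number of stack frames, and it adds a hypothetical nesting cap (`MAX_NEST`, the `toy_*` names, the `TOY_*` error codes and `toy_nested_pattern` are all assumptions of this example, not identifiers from the page or from gawk) so that deeply nested input is rejected with an error instead of running until the stack is exhausted.

```c
/*
 * Added example, not gawk's code. A toy recursive-descent parser for
 * regex groups with the same four-function chain the gawk backtrace shows
 * (parse_reg_exp -> parse_branch -> parse_expression -> parse_sub_exp).
 * MAX_NEST is a hypothetical cap chosen for this example; regcomp.c's
 * real handling of nesting is not shown on the page.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { TOY_OK = 0, TOY_EPAREN = 1, TOY_ENEST = 2, TOY_EESCAPE = 3 };

#define MAX_NEST 200   /* hypothetical nesting limit for this example */

struct toy_re {
    const char *pat;   /* pattern text */
    size_t pos;        /* cursor into pat */
    int max_nest;      /* deepest nesting reached, for reporting */
};

static int toy_parse_reg_exp(struct toy_re *re, int nest, int *err);

/* Called just after '(': parse the inner regexp and require ')'. */
static int toy_parse_sub_exp(struct toy_re *re, int nest, int *err)
{
    if (nest > MAX_NEST) { *err = TOY_ENEST; return -1; }  /* the added check */
    if (nest > re->max_nest) re->max_nest = nest;
    if (re->pat[re->pos] != ')' && toy_parse_reg_exp(re, nest, err) < 0)
        return -1;
    if (re->pat[re->pos] != ')') { *err = TOY_EPAREN; return -1; }
    re->pos++;
    return 0;
}

/* One atom (group, escape or literal byte) plus postfix repetition. */
static int toy_parse_expression(struct toy_re *re, int nest, int *err)
{
    char c = re->pat[re->pos];
    if (c == '(') {
        re->pos++;
        if (toy_parse_sub_exp(re, nest + 1, err) < 0) return -1;  /* recursion */
    } else if (c == '\\') {
        if (re->pat[re->pos + 1] == '\0') { *err = TOY_EESCAPE; return -1; }
        re->pos += 2;
    } else {
        re->pos++;
    }
    while (re->pat[re->pos] != '\0' && strchr("*+?", re->pat[re->pos]) != NULL)
        re->pos++;
    return 0;
}

/* Sequence of expressions up to '|', ')' or end of pattern. */
static int toy_parse_branch(struct toy_re *re, int nest, int *err)
{
    while (re->pat[re->pos] != '\0' && re->pat[re->pos] != '|' &&
           re->pat[re->pos] != ')')
        if (toy_parse_expression(re, nest, err) < 0) return -1;
    return 0;
}

/* Alternation: branch ('|' branch)*. */
static int toy_parse_reg_exp(struct toy_re *re, int nest, int *err)
{
    if (toy_parse_branch(re, nest, err) < 0) return -1;
    while (re->pat[re->pos] == '|') {
        re->pos++;
        if (toy_parse_branch(re, nest, err) < 0) return -1;
    }
    return 0;
}

/* Returns a TOY_* code; *deepest receives the maximum nesting seen. */
int toy_compile(const char *pat, int *deepest)
{
    struct toy_re re = { pat, 0, 0 };
    int err = TOY_OK;
    if (toy_parse_reg_exp(&re, 0, &err) == 0 && pat[re.pos] != '\0')
        err = TOY_EPAREN;            /* stray ')' at top level */
    if (deepest) *deepest = re.max_nest;
    return err;
}

/* Constructed input: depth x '(' + "a" + depth x ')', caller frees. */
char *toy_nested_pattern(size_t depth)
{
    char *s = malloc(2 * depth + 2);
    if (s == NULL) return NULL;
    memset(s, '(', depth);
    s[depth] = 'a';
    memset(s + depth + 1, ')', depth);
    s[2 * depth + 1] = '\0';
    return s;
}

int main(void)
{
    int deepest = 0;
    char *p = toy_nested_pattern(MAX_NEST + 1);
    printf("depth %d -> err %d\n", MAX_NEST + 1, toy_compile(p, &deepest));
    free(p);
    return 0;
}
```

Without the `nest > MAX_NEST` check the toy behaves like the backtrace: every `(` adds four frames and nothing bounds the depth except the thread's stack size, so a pattern a few tens of thousands of bytes long is enough to overflow it. With the check the parser fails cleanly, which is the behaviour a compiler for untrusted patterns should have regardless of how the upstream code eventually resolves this report.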