bug-gawk

Segmentation Fault via recursive loop in Gawk


From: ttfish
Subject: Segmentation Fault via recursive loop in Gawk
Date: Tue, 19 Mar 2024 21:48:34 +0800

Dear GNU gawk developers,

Greetings. I am writing to report a recursive loop bug found in gawk.

## Description

The bug is located in the support/regcomp.c file within the parse_reg_exp
function. The vulnerability involves the functions "parse_expression",
"parse_branch" and "parse_sub_exp" and exists in the latest stable release
(gawk 5.3.0) and the latest master branch
(ff873ce52bf6a1766935281883b74b49edc7d38f, updated on March 04, 2024). The
inner variables `preg`, `token`, `syntax` and `nest` would keep unchanged
values in the recursive calls and lead to a segmentation fault.

## Proof of Concept

The attached PoC could result in a segmentation fault and subsequent program
termination.

It can be reproduced with the attached PoC file and the input:

```bash
gawk -f POC-FILE {anyfile}
```

The backtrace log can be found below:

```text
#4  0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2242
#5  0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2169
#6  0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2121
#7  0x00000000006f4e72 in parse_sub_exp (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2456
#8  0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2242
#9  0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2169
#10 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,

# repeat ...

#17868 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2242
#17869 0x00000000006f265a in parse_branch (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2176
#17870 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
    nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2121
#17871 0x00000000006e6db2 in parse (regexp=0x7ffff5c09b30,
    preg=0x50b00001a920, syntax=2339405, err=0x7ffff5c09b20)
    at ./regcomp.c:2089
#17872 0x00000000006dd100 in re_compile_internal (
    preg=0x50b00001a920,
    pattern=0x52c000010200
"()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
times>..., length=28345, syntax=2339405)
    at ./regcomp.c:764
#17873 0x00000000006dc5ca in re_compile_pattern (
    pattern=0x52c000010200
"()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
times>..., length=28345,
    bufp=0x50b00001a920) at ./regcomp.c:217
#17874 0x00000000006a4128 in make_regexp (
    s=0x52c000008200
"()\326*()+\\5342+()*\\5342\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats
160 times>..., len=28345, ignorecase=false,
    dfa=true, canfatal=false) at re.c:257
#17875 0x00000000005944c4 in make_regnode (type=Node_regex,
    exp=0x526000009720)
    at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:5297
#17876 0x00000000005728a6 in yyparse ()
    at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:572
#17877 0x000000000059fe3d in parse_program (
    pcode=0x113d8a0 <code_block>, from_eval=false)
    at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:2803
#17878 0x00000000006783e8 in main (argc=4, argv=0x7fffffffd9c8)
    at main.c:504
```

## Impact

This vulnerability allows attackers to cause a denial of service by
crashing the gawk instance, or to perform malicious memory manipulation.

## Attachments

Please find the attached PoC file in the attachment.

Please feel free to contact me if you have any further questions.

Best regards,
ttfish

Attachment: POCFILE
Description: Binary data
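The backtrace above shows the classic shape of a recursive-descent parser exhausting its stack: `parse_reg_exp`, `parse_branch`, `parse_expression` and `parse_sub_exp` recurse once per nesting level, and the pattern in frame #17872 is a long run of `(`. One way a caller can defend against this class of input, independent of any fix inside the regex engine, is to bound the parenthesis nesting depth of a pattern before compiling it. The following is an added example written for this page, not code from the report or from gawk; its escape handling, bracket-expression handling and the `REGEX_MAX_GROUP_DEPTH` limit are assumptions chosen for illustration (ERE-style syntax, where an unescaped `(` opens a group).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit, not a gawk setting: pick a value that comfortably fits the
 * stack budget of the process that will compile the pattern. */
#define REGEX_MAX_GROUP_DEPTH 200

/* Returns the deepest nesting of unescaped '(' in pat[0..len), ignoring
 * parentheses that are escaped by a backslash or that appear inside a bracket
 * expression such as "[()]" or "[[:alpha:]]". Unmatched ')' is ignored. */
size_t regex_group_depth(const char *pat, size_t len)
{
    size_t depth = 0, max_depth = 0, i = 0;

    while (i < len) {
        char c = pat[i];

        if (c == '\\') {            /* escaped byte: never a group delimiter */
            i += 2;
            continue;
        }
        if (c == '[') {             /* bracket expression: skip to its closing ']' */
            i++;
            if (i < len && pat[i] == '^') i++;
            if (i < len && pat[i] == ']') i++;      /* a leading ']' is literal */
            while (i < len && pat[i] != ']') {
                /* "[:class:]", "[.coll.]" and "[=equiv=]" may contain ']' */
                if (pat[i] == '[' && i + 1 < len &&
                    (pat[i + 1] == ':' || pat[i + 1] == '.' || pat[i + 1] == '=')) {
                    char kind = pat[i + 1];
                    i += 2;
                    while (i + 1 < len && !(pat[i] == kind && pat[i + 1] == ']'))
                        i++;
                    i += 2;         /* past "kind]" */
                } else {
                    i++;
                }
            }
            i++;                    /* past the closing ']' (or past the end) */
            continue;
        }
        if (c == '(') {
            depth++;
            if (depth > max_depth)
                max_depth = depth;
        } else if (c == ')' && depth > 0) {
            depth--;
        }
        i++;
    }
    return max_depth;
}

/* 1 if the pattern nests groups no deeper than limit, 0 if it should be rejected
 * before it reaches the regex compiler. */
int regex_depth_ok(const char *pat, size_t len, size_t limit)
{
    return regex_group_depth(pat, len) <= limit;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *normal = "^([a-z]+)\\(([0-9]{2,4})\\)$";
    char deep[5001];
    memset(deep, '(', 5000);        /* a long run of '(' like the one in the backtrace */
    deep[5000] = '\0';

    printf("normal pattern depth %zu, ok=%d\n", regex_group_depth(normal, strlen(normal)),
           regex_depth_ok(normal, strlen(normal), REGEX_MAX_GROUP_DEPTH));
    printf("deep pattern depth %zu, ok=%d\n", regex_group_depth(deep, strlen(deep)),
           regex_depth_ok(deep, strlen(deep), REGEX_MAX_GROUP_DEPTH));
    return 0;
}
```

The check is linear in the pattern length and uses no recursion itself, so it can sit in front of any regex compiler whose recursion depth is proportional to group nesting. It is a coarse guard: a pattern that passes can still be rejected by the engine for other reasons, and the limit only needs to be far below the depth at which the engine's recursion overflows the stack.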

