
Re: regex_internal: uninitialized memory access (long)

From: Assaf Gordon
Subject: Re: regex_internal: uninitialized memory access (long)
Date: Fri, 24 Aug 2018 17:59:03 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1


On 13/08/18 03:51 PM, Assaf Gordon wrote:
I suspect there is an uninitialized memory access deep inside
regex_internal.c under very particular circumstances.

(continuation of https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html )

I've pin-pointed the change that causes the segfault,
and this likely also affects glibc.

1. The input regex contains a multibyte character with
   different upper/lower case representations.
2. The input regex also contains a NUL character.
3. In regex_internal.c function build_wcs_upper_buffer(),
   the code was changed like so:

-       if (BE ((size_t) (mbclen + 2) > 2, 1))
+       if (BE (mbclen < (size_t) -2, 1))
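Review bot: the two conditions are not equivalent at mbclen == 0, which is the value mbrtowc() returns for a NUL byte. In size_t arithmetic, (size_t) (0 + 2) > 2 is false, so the old test rejected 0 together with (size_t) -1 (which wraps to 1) and (size_t) -2 (which wraps to 0); the new test evaluates 0 < (size_t) -2 as true and so sends the NUL down the valid-character path. If the intent was only to exclude the two error sentinels while keeping the old behaviour for NUL, the replacement should keep 0 excluded as well, e.g. `mbclen != 0 && mbclen < (size_t) -2`, or the original expression should be restored.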

And this changed code subtly treats the case of "mbclen==0"
differently, which eventually leads to incorrect code flow,
and then to a crash.

In gnulib, this was changed long ago:
commit 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17
Date:   Mon Apr 10 06:43:33 2006 +0000

    Merge regex changes from libc, removing some of our
    POSIX-conformance changes that were rejected and redoing them in a
    less-intrusive way.

And recently it was ported back to glibc:
commit eb04c21373e2a2885f3d52ff192b0499afe3c672
Date:   Wed Dec 20 09:47:44 2017 -0200

    posix: Sync gnulib regex implementation

To reproduce (using gnulib's code), try the following:

   git clone git://git.sv.gnu.org/sed.git
   cd sed

This patch adds the old code vs new code with "#ifdef REGEX_FIX"

   patch -p1 < regex-internal-bug.patch
   ./configure --with-included-regex CFLAGS="-O0 -g"
   printf "/\xe1\xbe\xbe\x5c\x00/I" > 1.sed

This will segfault:

 ./sed/sed -f 1.sed < /dev/null

Rebuilding with the old code will not segfault:

 rm lib/regex.o ; make CFLAGS="-DREGEX_FIX"
 ./sed/sed -f 1.sed < /dev/null


Perhaps it is sufficient to just revert these two lines - but I'm
not sure if there will be other side effects.

Comments welcomed,
 - assaf
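Added example, not code from the report or from gnulib/glibc: it evaluates the old and new predicates over the mbrtowc() return conventions and scans the bytes of the 1.sed pattern above to locate where the two tests first disagree. The utf8_mbclen() helper is an assumed stand-in for mbrtowc() in a UTF-8 locale, and the byte-wise scan is a simplification of the real loop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Old test from build_wcs_upper_buffer(): true only for a real byte count. */
static bool old_cond(size_t mbclen) { return (size_t)(mbclen + 2) > 2; }
/* New test: meant to reject (size_t)-1 and (size_t)-2, but it also admits 0. */
static bool new_cond(size_t mbclen) { return mbclen < (size_t)-2; }

/* Assumption: minimal stand-in for mbrtowc() in a UTF-8 locale, same return
   conventions: 0 for NUL, (size_t)-1 invalid, (size_t)-2 truncated, else the
   number of bytes consumed. */
static size_t utf8_mbclen(const unsigned char *p, size_t n)
{
    size_t need;
    if (n == 0) return (size_t)-2;
    if (p[0] == 0) return 0;
    if (p[0] < 0x80) return 1;
    if ((p[0] & 0xE0) == 0xC0) need = 2;
    else if ((p[0] & 0xF0) == 0xE0) need = 3;
    else if ((p[0] & 0xF8) == 0xF0) need = 4;
    else return (size_t)-1;
    if (n < need) return (size_t)-2;
    for (size_t i = 1; i < need; i++)
        if ((p[i] & 0xC0) != 0x80) return (size_t)-1;
    return need;
}

/* Simplified scan over a pattern: return the first offset at which the two
   predicates disagree, or -1 if they agree at every position. */
static long first_divergence(const unsigned char *pat, size_t len)
{
    size_t off = 0;
    while (off < len) {
        size_t mbclen = utf8_mbclen(pat + off, len - off);
        if (old_cond(mbclen) != new_cond(mbclen)) return (long)off;
        off += old_cond(mbclen) ? mbclen : 1;   /* sentinel value: skip 1 byte */
    }
    return -1;
}

int main(void)
{
    /* Constructed input: the bytes of the report's 1.sed pattern without the
       /.../I delimiters, i.e. U+1FBE (3 bytes), a backslash, then NUL. */
    static const unsigned char pat[] = { 0xE1, 0xBE, 0xBE, 0x5C, 0x00 };
    long off = first_divergence(pat, sizeof pat);
    if (off >= 0)
        printf("old/new tests disagree at offset %ld (mbclen == %zu)\n",
               off, utf8_mbclen(pat + off, sizeof pat - (size_t)off));
    return 0;
}
```

Only mbclen == 0 separates the two predicates; the three-byte character and the backslash are classified identically by both, so the NUL at offset 4 is the first byte that takes a different path.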

Attachment: regex-internal-bug.patch
Description: Text Data
