From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/7222 Path: news.gmane.org!not-for-mail From: Szabolcs Nagy Newsgroups: gmane.linux.lib.musl.general Subject: Re: buffer overflow in regcomp and a way to find more of those Date: Fri, 20 Mar 2015 22:28:03 +0100 Message-ID: <20150320212803.GC16260@port70.net> References: Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1426886910 21939 80.91.229.3 (20 Mar 2015 21:28:30 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 20 Mar 2015 21:28:30 +0000 (UTC) Cc: Szabolcs Nagy To: musl@lists.openwall.com Original-X-From: musl-return-7235-gllmg-musl=m.gmane.org@lists.openwall.com Fri Mar 20 22:28:26 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YZ4Sn-0001Mu-F7 for gllmg-musl@m.gmane.org; Fri, 20 Mar 2015 22:28:17 +0100 Original-Received: (qmail 27857 invoked by uid 550); 20 Mar 2015 21:28:15 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 27836 invoked from network); 20 Mar 2015 21:28:15 -0000 Mail-Followup-To: musl@lists.openwall.com, Szabolcs Nagy Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Xref: news.gmane.org gmane.linux.lib.musl.general:7222 Archived-At: * Konstantin Serebryany [2015-03-20 13:17:47 -0700]: > Following the discussion at the glibc mailing list > (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html) > I've tried to fuzz musl regcomp and the first bug popped up quickly. > Please let me know if you would be interested in adding the fuzzer > (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup) > to the musl testing process. thanks for doing this i think i already know what's the bug is (of course it's in an underspecified extension where applications expect conflicting behaviour... but the segfault is my bug) > Exact repro steps, just copy-paste (assuming you have fresh clang) > =================== =============== > tar xf ~/Downloads/musl-1.1.7.tar.gz > cd musl-1.1.7 > ./configure && make -j > cat << EOF > bug1.c > #include > #include > #include "regex.h" > > int main() { > regex_t preg; > char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51, > 48, 92, 125, 0}; > char *s = strdup(a); > if (0 == regcomp(&preg, s, 0)) { > regfree(&preg); > } > free(s); > return 0; > } > EOF > clang -g -fsanitize=address ./src/regex/reg*.c src/regex/tre*.c > src/locale/__lctrans.c src/internal/libc.c -I include -I src/internal/ > -Iarch/x86_64 bug1.c > ASAN_OPTIONS=strip_path_prefix=`pwd`/ ./a.out > looks simple i'll set up some glibc based virtual machine to be able to play with it thanks again > ==33356==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x60200000ef44 at pc 0x0000004d8cb9 bp 0x7fff09d51b10 sp > 0x7fff09d51b08 > WRITE of size 4 at 0x60200000ef44 thread T0 > #0 0x4d8cb8 in tre_copy_ast src/regex/regcomp.c:1697:27 > #1 0x4cc332 in tre_expand_ast src/regex/regcomp.c:1884:16 > #2 0x4c4de2 in regcomp src/regex/regcomp.c:2739:13 > #3 0x4e9e06 in main bug1.c:9:12 > #4 0x7f49f1086ec4 in __libc_start_main > /build/buildd/eglibc-2.19/csu/libc-start.c:287 > #5 0x416d45 in _start (a.out+0x416d45) > > 0x60200000ef44 is located 8 bytes to the right of 12-byte region > [0x60200000ef30,0x60200000ef3c) > allocated by thread T0 here: > #0 0x4a20a4 in calloc > /usr/local/google/home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56:3 > #1 0x4c4bd9 in regcomp src/regex/regcomp.c:2721:28 > #2 0x4e9e06 in main bug1.c:9:12