From: Konstantin Serebryany
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: buffer overflow in regcomp and a way to find more of those
Date: Fri, 20 Mar 2015 18:10:18 -0700
References: <20150320235227.GE16260@port70.net> <20150321002616.GF16260@port70.net> <20150321004637.GQ23507@brightrain.aerifal.cx> <20150321010043.GR23507@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: Rich Felker
Cc: musl@lists.openwall.com
After your fix the fuzzer did not find anything else so far, but it
suffers from slow performance on some cases.
Not sure if this qualifies for a bug, but the following example takes
~2 seconds to run (runs instantly with glibc):

#include <regex.h>

int main(void)
{
    regex_t preg;
    const char *s = ".****\\Z$<\\0)_";
    regmatch_t pmatch[2];
    if (0 == regcomp(&preg, s, 0)) {
        regexec(&preg, s, 0, pmatch, 0);
        regfree(&preg);
    }
    return 0;
}

On Fri, Mar 20, 2015 at 6:05 PM, Konstantin Serebryany wrote:
> On Fri, Mar 20, 2015 at 6:00 PM, Rich Felker wrote:
>> On Fri, Mar 20, 2015 at 05:54:49PM -0700, Konstantin Serebryany wrote:
>>> >> > > the question is how hard it is to do (1) ?
>>> >> > >
>>> >> > > i assume asan is non-trivial to set up for that (or is it
>>> >> > > enough to replace malloc calls? and some startup logic?)
>>> >> >
>>> >> > asan replaces malloc and a few more libc functions.
>>> >> > It works with various different libcs, so there is a good chance that
>>> >> > it will work here with no or minimal changes.
>>> >>
>>> >> ok i'll try it
>>> >
>>> > I would guess it works with no change for static linking, but some
>>> > changes might be needed for dynamic linking. I'm perfectly happy with
>>> > all the fuzzing being done with static linking anyway; I don't think
>>> > dynamic linking would have significant additional code paths whose
>>> > coverage need checking.
>>>
>>> sadly, asan does not support fully static linking.
>>
>> Is this just an oversight or something fundamental that's hard to fix?
>
> Quite fundamental.
> asan needs to be able to intercept certain libc functions and on all
> platforms (linux, android, OSX, Windows, etc) it works only when libc
> itself is dynamically linked.
>
> (Theoretically, it's possible to fix, but it'll be too much work :( )
>
>> The sort of things it wants to do are much less likely to work with
>> dynamic linking. Dynamic-linked musl requires all internal symbol
>> references to be resolved at ld-time and does not support interposing
>> in front of them.
>>
>> Rich
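As an added illustration of the approach discussed in this thread (not code from the thread, from musl or from the ASan project), here is a libFuzzer-style harness for regcomp/regexec that, besides the memory errors ASan catches, also reports inputs that take unusually long, like the pattern above. The build command, the one-second threshold and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Wall-clock budget per input in seconds (assumed value): inputs above it are
   reported as performance findings, alongside what ASan reports on its own. */
#define SLOW_THRESHOLD_SEC 1.0

static double now_sec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Compile `pat` and match it against itself, as the posted reproducer does.
   Returns the regcomp() status; *elapsed receives the wall time in seconds. */
int exercise_regex(const char *pat, double *elapsed) {
    regex_t preg;
    regmatch_t pmatch[2];
    double t0 = now_sec();
    int rc = regcomp(&preg, pat, 0);
    if (rc == 0) {
        regexec(&preg, pat, 2, pmatch, 0);
        regfree(&preg);
    }
    *elapsed = now_sec() - t0;
    return rc;
}

int regex_compiles(const char *pat) { /* 1 if `pat` compiles, 0 otherwise */
    double elapsed;
    return exercise_regex(pat, &elapsed) == 0;
}

/* libFuzzer entry point. The fuzzer's bytes are copied into a NUL-terminated
   buffer so regcomp() never reads past the input; an embedded NUL just truncates
   the pattern. Build: clang -g -fsanitize=fuzzer,address harness.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char *pat = malloc(size + 1);
    if (pat == NULL) return 0;
    memcpy(pat, data, size);
    pat[size] = '\0';
    double elapsed;
    exercise_regex(pat, &elapsed);
    if (elapsed > SLOW_THRESHOLD_SEC)
        fprintf(stderr, "slow input (%.2fs): %s\n", elapsed, pat);
    free(pat);
    return 0;
}
```

Running the binary against musl rather than glibc requires the dynamically linked libc that ASan's interception depends on, as noted above.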