From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/7219 Path: news.gmane.org!not-for-mail From: Konstantin Serebryany Newsgroups: gmane.linux.lib.musl.general Subject: buffer overflow in regcomp and a way to find more of those Date: Fri, 20 Mar 2015 13:17:47 -0700 Message-ID: Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Trace: ger.gmane.org 1426882718 18431 80.91.229.3 (20 Mar 2015 20:18:38 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 20 Mar 2015 20:18:38 +0000 (UTC) To: musl@lists.openwall.com, Szabolcs Nagy Original-X-From: musl-return-7232-gllmg-musl=m.gmane.org@lists.openwall.com Fri Mar 20 21:18:31 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YZ3NC-0004t8-AP for gllmg-musl@m.gmane.org; Fri, 20 Mar 2015 21:18:26 +0100 Original-Received: (qmail 26538 invoked by uid 550); 20 Mar 2015 20:18:24 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 26500 invoked from network); 20 Mar 2015 20:18:19 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=USmOibya7ZJwMG92PT80IhtZ9Yed1gR3zB9SDWggvTw=; b=UylaC+in8/QmngSewUyeHaT4mqoTHPBKgs7oA5EjR9uYlCu+znWb1zXmK4gB5NC93v IBxc6Yc2Ft+rxxxoAmbhn8gChCeOl5A6oqmHyT0M2vdC3WFGzBUCYO0QEEZMKW6ZwQP3 ChuNeIz8MLGSOWfduLXA3qAwPjiTjYUOb+DLKyFpp87uiudHqFYd6RabGQsG4PUdOpkV 533am8s77niseIR84u7zCht6UiFg9R547+DzjCoIKBjYgD3QvKMYd7yUEM2rpewTvS8h 0L3OUYvD2IbCCKn9IDhGRXtwEevzvJn6/PUaMcni3LQswnNi/6M+qKKW6dlU8UowrA14 yEUw== X-Received: by 10.52.233.40 with SMTP id tt8mr86821983vdc.77.1426882688143; Fri, 20 Mar 2015 13:18:08 -0700 (PDT) Xref: news.gmane.org gmane.linux.lib.musl.general:7219 Archived-At: Hi, Following the discussion at the glibc mailing list (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html) I've tried to fuzz musl regcomp and the first bug popped up quickly. Please let me know if you would be interested in adding the fuzzer (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup) to the musl testing process. Exact repro steps, just copy-paste (assuming you have fresh clang) =================== =============== tar xf ~/Downloads/musl-1.1.7.tar.gz cd musl-1.1.7 ./configure && make -j cat << EOF > bug1.c #include #include #include "regex.h" int main() { regex_t preg; char a[] = {40, 123, 33, 124, 33, 19, 40, 96, 92, 253, 92, 123, 51, 48, 92, 125, 0}; char *s = strdup(a); if (0 == regcomp(&preg, s, 0)) { regfree(&preg); } free(s); return 0; } EOF clang -g -fsanitize=address ./src/regex/reg*.c src/regex/tre*.c src/locale/__lctrans.c src/internal/libc.c -I include -I src/internal/ -Iarch/x86_64 bug1.c ASAN_OPTIONS=strip_path_prefix=`pwd`/ ./a.out ==33356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef44 at pc 0x0000004d8cb9 bp 0x7fff09d51b10 sp 0x7fff09d51b08 WRITE of size 4 at 0x60200000ef44 thread T0 #0 0x4d8cb8 in tre_copy_ast src/regex/regcomp.c:1697:27 #1 0x4cc332 in tre_expand_ast src/regex/regcomp.c:1884:16 #2 0x4c4de2 in regcomp src/regex/regcomp.c:2739:13 #3 0x4e9e06 in main bug1.c:9:12 #4 0x7f49f1086ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 #5 0x416d45 in _start (a.out+0x416d45) 0x60200000ef44 is located 8 bytes to the right of 12-byte region [0x60200000ef30,0x60200000ef3c) allocated by thread T0 here: #0 0x4a20a4 in calloc /usr/local/google/home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56:3 #1 0x4c4bd9 in regcomp src/regex/regcomp.c:2721:28 #2 0x4e9e06 in main bug1.c:9:12