[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: regex_internal: uninitialized memory access (long)
From: |
Assaf Gordon |
Subject: |
Re: regex_internal: uninitialized memory access (long) |
Date: |
Fri, 24 Aug 2018 17:59:03 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 |
Hello,
On 13/08/18 03:51 PM, Assaf Gordon wrote:
I suspect there is an uninitialized memory access deep inside
regex_internal.c under very particular circumstances.
(continuation of https://lists.gnu.org/r/bug-gnulib/2018-08/msg00071.html )
I've pin-pointed the change that causes the segfault,
and this likely also affect glibc.
1. The input regex contains multibyte character with
different uppper/lower case representation.
2. The input regex also contains a NUL character.
3. In regex_internal.c function build_wcs_upper_buffer(),
the code was changed like so:
- if (BE ((size_t) (mbclen + 2) > 2, 1))
+ if (BE (mbclen < (size_t) -2, 1))
And this changed code subtly treats case of "mbclen==0"
differently, which eventually leads to incorrect code flow,
and then to a crash.
In gnulib, this was changed long ago:
===
https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=8335a4d6
commit 8335a4d6c7b4448cd0bcb6d0bebf1d456bcfdb17
Date: Mon Apr 10 06:43:33 2006 +0000
Merge regex changes from libc, removing some of our
POSIX-conformance changes that were rejected and redoing them in a
less-intrusive way.
===
And recently it was ported back to glibc:
===
https://sourceware.org/git/?p=glibc.git;a=commit;h=eb04c213
commit eb04c21373e2a2885f3d52ff192b0499afe3c672
Date: Wed Dec 20 09:47:44 2017 -0200
posix: Sync gnulib regex implementation
===
To reproduce (using gnulib's code), try the following:
git clone git://git.sv.gnu.org/sed.git
cd sed
./bootstrap
This patch adds the old code vs new code with "#ifdef REGEX_FIX"
patch -p1 < regex-internal-bug.patch
./configure --with-included-regex CFLAGS="-O0 -g"
make
printf "/\xe1\xbe\xbe\x5c\x00/I" > 1.sed
This will segfault:
./sed/sed -f 1.sed < /dev/null
Rebuild with the old code, will not segfault
rm lib/regex.o ; make CFLAGS="-DREGEX_FIX"
./sed/sed -f 1.sed < /dev/null
====
Perhaps it is sufficient to just revert these two lines - but I'm
not sure if there will be other side effects.
Comments welcomed,
- assaf
regex-internal-bug.patch
Description: Text Data