https://bugs.exim.org/show_bug.cgi?id=1672
Bug ID: 1672
Summary: PCRE Library Heap Overflow in compile_regex()
Product: PCRE
Version: 8.37
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: rubymail@???
CC: pcre-dev@???
I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities of the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP.
The PCRE library is prone to a vulnerability that leads to a heap overflow. During
the compilation of a malformed regular expression, more data is written to the
malloc'ed block than the expected size computed by compile_regex. Exploits using
advanced heap feng shui techniques may allow an attacker to execute arbitrary
code in the context of the user running the affected application.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a heap overflow vulnerability, which can
be triggered by the following regular expression.
/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
A dry run of this regular expression with pcretest reports
"double free or corruption (!prev)", but the underlying problem is actually a
heap overflow.
It is similar to the problem discussed in
https://bugs.exim.org/show_bug.cgi?id=1667
The following test was conducted with an svn-updated version of PCRE.
Here is the memory layout of re (its size is 248 bytes) just before the second
compile_regex():
==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00
0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00
0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00
0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x00 0x00 0x00 0x00
0x1f8a8f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a900: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a908: 0xc0 0x91 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a910: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x1f8a918: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a920: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a928: 0x80 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a930: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a938: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a940: 0x90 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a948: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a950: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a958: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a960: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x1f8a968: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a970: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a978: 0xa0 0x76 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a980: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a988: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a990: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00]
0x1f8a998: 0x41 0x01 0x00 0x00 0x00 0x00 0x00 0x00
==============================================================
After the second compile_regex():
==============================================================
(gdb) x/192b 0x1f8a8a0
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00
0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00
0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00
0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x83 0x00 0xa6 0x83
0x1f8a8f8: 0x00 0xa0 0x83 0x00 0x8d 0x81 0x00 0x87
0x1f8a900: 0x85 0x00 0x81 0x00 0x01 0x1d 0x3a 0x83
0x1f8a908: 0x00 0x56 0x85 0x00 0x05 0x00 0x02 0x78
0x1f8a910: 0x00 0x05 0x81 0x00 0x48 0x85 0x00 0x42
0x1f8a918: 0x00 0x03 0x18 0x83 0x00 0x1e 0x85 0x00
0x1f8a920: 0x05 0x00 0x04 0x78 0x00 0x05 0x81 0x00
0x1f8a928: 0x10 0x85 0x00 0x0a 0x00 0x05 0x73 0x00
0x1f8a930: 0x00 0x00 0x05 0x78 0x00 0x0a 0x78 0x00
0x1f8a938: 0x10 0x77 0x00 0x13 0x85 0x00 0x0d 0x00
0x1f8a940: 0x04 0x85 0x00 0x05 0x00 0x05 0x78 0x00
0x1f8a948: 0x05 0x78 0x00 0x0d 0x78 0x00 0x31 0x1d
0x1f8a950: 0x6b 0x1d 0x27 0x1d 0x52 0x1d 0x27 0x78
0x1f8a958: 0x00 0x42 0x78 0x00 0x48 0x77 0x00 0x13
0x1f8a960: 0x85 0x00 0x0d 0x00 0x02 0x85 0x00 0x05
0x1f8a968: 0x00 0x03 0x78 0x00 0x05 0x78 0x00 0x0d
0x1f8a970: 0x78 0x00 0x69 0x1d 0x48 0x1d 0x27 0x1d
0x1f8a978: 0x41 0x1d 0x6b 0x1d 0x27 0x1d 0x52 0x1d
0x1f8a980: 0x66 0x78 0x00 0x81 0x78 0x00 0x87 0x77
0x1f8a988: 0x00 0x0d 0x1d 0x73 0x85 0x00 0x05 0x00
0x1f8a990: 0x01 0x78 0x00 0x05 0x78 0x00 0x9a 0x78]
0x1f8a998: 0x00 0xa0 0x78 0x00 0xa6 0x00 0x00 0x00
==============================================================
At least 5 more bytes are written to the heap beyond the end of the block.
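The "at least 5 bytes" figure can be reproduced mechanically by diffing the two gdb dumps above. The following script is an added example and is not part of the bug report or of PCRE; the two dumps are copied from the report (packed two gdb rows per line), the 248-byte block size is the one the report states, and the function names, the tokenizer and the interpretation of the 8 bytes that follow the user region as a glibc malloc chunk-size field (x86-64 layout) are this example's own assumptions.

```python
"""Diff two gdb ``x/Nb`` dumps of one allocation to measure a heap overrun.
Added example, not from the bug report: the dumps are copied from the report,
everything else (helper names, glibc header reading) is constructed here."""

BLOCK_SIZE = 248  # size of the ``re`` block as stated in the report

# Dump taken just before the second compile_regex() (copied from the report;
# the reporter's [ ] markers delimit the 248-byte block and are ignored).
BEFORE = """\
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00 0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00 0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00 0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00 0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x00 0x00 0x00 0x00 0x1f8a8f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a900: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x1f8a908: 0xc0 0x91 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a910: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x1f8a918: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a920: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x1f8a928: 0x80 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a930: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x1f8a938: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a940: 0x90 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00 0x1f8a948: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a950: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x1f8a958: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a960: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x1f8a968: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a970: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x1f8a978: 0xa0 0x76 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a980: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x1f8a988: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a990: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00] 0x1f8a998: 0x41 0x01 0x00 0x00 0x00 0x00 0x00 0x00
"""

# Dump taken after the second compile_regex() (copied from the report).
AFTER = """\
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00 0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00 0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00 0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00 0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x83 0x00 0xa6 0x83 0x1f8a8f8: 0x00 0xa0 0x83 0x00 0x8d 0x81 0x00 0x87
0x1f8a900: 0x85 0x00 0x81 0x00 0x01 0x1d 0x3a 0x83 0x1f8a908: 0x00 0x56 0x85 0x00 0x05 0x00 0x02 0x78
0x1f8a910: 0x00 0x05 0x81 0x00 0x48 0x85 0x00 0x42 0x1f8a918: 0x00 0x03 0x18 0x83 0x00 0x1e 0x85 0x00
0x1f8a920: 0x05 0x00 0x04 0x78 0x00 0x05 0x81 0x00 0x1f8a928: 0x10 0x85 0x00 0x0a 0x00 0x05 0x73 0x00
0x1f8a930: 0x00 0x00 0x05 0x78 0x00 0x0a 0x78 0x00 0x1f8a938: 0x10 0x77 0x00 0x13 0x85 0x00 0x0d 0x00
0x1f8a940: 0x04 0x85 0x00 0x05 0x00 0x05 0x78 0x00 0x1f8a948: 0x05 0x78 0x00 0x0d 0x78 0x00 0x31 0x1d
0x1f8a950: 0x6b 0x1d 0x27 0x1d 0x52 0x1d 0x27 0x78 0x1f8a958: 0x00 0x42 0x78 0x00 0x48 0x77 0x00 0x13
0x1f8a960: 0x85 0x00 0x0d 0x00 0x02 0x85 0x00 0x05 0x1f8a968: 0x00 0x03 0x78 0x00 0x05 0x78 0x00 0x0d
0x1f8a970: 0x78 0x00 0x69 0x1d 0x48 0x1d 0x27 0x1d 0x1f8a978: 0x41 0x1d 0x6b 0x1d 0x27 0x1d 0x52 0x1d
0x1f8a980: 0x66 0x78 0x00 0x81 0x78 0x00 0x87 0x77 0x1f8a988: 0x00 0x0d 0x1d 0x73 0x85 0x00 0x05 0x00
0x1f8a990: 0x01 0x78 0x00 0x05 0x78 0x00 0x9a 0x78] 0x1f8a998: 0x00 0xa0 0x78 0x00 0xa6 0x00 0x00 0x00
"""


def parse_dump(text):
    """Tokenize gdb ``x/Nb`` output into (base address, bytes).

    Tokens ending in ':' are row addresses (checked for contiguity); every
    other token is a byte. Bracket markers added by a human are dropped.
    """
    base, out = None, bytearray()
    for tok in text.replace("[", " ").replace("]", " ").split():
        if tok.endswith(":"):
            addr = int(tok[:-1], 16)
            base = addr if base is None else base
            if addr != base + len(out):
                raise ValueError("non-contiguous dump at %#x" % addr)
        else:
            out.append(int(tok, 16))
    return base, bytes(out)


def overrun_extent(before, after, block_size):
    """Return (offsets past block_size that changed, overrun extent in bytes).

    The extent runs from the block end through the last changed byte, so a
    byte the overflow rewrote with the same value (0x00 over 0x00) still counts.
    """
    (base_b, b), (base_a, a) = parse_dump(before), parse_dump(after)
    if base_b != base_a or len(a) != len(b):
        raise ValueError("dumps do not cover the same region")
    changed = [i for i in range(block_size, len(a)) if a[i] != b[i]]
    return changed, (changed[-1] - block_size + 1) if changed else 0


def next_chunk_header(dump, block_size):
    """Read the 8 bytes after the user region as a glibc malloc size field
    (assumed x86-64 layout); returns (chunk size, PREV_INUSE bit)."""
    raw = int.from_bytes(parse_dump(dump)[1][block_size:block_size + 8], "little")
    return raw & ~0x7, raw & 0x1


if __name__ == "__main__":
    changed, extent = overrun_extent(BEFORE, AFTER, BLOCK_SIZE)
    print("changed offsets past the block:", changed, "-> overrun extent:", extent)
    print("next chunk header before:", next_chunk_header(BEFORE, BLOCK_SIZE))
    print("next chunk header after: ", next_chunk_header(AFTER, BLOCK_SIZE))
```

Run as-is, the script reports offsets 248, 249, 250 and 252 as changed and an overrun extent of 5 bytes, matching the report. Under the glibc-layout assumption, the bytes at offset 248 decode before the overflow to a 0x140-byte chunk with PREV_INUSE set, and afterwards to a garbage size with the bit cleared; that is the kind of clobbered chunk header that makes glibc abort with a "double free or corruption" message instead of reporting the overflow itself, which is why a sanitizer or guarded allocator is a more reliable detector for this class of bug than the allocator's own consistency checks.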
------------------------------------------------------------------
III. Impact
Heap Overflow
------------------------------------------------------------------
IV. Affected
The latest version of PCRE is confirmed to be vulnerable.
PCRE2 is not affected.
Other applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.