https://bugs.exim.org/show_bug.cgi?id=1898
Bug ID: 1898
Summary: PCRE2 - Invalid memory access
Product: PCRE
Version: 10.22 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: fumfi.255@???
CC: pcre-dev@???
Created attachment 927
-->
https://bugs.exim.org/attachment.cgi?id=927&action=edit
POC to trigger segfault (pcre2test)
PCRE2 library is prone to a vulnerability which leads to invalid memory access.
Affected:
- PCRE2 version 10.23-RC1 2016-08-01 (Revision: 562)
- PCRE2 version 10.22 2016-07-29
- Other applications may also be affected
To reproduce the problem (pcre2test):
pcre2test segfault_1_min /dev/null
ASAN Output:
=================================================================
==18939==ERROR: AddressSanitizer: SEGV on unknown address 0x62900001a36f (pc
0x7f226aefad16 bp 0x7ffecb323940 sp 0x7ffecb3230c8 T0)
==18939==The signal is caused by a READ memory access.
#0 0x7f226aefad15 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8ad15)
#1 0x4252da in __interceptor_strlen
/home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:225:19
#2 0x7f226bd83066 in regexec
/home/kamil/Desktop/Downloads/pcre/src/pcre2posix.c:327:13
#3 0x4ecf17 in process_data
/home/kamil/Desktop/Downloads/pcre/src/pcre2test.c:6091:8
#4 0x4e8318 in main
/home/kamil/Desktop/Downloads/pcre/src/pcre2test.c:7721:12
#5 0x7f226ae9082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x41a828 in _start (/usr/local/bin/pcre2test+0x41a828)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8ad15) in
strlen
==18939==ABORTING
Valgrind Output:
==12232== Memcheck, a memory error detector
==12232== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12232== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12232== Command: pcre2test segfault_1_min /dev/null
==12232==
==12232== Invalid read of size 1
==12232== at 0x4C30F62: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12232== by 0x5085EE7: regexec (pcre2posix.c:327)
==12232== by 0x4069AC: process_data (pcre2test.c:6091)
==12232== by 0x408B98: main (pcre2test.c:7721)
==12232== Address 0x568146f is 69,743 bytes inside an unallocated block of size
4,066,272 in arena "client"
==12232==
==12232==
==12232== HEAP SUMMARY:
==12232== in use at exit: 0 bytes in 0 blocks
==12232== total heap usage: 17 allocs, 17 frees, 126,783 bytes allocated
==12232==
==12232== All heap blocks were freed -- no leaks are possible
==12232==
==12232== For counts of detected and suppressed errors, rerun with: -v
==12232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Regards,
Kamil Frankowicz
--
You are receiving this mail because:
You are on the CC list for the bug.