[pcre-dev] [Bug 1889] PCRE2 Stack Buffer Overflow Vulnerabil…

Author: admin
Date:  
To: pcre-dev
Old-Topics: [pcre-dev] [Bug 1889] New: PCRE2 Heap Overflow Vulnerability
Subject: [pcre-dev] [Bug 1889] PCRE2 Stack Buffer Overflow Vulnerability
https://bugs.exim.org/show_bug.cgi?id=1889

Kamil Frankowicz <fumfi.255@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|PCRE2 Heap Overflow         |PCRE2 Stack Buffer Overflow
                   |Vulnerability               |Vulnerability


--- Comment #4 from Kamil Frankowicz <fumfi.255@???> ---
FYI, my fault - it was a stack buffer overflow.

ASAN output:

==19226==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc935e5fa6 at pc 0x0000004a1da4 bp 0x7ffc935e5e90 sp 0x7ffc935e5640
WRITE of size 7 at 0x7ffc935e5fa6 thread T0
    #0 0x4a1da3 in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x7f8dbbadc514 in compile_branch XYZ/pcre2_compile.c:5211:9
    #2 0x7f8dbbad125b in compile_regex XYZ/pcre2_compile.c:7687:8
    #3 0x7f8dbbac9ccb in pcre2_compile_8 XYZ/pcre2_compile.c:8657:7
    #4 0x4f0e2c in process_pattern XYZ/pcre2test.c:4949:1
    #5 0x4e8333 in main XYZ/pcre2test.c:7607:10
    #6 0x7f8dba9c782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41a828 in _start (/usr/local/bin/pcre2test+0x41a828)


Address 0x7ffc935e5fa6 is located in stack of thread T0 at offset 262 in frame
    #0 0x7f8dbbad6a6f in compile_branch XYZ/pcre2_compile.c:3861


  This frame has 28 object(s):
    [32, 36) 'repeat_min'
    [48, 52) 'repeat_max'
    [64, 72) 'length_prevgroup'
    [96, 104) 'tempcode'
    [128, 136) 'ptr'
    [160, 168) 'tempptr'
    [192, 224) 'classbits'
    [256, 262) 'utf_units' <== Memory access at offset 262 overflows this variable
    [288, 296) 'class_uchardata'
    [320, 324) 'ec'
    [336, 340) 'subreqcu'
    [352, 356) 'subfirstcu'
    [368, 372) 'subreqcuflags'
    [384, 388) 'subfirstcuflags'
    [400, 408) 'mcbuffer'
    [432, 464) 'pbits'
    [496, 500) 'negated'
    [512, 516) 'ptype664'
    [528, 532) 'pdata'
    [544, 548) 'd'
    [560, 564) 'count'
    [576, 584) 'arg'
    [608, 616) 'memcode'
    [640, 644) 'set'
    [656, 660) 'unset'
    [672, 676) 'negated3050'
    [688, 692) 'ptype3051'
    [704, 708) 'pdata3052'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x1000126b4ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bd0: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f2 00 f2 f2 f2
  0x1000126b4be0: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
=>0x1000126b4bf0: f2 f2 f2 f2[06]f2 f2 f2 00 f2 f2 f2 04 f2 04 f2
  0x1000126b4c00: 04 f2 04 f2 04 f2 00 f2 f2 f2 00 00 00 00 f2 f2
  0x1000126b4c10: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 f2 f2 f2
  0x1000126b4c20: 00 f2 f2 f2 04 f2 04 f2 04 f2 04 f2 04 f3 f3 f3
  0x1000126b4c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


--
You are receiving this mail because:
You are on the CC list for the bug.
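Added example (not part of the bug report, and not PCRE2 code): a small triage script that parses the kind of AddressSanitizer stack-buffer-overflow report quoted in the comment above. It pulls out the access kind and size, the frame offset of the first poisoned byte, the enclosing frame function and the frame's object table, then works out which object the access overruns, by how many bytes the access exceeds that object, and how wide the redzone after it is. The sample input is a trimmed excerpt of the report in this comment (only four of the 28 frame objects are kept); the regexes are written against the ASAN text format as it appears here and are an assumption about other compiler-rt versions.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the ASAN report from this comment.
SAMPLE_REPORT = """\
==19226==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc935e5fa6 at pc 0x0000004a1da4 bp 0x7ffc935e5e90 sp 0x7ffc935e5640
WRITE of size 7 at 0x7ffc935e5fa6 thread T0
    #0 0x4a1da3 in __asan_memcpy
    #1 0x7f8dbbadc514 in compile_branch XYZ/pcre2_compile.c:5211:9
    #2 0x7f8dbbad125b in compile_regex XYZ/pcre2_compile.c:7687:8

Address 0x7ffc935e5fa6 is located in stack of thread T0 at offset 262 in frame
    #0 0x7f8dbbad6a6f in compile_branch XYZ/pcre2_compile.c:3861

  This frame has 28 object(s):
    [192, 224) 'classbits'
    [256, 262) 'utf_units' <== Memory access at offset 262 overflows this variable
    [288, 296) 'class_uchardata'
    [320, 324) 'ec'
"""

# Line shapes as they appear in the report above (assumed stable across ASAN versions).
FRAME_OBJECT_RE = re.compile(r"^[ \t]*\[(\d+),\s*(\d+)\)\s+'([^']+)'", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame\s+#0 0x[0-9a-fA-F]+ in (\S+)")


@dataclass
class FrameObject:
    start: int
    end: int  # exclusive, so size == end - start
    name: str

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class Triage:
    access: str          # READ or WRITE
    access_size: int     # full size of the intercepted access (e.g. the memcpy length)
    offset: int          # frame offset of the first poisoned byte
    frame_func: str
    victim: Optional[FrameObject]    # object the access runs past
    next_obj: Optional[FrameObject]  # first object above the victim

    @property
    def excess_bytes(self) -> int:
        """How much larger the access is than the victim, i.e. the minimum overrun
        if the access started at the object's first byte (the memcpy case)."""
        return 0 if self.victim is None else max(self.access_size - self.victim.size, 0)

    @property
    def redzone_bytes(self) -> int:
        """Gap ASAN left between the victim and the next object; in a build without
        ASAN this gap does not exist, so the overrun lands on whatever is adjacent."""
        if self.victim is None or self.next_obj is None:
            return 0
        return self.next_obj.start - self.victim.end


def parse_frame_objects(report: str) -> List[FrameObject]:
    """Return the frame's object table in the order ASAN printed it."""
    return [FrameObject(int(s), int(e), n) for s, e, n in FRAME_OBJECT_RE.findall(report)]


def triage(report: str) -> Triage:
    acc = ACCESS_RE.search(report)
    off = OFFSET_RE.search(report)
    if acc is None or off is None:
        raise ValueError("not a stack-buffer-overflow report with a frame offset")
    access, size = acc.group(1), int(acc.group(2))
    offset, func = int(off.group(1)), off.group(2)
    objs = sorted(parse_frame_objects(report), key=lambda o: o.start)
    # ASAN reports the first poisoned byte, so the overrun object is the last
    # one whose end is at or before that offset; the next one starts after it.
    victim = next_obj = None
    for o in objs:
        if o.end <= offset:
            victim = o
        elif next_obj is None:
            next_obj = o
    return Triage(access, size, offset, func, victim, next_obj)


def summarize(t: Triage) -> str:
    head = f"{t.access} of {t.access_size} bytes at frame offset {t.offset} in {t.frame_func}"
    if t.victim is None:
        return head + ": no object ends before this offset (possible underflow)"
    lines = [
        head,
        f"overruns '{t.victim.name}' [{t.victim.start}, {t.victim.end}) ({t.victim.size} bytes)",
        f"access is {t.excess_bytes} byte(s) larger than that object",
    ]
    if t.next_obj is not None:
        lines.append(
            f"lands in the {t.redzone_bytes}-byte redzone before '{t.next_obj.name}' "
            f"[{t.next_obj.start}, {t.next_obj.end})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

For the report above this gives: a 7-byte write overrunning the 6-byte 'utf_units' by 1 byte, landing in the 26-byte redzone before 'class_uchardata'. That one-byte excess is the figure to carry into the fix and the regression test; the redzone width is ASAN's, not the production layout, so in a release build the same write hits an adjacent stack slot.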