[pcre-dev] [Bug 2138] New: There is a stack-overflow in file…

Author: admin
To: pcre-dev
Subject: [pcre-dev] [Bug 2138] New: There is a stack-overflow in file pcre2_match.c of libpcre2
https://bugs.exim.org/show_bug.cgi?id=2138

            Bug ID: 2138
           Summary: There is a stack-overflow in file pcre2_match.c of
                    libpcre2
           Product: PCRE
           Version: 10.23 (PCRE2)
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: v.owl337@???
                CC: pcre-dev@???


ASAN output is below:

$ ./pcre2test -d POC1

:(\S)+\V??
------------------------------------------------------------------
  0  18 Bra
  3   6 CBra 1
  8     \S
  9   6 KetRmax
 12     \V??
 14     \x{e3}\x07
 18  18 Ket
 21     End
------------------------------------------------------------------
Capturing subpattern count = 1
Starting code units: \x00 \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x0e \x0f 
  \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e 
  \x1f ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C 
  D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h 
  i j k l m n o p q r s t u v w x y z { | } ~ \x7f \x80 \x81 \x82 \x83 \x84 
  \x85 \x86 \x87 \x88 \x89 \x8a \x8b \x8c \x8d \x8e \x8f \x90 \x91 \x92 \x93 
  \x94 \x95 \x96 \x97 \x98 \x99 \x9a \x9b \x9c \x9d \x9e \x9f \xa0 \xa1 \xa2 
  \xa3 \xa4 \xa5 \xa6 \xa7 \xa8 \xa9 \xaa \xab \xac \xad \xae \xaf \xb0 \xb1 
  \xb2 \xb3 \xb4 \xb5 \xb6 \xb7 \xb8 \xb9 \xba \xbb \xbc \xbd \xbe \xbf \xc0 
  \xc1 \xc2 \xc3 \xc4 \xc5 \xc6 \xc7 \xc8 \xc9 \xca \xcb \xcc \xcd \xce \xcf 
  \xd0 \xd1 \xd2 \xd3 \xd4 \xd5 \xd6 \xd7 \xd8 \xd9 \xda \xdb \xdc \xdd \xde 
  \xdf \xe0 \xe1 \xe2 \xe3 \xe4 \xe5 \xe6 \xe7 \xe8 \xe9 \xea \xeb \xec \xed 
  \xee \xef \xf0 \xf1 \xf2 \xf3 \xf4 \xf5 \xf6 \xf7 \xf8 \xf9 \xfa \xfb \xfc 
  \xfd \xfe \xff 
Last code unit = \x07
Subject length lower bound = 3
?+?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?+?++
ASAN:DEADLYSIGNAL
=================================================================
==41479==ERROR: AddressSanitizer: stack-overflow on address 0x7fff31b18e18 (pc
0x7f4c129b3efc bp 0x7fff31b19240 sp 0x7fff31b18e20 T0)
    #0 0x7f4c129b3efb 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0x7aefb)
    #1 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #2 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #3 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #4 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #5 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #6 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #7 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #8 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #9 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #10 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #11 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #12 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #13 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #14 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #15 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #16 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #17 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
    #18 0x7f4c129efd90 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
    #19 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
...
    #251 0x7f4c12a02184 
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)


SUMMARY: AddressSanitizer: stack-overflow
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0x7aefb)
==41479==ABORTING

It is the function match() called at line pcre2_match.c:6992 that causes that
problem. The program doesn't handle the parameter start_match properly and
finally makes the parameter eptr overflow the stack.

575 static int
576 match(PCRE2_SPTR eptr, PCRE2_SPTR ecode, PCRE2_SPTR mstart,
577   PCRE2_SIZE offset_top, match_block *mb, eptrblock *eptrb, uint32_t rdepth)
578 {
     ...
     }


6783 for(;;)
  {
  PCRE2_SPTR new_start_match;
  mb->capture_last = 0;
       {
...
6991   mb->skip_arg_count = 0;
6992   rc = match(start_match, mb->start_code, start_match, 2, mb, NULL, 0);
6993 
6994   if (mb->hitend && start_partial == NULL)
6995     {
6996     start_partial = mb->start_used_ptr;
6997     match_partial = start_match;
6998     }
...
       }


Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@??? and chaoz@??? if you need
more info about the team, the tool or the vulnerability.
