https://bugs.exim.org/show_bug.cgi?id=2138
Bug ID: 2138
Summary: There is a stack-overflow in file pcre2_match.c of
libpcre2
Product: PCRE
Version: 10.23 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: v.owl337@???
CC: pcre-dev@???
asan output is below:
$ ./pcre2test -d POC1
:(\S)+\V??
------------------------------------------------------------------
0 18 Bra
3 6 CBra 1
8 \S
9 6 KetRmax
12 \V??
14 \x{e3}\x07
18 18 Ket
21 End
------------------------------------------------------------------
Capturing subpattern count = 1
Starting code units: \x00 \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x0e \x0f
\x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e
\x1f ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C
D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h
i j k l m n o p q r s t u v w x y z { | } ~ \x7f \x80 \x81 \x82 \x83 \x84
\x85 \x86 \x87 \x88 \x89 \x8a \x8b \x8c \x8d \x8e \x8f \x90 \x91 \x92 \x93
\x94 \x95 \x96 \x97 \x98 \x99 \x9a \x9b \x9c \x9d \x9e \x9f \xa0 \xa1 \xa2
\xa3 \xa4 \xa5 \xa6 \xa7 \xa8 \xa9 \xaa \xab \xac \xad \xae \xaf \xb0 \xb1
\xb2 \xb3 \xb4 \xb5 \xb6 \xb7 \xb8 \xb9 \xba \xbb \xbc \xbd \xbe \xbf \xc0
\xc1 \xc2 \xc3 \xc4 \xc5 \xc6 \xc7 \xc8 \xc9 \xca \xcb \xcc \xcd \xce \xcf
\xd0 \xd1 \xd2 \xd3 \xd4 \xd5 \xd6 \xd7 \xd8 \xd9 \xda \xdb \xdc \xdd \xde
\xdf \xe0 \xe1 \xe2 \xe3 \xe4 \xe5 \xe6 \xe7 \xe8 \xe9 \xea \xeb \xec \xed
\xee \xef \xf0 \xf1 \xf2 \xf3 \xf4 \xf5 \xf6 \xf7 \xf8 \xf9 \xfa \xfb \xfc
\xfd \xfe \xff
Last code unit = \x07
Subject length lower bound = 3
?+?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?+?++
ASAN:DEADLYSIGNAL
=================================================================
==41479==ERROR: AddressSanitizer: stack-overflow on address 0x7fff31b18e18 (pc
0x7f4c129b3efc bp 0x7fff31b19240 sp 0x7fff31b18e20 T0)
#0 0x7f4c129b3efb
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0x7aefb)
#1 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#2 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#3 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#4 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#5 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#6 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#7 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#8 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#9 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#10 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#11 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#12 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#13 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#14 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#15 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#16 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#17 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
#18 0x7f4c129efd90
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xb6d90)
#19 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
...
#251 0x7f4c12a02184
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0xc9184)
SUMMARY: AddressSanitizer: stack-overflow
(/home/icy/real/pcre2-10.23-asan/install/lib/libpcre2-8.so.0+0x7aefb)
==41479==ABORTING
It is the function match() called by line pcre2_match.c:6992 cause that
problem. The program doesn't
handle the parameter start_match properly and finally make parmenters eptr
stack overflow.
575 static int
576 match(PCRE2_SPTR eptr, PCRE2_SPTR ecode, PCRE2_SPTR mstart,
577 PCRE2_SIZE offset_top, match_block *mb, eptrblock *eptrb, uint32_t
rdepth)
578 {
...
}
6783 for(;;)
{
PCRE2_SPTR new_start_match;
mb->capture_last = 0;
{
...
6991 mb->skip_arg_count = 0;
6992 rc = match(start_match, mb->start_code, start_match, 2, mb, NULL, 0);
6993
6994 if (mb->hitend && start_partial == NULL)
6995 {
6996 start_partial = mb->start_used_ptr;
6997 match_partial = start_match;
6998 }
...
}
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@??? and chaoz@??? if you need
more info about the team, the tool or the vulnerability.
--
You are receiving this mail because:
You are on the CC list for the bug.