[pcre-dev] [Bug 2320] New: Buffer Overflow in PCRE2 jit

Top Page
Delete this message
Author: admin
Date:  
To: pcre-dev
New-Topics: [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit, [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit
Subject: [pcre-dev] [Bug 2320] New: Buffer Overflow in PCRE2 jit
https://bugs.exim.org/show_bug.cgi?id=2320

            Bug ID: 2320
           Summary: Buffer Overflow in PCRE2 jit
           Product: PCRE
           Version: 10.31 (PCRE2)
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: vita500@???
                CC: pcre-dev@???


Created attachment 1124
--> https://bugs.exim.org/attachment.cgi?id=1124&action=edit
Regular expression that causes a buffer overflow in PCRE2 jit.

We have found a buffer overflow issue in PCRE2.
The crash input is automatically generated by our test generation tool FOCAL.
You can find crash.txt in the attachement.

Here are details to reproduce the buffer overflow.
- OS & Compiler
Ubuntu Linux 16.04 x64 and GCC 5.4.0
- Build command
$ LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address" ./configure
--disable-shared --enable-pcre2-16 --enable-pcre2-32 --enable-jit && make clean
all
- Run command 
$ ./pcre2test -32 -jit ./crash.txt
- Outputs
PCRE2 version 10.31 2018-02-12
/p0-9q+Ea-g0-9q+Ea-\X{3,|\X{3,}l
... OMITTED ... 
No match
\n
=================================================================
==990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009200
at pc 0x0000008ccc24 bp 0x7fff6779dc90 sp 0x7fff6779dc80
READ of size 4 at 0x629000009200 thread T0
    #0 0x8ccc23 in do_extuni_no_utf src/pcre2_jit_compile.c:7280
    #1 0x7fc32766a2dc  (<unknown module>)


0x629000009200 is located 0 bytes to the right of 16384-byte region
[0x629000005200,0x629000009200)
allocated by thread T0 here:
    #0 0x7fc3265cf961 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x41fa6e in process_data src/pcre2test.c:6362


SUMMARY: AddressSanitizer: heap-buffer-overflow src/pcre2_jit_compile.c:7280
do_extuni_no_utf
Shadow bytes around the buggy address:
  0x0c527fff91f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==990==ABORTING


--
You are receiving this mail because:
You are on the CC list for the bug.