[pcre-dev] [Bug 2483] New: Out-of-bounds memory read in int…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 2483] New: Out-of-bounds memory read in internal_dfa_match() (internal_dfa_match.c)
https://bugs.exim.org/show_bug.cgi?id=2483

            Bug ID: 2483
           Summary: Out-of-bounds memory read in internal_dfa_match()
                    (internal_dfa_match.c)
           Product: PCRE
           Version: 10.34 (PCRE2)
          Hardware: x86-64
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: clickwithsk@???
                CC: pcre-dev@???


The lack of a boundary check in internal_dfa_match() (internal_dfa_match.c)
allows an out-of-bounds memory read via a crafted regular expression, causing a
memory access violation and subsequently resulting in a crash. This bug was
found using our custom guided fuzzer.

====================
Output of ASAN compiled library (-fsanitize=address)
Run as: ./pcre2test crash_file (attached herewith)
---------------------
==24121==ERROR: AddressSanitizer: SEGV on unknown address 0x555555679700 (pc
0x5555555adb94 bp 0x7fffffff55b0 sp 0x7fffffff50e0 T0)
==24121==The signal is caused by a READ memory access.
    #0 0x5555555adb93 in internal_dfa_match src/pcre2_dfa_match.c:1171
    #1 0x5555555bdb06 in pcre2_dfa_match_8 src/pcre2_dfa_match.c:3885
    #2 0x555555576bc1 in process_data src/pcre2test.c:7522
    #3 0x55555557cd61 in main src/pcre2test.c:9004
    #4 0x7ffff681db96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55555557dbf9 in _start
(pcre-gcc/pcre2test-addrsan-fno-omit-gdwarf-g3+0x29bf9)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/pcre2_dfa_match.c:1171 in
internal_dfa_match
==24121==ABORTING

=====================
valgrind output:
    valgrind -v --leak-check=full ./pcre2test crash_file (attached herewith)
--------------------
==2613== Invalid read of size 2
==2613==    at 0x1290BB: internal_dfa_match (in pcre-gcc/pcre2test)
==2613==    by 0x12D4DE: pcre2_dfa_match_8 (in pcre-gcc/pcre2test)
==2613==    by 0x111BEF: process_data (in pcre-gcc/pcre2test)
==2613==    by 0x115703: main (in pcre-gcc/pcre2test)
==2613==  Address 0x19c840 is not stack'd, malloc'd or (recently) free'd
==2613==
==2613==
==2613== Process terminating with default action of signal 11 (SIGSEGV)
==2613==  Access not within mapped region at address 0x19C840
==2613==    at 0x1290BB: internal_dfa_match (in pcre-gcc/pcre2test)
==2613==    by 0x12D4DE: pcre2_dfa_match_8 (in pcre-gcc/pcre2test)
==2613==    by 0x111BEF: process_data (in pcre-gcc/pcre2test)
==2613==    by 0x115703: main (in pcre-gcc/pcre2test)
==2613==  If you believe this happened as a result of a stack
==2613==  overflow in your program's main thread (unlikely but
==2613==  possible), you can try to increase the size of the
==2613==  main thread stack using the --main-stacksize= flag.
==2613==  The main thread stack size used in this run was 8388608.
==2613==
==2613== HEAP SUMMARY:
==2613==     in use at exit: 121,852 bytes in 15 blocks
==2613==   total heap usage: 23 allocs, 8 frees, 127,864 bytes allocated
==2613==
==2613== Searching for pointers to 15 not-freed blocks
==2613== Checked 76,408 bytes
==2613==
==2613== LEAK SUMMARY:
==2613==    definitely lost: 0 bytes in 0 blocks
==2613==    indirectly lost: 0 bytes in 0 blocks
==2613==      possibly lost: 0 bytes in 0 blocks
==2613==    still reachable: 121,852 bytes in 15 blocks
==2613==         suppressed: 0 bytes in 0 blocks
==2613== Rerun with --leak-check=full to see details of leaked memory
==2613==
==2613== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==2613==
==2613== 1 errors in context 1 of 1:
==2613== Invalid read of size 2
==2613==    at 0x1290BB: internal_dfa_match (in pcre-gcc/pcre2test)
==2613==    by 0x12D4DE: pcre2_dfa_match_8 (in pcre-gcc/pcre2test)
==2613==    by 0x111BEF: process_data (in pcre-gcc/pcre2test)
==2613==    by 0x115703: main (in pcre-gcc/pcre2test)
==2613==  Address 0x19c840 is not stack'd, malloc'd or (recently) free'd
==2613==
==2613== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)



====================
Crash triage:
--------------------
Function: internal_dfa_match()

const ucd_record * prop = GET_UCD(c);       //c = 13697024


which expands to:
const ucd_record * prop = (_pcre2_ucd_records_8 +
    _pcre2_ucd_stage2_8[_pcre2_ucd_stage1_8[(int)(c) / 128] * 128 + (int)(c) % 128]);

Error while accessing _pcre2_ucd_stage1_8[(int)(c) / 128]:
"Cannot access memory at address 0x555555679700"
====================
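An added example (not part of this report or of PCRE2) modelling the two-stage lookup from the triage above with the index check that the crash lacks. The 128-code-point block size comes from the macro expansion; that the real stage1 table covers exactly 0..0x10FFFF, and the miniature tables and record layout, are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Two-stage lookup shaped like the GET_UCD expansion in the report:
 * stage1[c / 128] picks a block, stage2[block * 128 + c % 128] picks a record.
 * Block size 128 is from the report; full coverage 0..0x10FFFF is ASSUMED. */
#define UCD_BLOCK_SIZE 128u
#define UNICODE_MAX    0x10FFFFu
#define STAGE1_SIZE    ((UNICODE_MAX + 1) / UCD_BLOCK_SIZE)   /* 8704 blocks */
#define CRASHING_C     13697024u   /* the c value from the report's triage */

typedef struct { uint16_t script; uint16_t chartype; } ucd_record; /* simplified */
typedef struct {
    const uint8_t    *stage1;  size_t stage1_len;
    const uint16_t   *stage2;  size_t stage2_len;
    const ucd_record *records; size_t records_len;
} ucd_tables;

/* Index the unchecked macro computes for c; in range only when c <= UNICODE_MAX. */
uint32_t ucd_stage1_index(uint32_t c) { return c / UCD_BLOCK_SIZE; }
int ucd_index_in_range(uint32_t c) { return ucd_stage1_index(c) < STAGE1_SIZE; }

/* Bounds-checked form of the expansion: every index is validated against the
 * length of the table it addresses before being dereferenced. */
const ucd_record *safe_get_ucd(const ucd_tables *t, uint32_t c)
{
    uint32_t i1 = c / UCD_BLOCK_SIZE;
    if (i1 >= t->stage1_len) return NULL;          /* the check the crash lacks */
    size_t i2 = (size_t)t->stage1[i1] * UCD_BLOCK_SIZE + c % UCD_BLOCK_SIZE;
    if (i2 >= t->stage2_len) return NULL;
    uint16_t r = t->stage2[i2];
    if (r >= t->records_len) return NULL;
    return &t->records[r];
}

/* Constructed miniature tables: two blocks (code points 0..255), three records. */
static const uint8_t    demo_stage1[2]   = { 0, 1 };
static const uint16_t   demo_stage2[256] = { [65] = 1, [133] = 2 }; /* 'A', U+0085 */
static const ucd_record demo_records[3]  = { {0, 0}, {1, 1}, {2, 2} };
const ucd_tables demo_tables = { demo_stage1, 2, demo_stage2, 256, demo_records, 3 };

int main(void)
{
    printf("c=%u: stage1 index %u, table has %u entries, safe lookup %s\n",
           (unsigned)CRASHING_C, (unsigned)ucd_stage1_index(CRASHING_C),
           (unsigned)STAGE1_SIZE, safe_get_ucd(&demo_tables, CRASHING_C) ? "found" : "rejected");
    return 0;
}
```

For the reported value the stage1 index is 107008, far past the 8704 entries an 0..0x10FFFF table has, which is why the unchecked read lands outside the mapped data segment.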

--
You are receiving this mail because:
You are on the CC list for the bug.