[pcre-dev] [Bug 2484] New: Stack overflow in internal_dfa_ma…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 2484] New: Stack overflow in internal_dfa_match() (pcre2_dfa_match.c)
https://bugs.exim.org/show_bug.cgi?id=2484

            Bug ID: 2484
           Summary: Stack overflow in internal_dfa_match()
                    (pcre2_dfa_match.c)
           Product: PCRE
           Version: 10.34 (PCRE2)
          Hardware: x86
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: clickwithsk@???
                CC: pcre-dev@???


Created attachment 1238
--> https://bugs.exim.org/attachment.cgi?id=1238&action=edit
Crash input file that triggers the bug

The latest versions of PCRE (pcre2-10.34-RC1, pcre2-10.33) are prone to a stack
overflow vulnerability in internal_dfa_match() (pcre2_dfa_match.c) which can be
triggered using a crafted regular expression. When the crafted regular
expression is executed, the function internal_dfa_match() calls itself
recursively with no bound on the recursion depth; the recursion exceeds the
stack size limit (8 MB), resulting in stack exhaustion. An attacker can
potentially exploit this issue to perform remote code execution or a denial of
service attack.

=====================
Output of ASAN compiled library (-fsanitize=address)

Run as: ./pcre2test sbovf-input (attached herewith)
--------------------
ASAN:DEADLYSIGNAL

==17245==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8 (pc
0x5555555afcc7 bp 0x7fffff7ff4b0 sp 0x7fffff7fefe0 T0)
    #0 0x5555555afcc6 in internal_dfa_match src/pcre2_dfa_match.c:2859
    #1 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #2 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #3 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #4 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #5 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #6 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #7 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #8 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #9 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #10 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    ...
    <skipped>
    ...
    #240 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #241 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #242 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #243 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #244 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #245 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #246 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #247 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #248 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #249 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #250 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871


SUMMARY: AddressSanitizer: stack-overflow src/pcre2_dfa_match.c:2859 in
internal_dfa_match
==17245==ABORTING

====================
With gdb
--------------------
$ gdb ./pcre2test

(gdb) r sbovf-input
Program received signal SIGSEGV, Segmentation fault.
0x00005555555aaab4 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eb1 '\200' <repeats 200
times>..., start_offset=start_offset@entry=6522,
offsets=offsets@entry=0x7fffec780030, offsetcount=offsetcount@entry=1000, 
    workspace=0x7fffec781f70, wscount=1000, rlevel=6522, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:533


(gdb) bt 10
#0  0x00005555555aaab4 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eb1 '\200' <repeats 200
times>..., start_offset=start_offset@entry=6522,
offsets=offsets@entry=0x7fffec780030, offsetcount=offsetcount@entry=1000, 
    workspace=0x7fffec781f70, wscount=1000, rlevel=6522, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:533
#1  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eb0 '\200' <repeats 200
times>..., start_offset=start_offset@entry=6521,
offsets=offsets@entry=0x7fffec77d150, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6522, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#2  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eaf '\200' <repeats 200
times>..., start_offset=start_offset@entry=6520,
offsets=offsets@entry=0x7fffec77a270, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6521, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#3  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eae '\200' <repeats 200
times>..., start_offset=start_offset@entry=6519,
offsets=offsets@entry=0x7fffec777390, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6520, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#4  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002ead '\200' <repeats 200
times>..., start_offset=start_offset@entry=6518,
offsets=offsets@entry=0x7fffec7744b0, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6519, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#5  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eac '\200' <repeats 200
times>..., start_offset=start_offset@entry=6517,
offsets=offsets@entry=0x7fffec7715d0, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6518, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#6  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eab '\200' <repeats 200
times>..., start_offset=start_offset@entry=6516,
offsets=offsets@entry=0x7fffec76e6f0, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6517, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#7  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eaa '\200' <repeats 200
times>..., start_offset=start_offset@entry=6515,
offsets=offsets@entry=0x7fffec76b810, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6516, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#8  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002ea9 '\200' <repeats 200
times>..., start_offset=start_offset@entry=6514,
offsets=offsets@entry=0x7fffec768930, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6515, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
#9  0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002ea8 '\200' <repeats 200
times>..., start_offset=start_offset@entry=6513,
offsets=offsets@entry=0x7fffec765a50, offsetcount=offsetcount@entry=1000, 
    workspace=<optimized out>, wscount=166, rlevel=6514, RWS=0x7fffeb8c5800) at
src/pcre2_dfa_match.c:2871
(More stack frames follow...)
(gdb) bt -10
#6516 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x62900000153d ")*    # If comment
found, al", '\200' <repeats 172 times>..., start_offset=start_offset@entry=6,
offsets=offsets@entry=0x6300001a90b0, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=7, RWS=0x6300001a0400) at src/pcre2_dfa_match.c:2871
#6517 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x62900000153c " )*    # If comment
found, al", '\200' <repeats 171 times>..., start_offset=start_offset@entry=5,
offsets=offsets@entry=0x6300001a61d0, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=6, RWS=0x6300001a0400) at src/pcre2_dfa_match.c:2871
#6518 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x62900000153b "* )*    # If comment
found, al", '\200' <repeats 170 times>..., start_offset=start_offset@entry=4,
offsets=offsets@entry=0x6300001a32f0, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=5, RWS=0x6300001a0400) at src/pcre2_dfa_match.c:2871
#6519 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x62900000153a "]* )*    # If comment
found, al", '\200' <repeats 169 times>..., start_offset=start_offset@entry=3,
offsets=offsets@entry=0x6300001a0410, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=4, RWS=0x6300001a0400) at src/pcre2_dfa_match.c:2871
#6520 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000001539 "\t]* )*    # If
comment found, al", '\200' <repeats 168 times>...,
start_offset=start_offset@entry=2, offsets=offsets@entry=0x7fffffff87d0, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=3, RWS=0x6300001a0400) at src/pcre2_dfa_match.c:2871
#6521 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000001538 " \t]* )*    # If
comment found, al", '\200' <repeats 167 times>...,
start_offset=start_offset@entry=1, offsets=offsets@entry=0x7fffffff58f0, 
    offsetcount=offsetcount@entry=1000, workspace=<optimized out>, wscount=166,
rlevel=2, RWS=0x7fffffff58e0) at src/pcre2_dfa_match.c:2871
#6522 0x00005555555b4021 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=<optimized out>, 
    current_subject=current_subject@entry=0x629000001537 "[ \t]* )*    # If
comment found, al", '\200' <repeats 166 times>...,
start_offset=start_offset@entry=0, offsets=offsets@entry=0x612000000090, 
    offsetcount=30, workspace=<optimized out>, wscount=166, rlevel=1,
RWS=0x7fffffff58e0) at src/pcre2_dfa_match.c:2871
#6523 0x00005555555bdb07 in pcre2_dfa_match_8 (code=<optimized out>,
subject=<optimized out>, length=11465, start_offset=<optimized out>, options=0,
match_data=<optimized out>, mcontext=<optimized out>, 
    workspace=<optimized out>, wscount=<optimized out>) at
src/pcre2_dfa_match.c:3885
#6524 0x0000555555576bc2 in process_data () at src/pcre2test.c:7522
#6525 0x000055555557cd62 in main (argc=<optimized out>, argv=<optimized out>)
at src/pcre2test.c:9002


====================
Crash triage:
--------------------

Function: internal_dfa_match() recursively calls itself at
src/pcre2_dfa_match.c:2871, exceeding the stack size limit (8 MB) and thus
resulting in stack exhaustion.

(gdb) list src/pcre2_dfa_match.c:2871
2866            new_recursive.group_num = recno;
2867            new_recursive.subject_position = ptr;
2868            new_recursive.prevrec = mb->recursive;
2869            mb->recursive = &new_recursive;
2870
2871            rc = internal_dfa_match(
2872              mb,                                   /* fixed match data */
2873              callpat,                              /* this subexpression's code */
2874              ptr,                                  /* where we currently are */
2875              (PCRE2_SIZE)(ptr - start_subject),    /* start offset */
2876              local_offsets,                        /* offset vector */
2877              RWS_OVEC_RSIZE/OVEC_UNIT,             /* size of same */
2878              local_workspace,                      /* workspace vector */
2879              RWS_RSIZE,                            /* size of same */
2880              rlevel,                               /* function recursion level */
2881              RWS);                                 /* recursion workspace */
====================
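As an added illustration (not part of the bug report), a small triage helper that applies the reasoning above to an AddressSanitizer stack-overflow report: it parses the frame lines, finds the longest run of consecutive frames at a single call site, and flags the report as unbounded recursion when that run is long enough. The trace it runs over is a constructed excerpt of the ASAN report above; the helper understands the ASAN frame format only, not the gdb backtrace.

```python
import re

# Constructed sample in the shape of the AddressSanitizer report above
# (a few frames stand in for the ~250 identical ones the real report shows).
SAMPLE_TRACE = """\
==17245==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8
    #0 0x5555555afcc6 in internal_dfa_match src/pcre2_dfa_match.c:2859
    #1 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #2 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #3 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    ...
    <skipped>
    #250 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #251 0x5555555bdb07 in pcre2_dfa_match_8 src/pcre2_dfa_match.c:3885
    #252 0x555555576bc2 in process_data src/pcre2test.c:7522
    #253 0x55555557cd62 in main src/pcre2test.c:9002
SUMMARY: AddressSanitizer: stack-overflow src/pcre2_dfa_match.c:2859 in internal_dfa_match
"""

# One ASAN frame line: "#N 0xADDR in FUNC FILE:LINE" (an optional ":COL" may follow).
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+([^\s:]+):(\d+)")

def parse_frames(trace):
    """Return (function, file, line) per frame, innermost first; elision lines are skipped."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(2), m.group(3), int(m.group(4))))
    return frames

def longest_repeated_site(frames):
    """Longest run of consecutive frames at one call site, as (site, run_length)."""
    best_site, best_run, prev, run = None, 0, None, 0
    for site in frames:
        run = run + 1 if site == prev else 1
        prev = site
        if run > best_run:
            best_site, best_run = site, run
    return best_site, best_run

def triage(trace, min_repeats=3):
    """Classify a sanitizer report: unbounded self-recursion vs. some other stack overflow."""
    if "ERROR: AddressSanitizer: stack-overflow" not in trace:
        return {"verdict": "not-a-stack-overflow"}
    frames = parse_frames(trace)
    site, run = longest_repeated_site(frames)
    if run >= min_repeats:
        # The same function and line, frame after frame: recursion with no depth bound.
        return {"verdict": "unbounded-recursion", "function": site[0], "file": site[1],
                "line": site[2], "repeated_frames": run, "frames_seen": len(frames)}
    return {"verdict": "stack-overflow-other", "frames_seen": len(frames)}
```

In a fuzzing pipeline the "unbounded-recursion" verdict, together with the reported call site, is what separates this class of crash from a genuine memory-corruption stack overflow before anyone opens a debugger.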

