[pcre-dev] [Bug 2661] New: Use of uninitialized-value from …

Pàgina inicial
Delete this message
Autor: admin
Data:  
A: pcre-dev
Assumpte: [pcre-dev] [Bug 2661] New: Use of uninitialized-value from pcre_compile2
https://bugs.exim.org/show_bug.cgi?id=2661

            Bug ID: 2661
           Summary: Use of uninitialized-value from pcre_compile2
           Product: PCRE
           Version: 8.44
          Hardware: x86
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: Philip.Hazel@???
          Reporter: p.antoine@???
                CC: pcre-dev@???


Found by fuzzing Suricata on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26226

Reproducer is program

```
#include <pcre.h>

int main(int argc, char *argv[]) {
    int ec;
    const char *eb;
    int eo;


    pcre *p = pcre_compile2(argv[1], PCRE_NO_AUTO_CAPTURE | PCRE_CASELESS, &ec,
&eb, &eo, NULL);
    return 0;
}
```


compiled so
`clang++ -fsanitize=memory -fsanitize=fuzzer-no-link poc.c
/usr/local/lib/libpcre.a`

and run with
`./a.out "(?<f>)(?<fir>)"`

It gives stack trace from MSAN :
```
Uninitialized bytes in MemcmpInterceptorCommon at offset 2 inside
[0x707000000042, 3)
==69977==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x44cc5e in memcmp
/src/llvm-project/compiler-rt/lib/msan/../sanitizer_common/sanitizer_common_interceptors.inc:873:10
    #1 0x4a350d in add_name /src/pcre/pcre_compile.c:8982:13
    #2 0x49dd85 in pcre_compile2 /src/pcre/pcre_compile.c:9484:5
    #3 0x49a5a8 in main (/src/a.out+0x49a5a8)
    #4 0x7fde91eac83f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x41c3f8 in _start (/src/a.out+0x41c3f8)


  Uninitialized value was created by a heap allocation
    #0 0x448eed in malloc
/src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:901:3
    #1 0x49d77e in pcre_compile2 /src/pcre/pcre_compile.c:9419:19
    #2 0x49a5a8 in main (/src/a.out+0x49a5a8)
    #3 0x7fde91eac83f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)


SUMMARY: MemorySanitizer: use-of-uninitialized-value
/src/llvm-project/compiler-rt/lib/msan/../sanitizer_common/sanitizer_common_interceptors.inc:873:10
in memcmp
Exiting
```

I think the patch is to use memset to set to 0 all the bytes, and not only the
one after the name, because memcmp does not read the bytes one by one

--
You are receiving this mail because:
You are on the CC list for the bug.