bug#66835: Heap buffer overread in expr in regexec.c in the check_arrival_add_next_nodes function.

2023-11-07 Thread Paul Eggert
Thanks. This is a bug in the glibc regular expression matcher. It's part 
of a well-known series of bugs. See, for example:

https://sourceware.org/bugzilla/show_bug.cgi?id=12896
https://sourceware.org/bugzilla/show_bug.cgi?id=17356

It's not of much practical concern since the attacker should not have 
control of B in invocations like 'expr "$A" : "$B"'.

bug#66835: Heap buffer overread in expr in regexec.c in the check_arrival_add_next_nodes function.

2023-10-30 Thread Some Dickhead
Hi! I was fuzzing expr in coreutils and found a bug. I compiled expr with
ASan and UBSan. I cloned the repository from
https://github.com/coreutils/coreutils and I am using
commit f7e25d5bb53e35bcdea8512dd6db07dd7e6cf452 . After compiling expr,
just run
'./expr $(printf "\x30\x98\xc8\x9d") : $(printf "\x5c\x28\x5c\x29\x2e\x2a\x5c\x53\x98\xc8\x30\x2a\x5c\x31")'
and observe the crash. I have attached the ASAN report which I got from my
run to this email.
==1894136==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60300360 at pc 0x55eb14272845 bp 0x7ffe1d19f7b0 sp 0x7ffe1d19f7a8
READ of size 8 at 0x60300360 thread T0
#0 0x55eb14272844 in check_arrival_add_next_nodes 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:3001:21
#1 0x55eb14272844 in check_arrival 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2914:10
#2 0x55eb14268496 in get_subexp_sub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2766:9
#3 0x55eb1421b754 in get_subexp 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2741:10
#4 0x55eb1421b754 in transit_state_bkref 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2525:13
#5 0x55eb1423711b in merge_state_with_log 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2312:11
#6 0x55eb141fe557 in check_matching 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:1109:14
#7 0x55eb141fe557 in re_search_internal 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:784:20
#8 0x55eb14160c56 in re_search_stub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:420:12
#9 0x55eb14160c56 in rpl_re_match 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:274:10
#10 0x55eb14160c56 in docolon 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:714:14
#11 0x55eb1415b0b2 in eval5 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:894:19
#12 0x55eb1415b0b2 in eval4 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:917:7
#13 0x55eb1415a274 in eval3 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:956:7
#14 0x55eb14154bf6 in eval2 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:986:7
#15 0x55eb14154071 in eval1 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:1065:7
#16 0x55eb141531a1 in eval 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:1096:7
#17 0x55eb141529f7 in main 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:454:7
#18 0x7f5ca4d81082 in __libc_start_main 
/build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#19 0x55eb14056d9d in _start 
(/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/fuzz/passing/poopooexpr+0xafd9d)

0x60300360 is located 0 bytes to the right of 32-byte region 
[0x60300340,0x60300360)
allocated by thread T0 here:
#0 0x55eb1410707f in __interceptor_realloc.part.0 
/home/cyberhacker/Asioita/newaflfuzz/shit/llvm-project-llvmorg-15.0.7/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
#1 0x55eb14271656 in check_arrival 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2835:19
#2 0x55eb14268496 in get_subexp_sub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2766:9

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:3001:21 
in check_arrival_add_next_nodes
Shadow bytes around the buggy address:
  0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8030: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8040: fd fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
  0x0c067fff8050: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 00[fa]fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra
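As an added triage aid for reports like the one above (this is example code written for this page, not part of the bug report, coreutils or glibc): a small Python parser that reads an AddressSanitizer report in the line-wrapped form it arrives in on the mailing list, where a frame's function name and its source location often land on separate lines, and pulls out what a maintainer checks first: the error kind, whether the bad access is a READ or a WRITE, how far outside which allocation it landed, the crashing frame, and the first non-sanitizer frame of the allocation stack. The embedded report is a constructed, shortened copy shaped like the one in the thread; the /work/... paths are placeholders, not paths from the original.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a shortened ASAN report wrapped the way mail clients wrap
# it (function on one line, source location on the next). Paths are placeholders.
SAMPLE_REPORT = """\
==1894136==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300360 at pc 0x55eb14272845 bp 0x7ffe1d19f7b0 sp 0x7ffe1d19f7a8
READ of size 8 at 0x60300360 thread T0
#0 0x55eb14272844 in check_arrival_add_next_nodes
/work/coreutils/./lib/regexec.c:3001:21
#1 0x55eb14272844 in check_arrival
/work/coreutils/./lib/regexec.c:2914:10
#10 0x55eb14160c56 in docolon /work/coreutils/src/expr.c:714:14
#17 0x55eb141529f7 in main /work/coreutils/src/expr.c:454:7
#19 0x55eb14056d9d in _start
(/work/coreutils/src/expr+0xafd9d)

0x60300360 is located 0 bytes to the right of 32-byte region
[0x60300340,0x60300360)
allocated by thread T0 here:
#0 0x55eb1410707f in __interceptor_realloc.part.0
/work/llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
#1 0x55eb14271656 in check_arrival
/work/coreutils/./lib/regexec.c:2835:19

SUMMARY: AddressSanitizer: heap-buffer-overflow
/work/coreutils/./lib/regexec.c:3001:21
in check_arrival_add_next_nodes
"""

HEADER_RE = re.compile(r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")
FRAME_RE = re.compile(r"^#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>\S+)(?: (?P<loc>\S+))?$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")  # file:line[:col]


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str] = None   # None for frames with only a module+offset
    line: Optional[int] = None


@dataclass
class AsanTriage:
    pid: int
    kind: str
    op: str
    size: int
    addr: str
    region_size: Optional[int] = None
    distance: Optional[int] = None
    side: Optional[str] = None
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def crash_site(self) -> Optional[Frame]:
        return self.access_stack[0] if self.access_stack else None

    def alloc_site(self) -> Optional[Frame]:
        # Skip the sanitizer's own malloc/realloc interceptor frames.
        for f in self.alloc_stack:
            if not f.func.startswith("__interceptor_") and "asan_" not in (f.file or ""):
                return f
        return None

    def summary(self) -> str:
        site, alloc = self.crash_site(), self.alloc_site()
        where = f"{site.func} ({site.file}:{site.line})" if site and site.file else "?"
        origin = f"{alloc.func} ({alloc.file}:{alloc.line})" if alloc and alloc.file else "unknown"
        impact = ("out-of-bounds READ: crash or information disclosure, no direct corruption"
                  if self.op == "READ" else "out-of-bounds WRITE: memory corruption, high severity")
        return (f"{self.kind}: {self.op} of {self.size} bytes, {self.distance} bytes to the "
                f"{self.side} of a {self.region_size}-byte block; at {where}; "
                f"block allocated in {origin}; {impact}")


def _split_loc(loc: str) -> Tuple[Optional[str], Optional[int]]:
    m = LOC_RE.match(loc)
    return (m.group("file"), int(m.group("line"))) if m else (None, None)


def parse_asan_report(text: str) -> AsanTriage:
    pid = kind = addr = op = None
    size = 0
    region_size = distance = side = None
    access: List[Frame] = []
    alloc: List[Frame] = []
    current: Optional[List[Frame]] = None
    pending: Optional[Frame] = None  # frame whose location was wrapped onto the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None and (LOC_RE.match(line) or line.startswith("(")):
            pending.file, pending.line = _split_loc(line)
            pending = None
            continue
        pending = None
        if (m := HEADER_RE.search(line)):
            pid, kind = int(m.group("pid")), m.group("kind")
        elif (m := ACCESS_RE.match(line)):
            op, size, addr = m.group("op"), int(m.group("size")), m.group("addr")
            current = access
        elif (m := REGION_RE.search(line)):
            distance, side, region_size = int(m.group("dist")), m.group("side"), int(m.group("size"))
        elif line.startswith("allocated by"):
            current = alloc
        elif line.startswith(("freed by", "SUMMARY:")):
            current = None  # free stacks are not needed for an overflow report
        elif (m := FRAME_RE.match(line)) and current is not None:
            frame = Frame(int(m.group("n")), m.group("func"))
            if m.group("loc"):
                frame.file, frame.line = _split_loc(m.group("loc"))
            else:
                pending = frame
            current.append(frame)
    if kind is None or op is None:
        raise ValueError("not a recognisable AddressSanitizer report")
    return AsanTriage(pid, kind, op, size, addr, region_size, distance, side, access, alloc)


if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT).summary())
```

Run as-is it prints one line naming the crash site (check_arrival_add_next_nodes, regexec.c:3001) and the allocation site (check_arrival, regexec.c:2835), which is the same pairing a maintainer would extract by hand from the posted report; feed it a real report (wrapped or not) to get the same one-line triage.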