Hello.

Please see this report sent to the gawk list concerning regcomp.c.
I have attached his "POCFILE".

Thanks,

Arnold

> From: ttfish <jiongch...@gmail.com>
> Date: Tue, 19 Mar 2024 21:48:34 +0800
> Subject: Segmentation Fault via recursive loop in Gawk
> To: bug-g...@gnu.org
> Cc: secur...@gnu.org
>
> Dear GNU gawk developers,
>
> Greetings. I am writing to report a recursive loop bug found in gawk.
>
> ## Description
>
> The bug is located in the support/regcomp.c file within the parse_reg_exp
> function. The vulnerability involves the functions "parse_expression",
> "parse_branch" and "parse_sub_exp" and exists in the latest stable release
> (gawk 5.3.0) and the latest master branch
> (ff873ce52bf6a1766935281883b74b49edc7d38f, updated on March 04, 2024). The
> inner variables `preg`, `token`, `syntax` and `nest` keep unchanged values
> across the recursive calls and lead to a segmentation fault.
>
> ## Proof of Concept
>
> The attached PoC could result in a segmentation fault and subsequent program
> termination.
>
> It could be reproduced by the attached PoC file with input:
>
> ```bash
> gawk -f POC-FILE {anyfile}
> ```
>
> The backtrace log could be found below:
>
> ```text
> #4  0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #5  0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2169
> #6  0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2121
> #7  0x00000000006f4e72 in parse_sub_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2456
> #8  0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #9  0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2169
> #10 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>
> # repeat ...
>
> #17868 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #17869 0x00000000006f265a in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2176
> #17870 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2121
> #17871 0x00000000006e6db2 in parse (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, syntax=2339405, err=0x7ffff5c09b20)
>     at ./regcomp.c:2089
> #17872 0x00000000006dd100 in re_compile_internal (
>     preg=0x50b00001a920,
>     pattern=0x52c000010200
> "()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
> times>..., length=28345, syntax=2339405)
>     at ./regcomp.c:764
> #17873 0x00000000006dc5ca in re_compile_pattern (
>     pattern=0x52c000010200
> "()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
> times>..., length=28345,
>     bufp=0x50b00001a920) at ./regcomp.c:217
> #17874 0x00000000006a4128 in make_regexp (
>     s=0x52c000008200
> "()\326*()+\\5342+()*\\5342\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats
> 160 times>..., len=28345, ignorecase=false,
>     dfa=true, canfatal=false) at re.c:257
> #17875 0x00000000005944c4 in make_regnode (type=Node_regex,
>     exp=0x526000009720)
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:5297
> #17876 0x00000000005728a6 in yyparse ()
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:572
> #17877 0x000000000059fe3d in parse_program (
>     pcode=0x113d8a0 <code_block>, from_eval=false)
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:2803
> #17878 0x00000000006783e8 in main (argc=4, argv=0x7fffffffd9c8)
>     at main.c:504
> ```
>
> ## Impact
>
> This vulnerability allows attackers to cause a denial of service by
> crashing the gawk instance or malicious memory manipulation.
>
> ## Attachments
>
> Please find the attached PoC file in the attachment.
>
> Please feel free to contact me if you have any further questions.
>
> Best regards,
> ttfish

Attachment: POCFILE
Description: Binary data
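As an added, defender-side example (not gawk's code and not the reporter's PoC): the backtrace above shows `nest` rising by one on each parse_expression -> parse_branch -> parse_reg_exp -> parse_sub_exp round trip, i.e. one stack round trip per nested group, so a program that compiles untrusted patterns can bound group nesting before handing the pattern to the regex compiler. The limit MAX_GROUP_NESTING, the 8192-group buffer and the function names are assumptions; the scanner counts the deepest unescaped '(' nesting outside bracket expressions, and overcounts rather than undercounts when in doubt.

```c
#include <stddef.h>
#include <string.h>
/* Assumed policy value, not a gawk constant: deepest group nesting accepted. */
#define MAX_GROUP_NESTING 200
/* Deepest nesting of '(' groups in an ERE, ignoring escaped parens and parens
 * inside bracket expressions ([:class:]-style items included). Each level
 * costs the compiler one recursive round trip, so this is what to bound. */
size_t max_group_nesting(const char *pat, size_t len)
{
    size_t depth = 0, max_depth = 0, i = 0;
    while (i < len) {
        char c = pat[i++];
        if (c == '\\') {                /* escaped char: skip it, never a group */
            if (i < len) i++;
        } else if (c == '[') {          /* bracket expression: parens are literal */
            if (i < len && pat[i] == '^') i++;
            if (i < len && pat[i] == ']') i++;       /* leading ']' is literal */
            while (i < len && pat[i] != ']') {
                char k = (i + 1 < len) ? pat[i + 1] : 0;
                if (pat[i] == '[' && (k == ':' || k == '.' || k == '=')) {
                    i += 2;                          /* [:x:], [.x.], [=x=] */
                    while (i + 1 < len && !(pat[i] == k && pat[i + 1] == ']'))
                        i++;
                    i += 2;
                } else
                    i++;
            }
            i++;                        /* closing ']' (or end of pattern) */
        } else if (c == '(') {
            if (++depth > max_depth) max_depth = depth;
        } else if (c == ')' && depth > 0) {
            depth--;
        }
    }
    return max_depth;
}
/* 1 if the pattern is shallow enough to hand to the regex compiler, else 0. */
int regex_nesting_ok(const char *pat, size_t len)
{
    return max_group_nesting(pat, len) <= MAX_GROUP_NESTING;
}
/* Constructed check: a pattern of n nested groups "((...))", n <= 8192. */
int nested_groups_ok(size_t n)
{
    static char buf[16384];
    if (2 * n > sizeof buf) return 0;
    memset(buf, '(', n); memset(buf + n, ')', n);
    return regex_nesting_ok(buf, 2 * n);
}
```

With this guard in front of re_compile_pattern(), a pattern nested 4466 levels deep, as in the backtrace, is refused with a normal error instead of exhausting the stack.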
