Hello. Please see this report sent to the gawk list concerning regcomp.c. I have attached his "POCFILE".
Thanks,

Arnold

> From: ttfish <jiongch...@gmail.com>
> Date: Tue, 19 Mar 2024 21:48:34 +0800
> Subject: Segmentation Fault via recursive loop in Gawk
> To: bug-g...@gnu.org
> Cc: secur...@gnu.org
>
> Content-Type: text/plain; charset="UTF-8"
>
> Dear GNU gawk developers,
>
> Greetings. I am writing to report a recursive loop bug found in gawk.
>
> ## Description
>
> The bug is located in the support/regcomp.c file within the parse_reg_exp
> function. The vulnerability involves the functions "parse_expression",
> "parse_branch" and "parse_sub_exp" and exists in the latest stable release
> (gawk 5.3.0) and the latest master branch
> (ff873ce52bf6a1766935281883b74b49edc7d38f, updated on March 04, 2024). The
> inner variables `preg`, `token`, `syntax` and `nest` would stick with
> unchanged values in the looping calls and lead to a segmentation fault.
>
> ## Proof of Concept
>
> The attached PoC could result in a segmentation fault and subsequent program
> termination.
>
> It could be reproduced by the attached PoC file with input:
>
> ```bash
> gawk -f POC-FILE {anyfile}
> ```
>
> The backtrace log could be found below:
>
> ```bash
> #4 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #5 0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2169
> #6 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2121
> #7 0x00000000006f4e72 in parse_sub_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4466, err=0x7ffff5c09b20) at ./regcomp.c:2456
> #8 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #9 0x00000000006f243d in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=4465, err=0x7ffff5c09b20) at ./regcomp.c:2169
> #10 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>
> # repeat ...
>
> #17868 0x00000000006f3121 in parse_expression (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2242
> #17869 0x00000000006f265a in parse_branch (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2176
> #17870 0x00000000006ee668 in parse_reg_exp (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, token=0x7ffff5aca4e0, syntax=2339405,
>     nest=0, err=0x7ffff5c09b20) at ./regcomp.c:2121
> #17871 0x00000000006e6db2 in parse (regexp=0x7ffff5c09b30,
>     preg=0x50b00001a920, syntax=2339405, err=0x7ffff5c09b20)
>     at ./regcomp.c:2089
> #17872 0x00000000006dd100 in re_compile_internal (
>     preg=0x50b00001a920,
>     pattern=0x52c000010200
>     "()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
>     times>..., length=28345, syntax=2339405)
>     at ./regcomp.c:764
> #17873 0x00000000006dc5ca in re_compile_pattern (
>     pattern=0x52c000010200
>     "()\326*()+\\2+()*\\2\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats 166
>     times>..., length=28345,
>     bufp=0x50b00001a920) at ./regcomp.c:217
> #17874 0x00000000006a4128 in make_regexp (
>     s=0x52c000008200
>     "()\326*()+\\5342+()*\\5342\277()\326*))*\\W3^\\e<\"\003^*", '(' <repeats
>     160 times>..., len=28345, ignorecase=false,
>     dfa=true, canfatal=false) at re.c:257
> #17875 0x00000000005944c4 in make_regnode (type=Node_regex,
>     exp=0x526000009720)
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:5297
> #17876 0x00000000005728a6 in yyparse ()
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:572
> #17877 0x000000000059fe3d in parse_program (
>     pcode=0x113d8a0 <code_block>, from_eval=false)
>     at /home/ttfish/Project/2024/DSLFuzz/gawk/awkgram.y:2803
> #17878 0x00000000006783e8 in main (argc=4, argv=0x7fffffffd9c8)
>     at main.c:504
> ```
>
> ## Impact
>
> This vulnerability allows attackers to cause a denial of service by
> crashing the gawk instance or malicious memory manipulation.
>
> ## Attachments
>
> Please find the attached PoC file in the attachment.
>
> Please feel free to contact me if you have any further questions.
>
> Best regards,
> ttfish
POCFILE
Description: Binary data
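As an added illustration of the mitigation side (not gawk's or glibc's code, and not the fix the gawk maintainers applied): a toy C parser with the same mutual-recursion shape as regcomp.c's parse_reg_exp, parse_branch, parse_expression and parse_sub_exp, plus a hypothetical cap on the `nest` depth, so that a pattern with thousands of nested groups is rejected with an error code instead of recursing until the stack is exhausted. MAX_NEST, check_pattern and check_nested_parens are assumed names; the nested-paren input is constructed by the code itself.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_NEST 200   /* hypothetical cap; size it to the real stack budget */
enum { OK = 0, ERR_NEST = 1, ERR_PAREN = 2 };
/* Parser state: `pos` indexes `pattern`; `nest` mirrors regcomp.c's depth argument. */
struct parser { const char *pattern; size_t pos; int nest; };
static int parse_reg_exp(struct parser *p);
/* '(' ... ')' group: the only place depth grows, so the only place a guard is needed. */
static int parse_sub_exp(struct parser *p) {
    if (p->nest >= MAX_NEST) return ERR_NEST;  /* refuse instead of recursing deeper */
    p->pos++; p->nest++;                       /* consume '(' */
    int rc = parse_reg_exp(p);
    p->nest--;
    if (rc != OK) return rc;
    if (p->pattern[p->pos] != ')') return ERR_PAREN;
    p->pos++;                                  /* consume ')' */
    return OK;
}
/* One atom: a group or a literal character. */
static int parse_expression(struct parser *p) {
    if (p->pattern[p->pos] == '(') return parse_sub_exp(p);
    p->pos++; return OK;
}
/* A sequence of atoms up to '|', ')' or end of pattern. */
static int parse_branch(struct parser *p) {
    while (p->pattern[p->pos] && p->pattern[p->pos] != '|' && p->pattern[p->pos] != ')') {
        int rc = parse_expression(p);
        if (rc != OK) return rc;
    }
    return OK;
}
/* Alternatives separated by '|'. */
static int parse_reg_exp(struct parser *p) {
    int rc = parse_branch(p);
    while (rc == OK && p->pattern[p->pos] == '|') { p->pos++; rc = parse_branch(p); }
    return rc;
}
/* Returns OK, ERR_NEST (nesting beyond MAX_NEST) or ERR_PAREN (unbalanced). */
int check_pattern(const char *pattern) {
    struct parser p = { pattern, 0, 0 }; int rc = parse_reg_exp(&p);
    return rc != OK ? rc : (pattern[p.pos] == '\0' ? OK : ERR_PAREN);
}
/* Constructed input: `depth` opening parens followed by `depth` closing ones. */
int check_nested_parens(int depth) {
    char *buf = malloc(2 * (size_t)depth + 1);
    if (!buf) return -1;
    memset(buf, '(', (size_t)depth); memset(buf + depth, ')', (size_t)depth);
    buf[2 * depth] = '\0';
    int rc = check_pattern(buf); free(buf); return rc;
}
```

With the guard, a 500-deep group nesting returns ERR_NEST from a bounded stack depth of roughly 4 * MAX_NEST frames; without it, the same four functions would recurse once per '(' exactly as the backtrace above shows.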