https://bugs.exim.org/show_bug.cgi?id=1898
Bug ID: 1898
Summary: PCRE2 - Invalid memory access
Product: PCRE
Version: 10.22 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: fumfi....@gmail.com
CC: pcre-dev@exim.org

Created attachment 927 --> https://bugs.exim.org/attachment.cgi?id=927&action=edit
POC to trigger segfault (pcre2test)

The PCRE2 library is prone to a vulnerability which leads to invalid memory access.

Affected:
- PCRE2 version 10.23-RC1 2016-08-01 (Revision: 562)
- PCRE2 version 10.22 2016-07-29
- Other applications may also be affected

To reproduce the problem (pcre2test):

pcre2test segfault_1_min /dev/null

ASAN Output:

=================================================================
==18939==ERROR: AddressSanitizer: SEGV on unknown address 0x62900001a36f (pc 0x7f226aefad16 bp 0x7ffecb323940 sp 0x7ffecb3230c8 T0)
==18939==The signal is caused by a READ memory access.
    #0 0x7f226aefad15 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8ad15)
    #1 0x4252da in __interceptor_strlen /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:225:19
    #2 0x7f226bd83066 in regexec /home/kamil/Desktop/Downloads/pcre/src/pcre2posix.c:327:13
    #3 0x4ecf17 in process_data /home/kamil/Desktop/Downloads/pcre/src/pcre2test.c:6091:8
    #4 0x4e8318 in main /home/kamil/Desktop/Downloads/pcre/src/pcre2test.c:7721:12
    #5 0x7f226ae9082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a828 in _start (/usr/local/bin/pcre2test+0x41a828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8ad15) in strlen
==18939==ABORTING

Valgrind Output:

==12232== Memcheck, a memory error detector
==12232== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12232== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12232== Command: pcre2test segfault_1_min /dev/null
==12232==
==12232== Invalid read of size 1
==12232==    at 0x4C30F62: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12232==    by 0x5085EE7: regexec (pcre2posix.c:327)
==12232==    by 0x4069AC: process_data (pcre2test.c:6091)
==12232==    by 0x408B98: main (pcre2test.c:7721)
==12232==  Address 0x568146f is 69,743 bytes inside an unallocated block of size 4,066,272 in arena "client"
==12232==
==12232==
==12232== HEAP SUMMARY:
==12232==     in use at exit: 0 bytes in 0 blocks
==12232==   total heap usage: 17 allocs, 17 frees, 126,783 bytes allocated
==12232==
==12232== All heap blocks were freed -- no leaks are possible
==12232==
==12232== For counts of detected and suppressed errors, rerun with: -v
==12232== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Regards,
Kamil Frankowicz

List details at https://lists.exim.org/mailman/listinfo/pcre-dev