https://bugs.exim.org/show_bug.cgi?id=1889
Kamil Frankowicz <fumfi....@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|PCRE2 Heap Overflow         |PCRE2 Stack Buffer Overflow
                   |Vulnerability               |Vulnerability

--- Comment #4 from Kamil Frankowicz <fumfi....@gmail.com> ---
FYI, my fault - it was a stack buffer overflow.

ASAN output:

==19226==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc935e5fa6 at pc 0x0000004a1da4 bp 0x7ffc935e5e90 sp 0x7ffc935e5640
WRITE of size 7 at 0x7ffc935e5fa6 thread T0
    #0 0x4a1da3 in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x7f8dbbadc514 in compile_branch XYZ/pcre2_compile.c:5211:9
    #2 0x7f8dbbad125b in compile_regex XYZ/pcre2_compile.c:7687:8
    #3 0x7f8dbbac9ccb in pcre2_compile_8 XYZ/pcre2_compile.c:8657:7
    #4 0x4f0e2c in process_pattern XYZ/pcre2test.c:4949:1
    #5 0x4e8333 in main XYZ/pcre2test.c:7607:10
    #6 0x7f8dba9c782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41a828 in _start (/usr/local/bin/pcre2test+0x41a828)

Address 0x7ffc935e5fa6 is located in stack of thread T0 at offset 262 in frame
    #0 0x7f8dbbad6a6f in compile_branch XYZ/pcre2_compile.c:3861

  This frame has 28 object(s):
    [32, 36) 'repeat_min'
    [48, 52) 'repeat_max'
    [64, 72) 'length_prevgroup'
    [96, 104) 'tempcode'
    [128, 136) 'ptr'
    [160, 168) 'tempptr'
    [192, 224) 'classbits'
    [256, 262) 'utf_units' <== Memory access at offset 262 overflows this variable
    [288, 296) 'class_uchardata'
    [320, 324) 'ec'
    [336, 340) 'subreqcu'
    [352, 356) 'subfirstcu'
    [368, 372) 'subreqcuflags'
    [384, 388) 'subfirstcuflags'
    [400, 408) 'mcbuffer'
    [432, 464) 'pbits'
    [496, 500) 'negated'
    [512, 516) 'ptype664'
    [528, 532) 'pdata'
    [544, 548) 'd'
    [560, 564) 'count'
    [576, 584) 'arg'
    [608, 616) 'memcode'
    [640, 644) 'set'
    [656, 660) 'unset'
    [672, 676) 'negated3050'
    [688, 692) 'ptype3051'
    [704, 708) 'pdata3052'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x1000126b4ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4bd0: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f2 00 f2 f2 f2
  0x1000126b4be0: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
=>0x1000126b4bf0: f2 f2 f2 f2[06]f2 f2 f2 00 f2 f2 f2 04 f2 04 f2
  0x1000126b4c00: 04 f2 04 f2 04 f2 00 f2 f2 f2 00 00 00 00 f2 f2
  0x1000126b4c10: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 f2 f2 f2
  0x1000126b4c20: 00 f2 f2 f2 04 f2 04 f2 04 f2 04 f2 04 f3 f3 f3
  0x1000126b4c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000126b4c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
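A small triage helper, added here as an example and not part of the bug report or of PCRE2, that pulls the overflowed frame object and the faulting source line out of an ASAN stack-buffer-overflow report like the one above. The sample text is a constructed, condensed copy of that report; the function names and return keys are this example's own.

```python
import re

# Constructed sample: a condensed copy of the ASAN report quoted in the comment above.
SAMPLE_REPORT = """\
==19226==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc935e5fa6 at pc 0x0000004a1da4
WRITE of size 7 at 0x7ffc935e5fa6 thread T0
    #0 0x4a1da3 in __asan_memcpy /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x7f8dbbadc514 in compile_branch XYZ/pcre2_compile.c:5211:9
    #2 0x7f8dbbad125b in compile_regex XYZ/pcre2_compile.c:7687:8
Address 0x7ffc935e5fa6 is located in stack of thread T0 at offset 262 in frame
    #0 0x7f8dbbad6a6f in compile_branch XYZ/pcre2_compile.c:3861
  This frame has 28 object(s):
    [192, 224) 'classbits'
    [256, 262) 'utf_units' <== Memory access at offset 262 overflows this variable
    [288, 296) 'class_uchardata'
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)'")

def triage_stack_overflow(report):
    """Extract what a triager needs: access kind/size, the victim frame object, and
    the first non-sanitizer frame that issued the access."""
    kind, size, _addr = ACCESS_RE.search(report).groups()
    bad_offset = int(OFFSET_RE.search(report).group(1))
    # Frame objects are [start, end) offsets within the frame. ASAN reports the first
    # poisoned byte, which lies in the redzone right after the victim, so the victim is
    # the object with the greatest end offset that is <= the faulting offset.
    objects = [(int(s), int(e), n) for s, e, n in OBJECT_RE.findall(report)]
    start, end, name = max((o for o in objects if o[1] <= bad_offset), key=lambda o: o[1])
    # The top frames belong to the sanitizer's memcpy interceptor; the first frame
    # outside it is the program's own call site (here compile_branch, line 5211).
    frames = [(fn, path, int(line)) for fn, path, line in FRAME_RE.findall(report)]
    site = next(f for f in frames if not f[0].startswith("__asan_"))
    return {
        "kind": kind,
        "size": int(size),
        "victim": name,
        "victim_size": end - start,
        # index of the first out-of-bounds byte relative to the victim's start
        "first_bad_index": bad_offset - start,
        "site": site,
    }

if __name__ == "__main__":
    for key, value in triage_stack_overflow(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample it reports a 7-byte write whose first bad byte is index 6 of the 6-byte 'utf_units' object, issued from compile_branch at pcre2_compile.c line 5211.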