https://bugs.exim.org/show_bug.cgi?id=2421
            Bug ID: 2421
           Summary: Array cross-border reading/global variable coverage in PCRE Library
           Product: PCRE
           Version: 10.33 (PCRE2)
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: p...@hermes.cam.ac.uk
          Reporter: 3556158...@qq.com
                CC: pcre-dev@exim.org

Created attachment 1202
  --> https://bugs.exim.org/attachment.cgi?id=1202&action=edit
input file for the php script

The latest version of PHP (7.4) uses PCRE2 (10.33). While using PHP's preg_match() function, I found a security problem in the PCRE library. Here are the details:

Get the latest version of PHP:

    git clone https://github.com/php/php-src

The test script is very easy:

    <?php
    $fuzz = file_get_contents($argv[1]);
    preg_match($fuzz, $fuzz);

The input file is in the attachment. Unzip this file and use the "input_file.txt" as the input file. Then run php like this:

    ./php-src/sapi/cli/php ./test.php ./input_file.txt

You will see "Segmentation fault (core dumped)".

Use gdb to see the details:

    Program received signal SIGSEGV, Segmentation fault.
    0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa150, cc=0x7ffff3a58808 "\377\066\250\250\250\066\066\066zzzz=*\377/\n")
        at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
    8546      lgb = UCD_GRAPHBREAK(c);
    (gdb) print cc
    $1 = (PCRE2_SPTR8) 0x7ffff3a58808 "\377\066\250\250\250\066\066\066zzzz=*\377/\n"
    (gdb) print c
    $2 = 1994129407

I analysed this crash; it is caused by array cross-border reading.

    8546      lgb = UCD_GRAPHBREAK(c);
       0x000055555571034d <+549>:   mov    -0x20(%rbp),%eax
       0x0000555555710350 <+552>:   lea    0x7f(%rax),%edx
       0x0000555555710353 <+555>:   test   %eax,%eax
       0x0000555555710355 <+557>:   cmovs  %edx,%eax
       0x0000555555710358 <+560>:   sar    $0x7,%eax
       0x000055555571035b <+563>:   mov    %eax,%edx
       0x000055555571035d <+565>:   lea    0x4fcb9c(%rip),%rax        # 0x555555c0cf00 <_pcre2_ucd_stage1_8>
       0x0000555555710364 <+572>:   movslq %edx,%rdx
    => 0x0000555555710367 <+575>:   movzwl (%rax,%rdx,2),%eax

Then I used AFL to fuzz the preg_match function; it reports some global variable coverage. You can see the crash cases in "input.zip".
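Added illustration, not part of the report or of PCRE2's own code: the disassembly shifts c right by 7 before indexing the stage-1 table, so a character value far above the Unicode maximum (gdb printed 1994129407) yields an index well past a table sized for U+0000..U+10FFFF. The block shift and table length below are assumptions modelled on that shift, and the table itself is a zero-filled stand-in; the point is the bounds check that an unchecked lookup lacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the shift by 7 matches the `sar $0x7` in the report's
 * disassembly; the table is sized to cover exactly U+0000..U+10FFFF. */
#define MAX_CODEPOINT   0x10FFFFu
#define UCD_BLOCK_SHIFT 7
#define STAGE1_LEN      ((MAX_CODEPOINT >> UCD_BLOCK_SHIFT) + 1)   /* 8704 entries */

/* Zero-filled stand-in for a generated stage-1 table (hypothetical). */
static const uint16_t stage1[STAGE1_LEN];

/* Index an unchecked lookup would compute for character value c. */
size_t stage1_index(uint32_t c)
{
    return (size_t)(c >> UCD_BLOCK_SHIFT);
}

/* True when that index stays inside the table. */
bool stage1_index_in_bounds(uint32_t c)
{
    return stage1_index(c) < STAGE1_LEN;
}

/* Bounds-checked lookup: reject anything beyond U+10FFFF instead of
 * reading past the table. Returns 0 on success, -1 on rejection. */
int checked_stage1_lookup(uint32_t c, uint16_t *out)
{
    if (c > MAX_CODEPOINT)
        return -1;
    *out = stage1[stage1_index(c)];
    return 0;
}

/* Convenience wrapper returning only the status of the checked lookup. */
int checked_lookup_status(uint32_t c)
{
    uint16_t unused;
    return checked_stage1_lookup(c, &unused);
}

int main(void)
{
    uint32_t crash_value = 1994129407u;   /* value of c printed by gdb in the report */
    printf("index for %u = %zu (table has %u entries): %s\n", crash_value,
           stage1_index(crash_value), (unsigned)STAGE1_LEN,
           stage1_index_in_bounds(crash_value) ? "in bounds" : "OUT OF BOUNDS");
    printf("checked lookup: %s\n",
           checked_lookup_status(crash_value) == 0 ? "ok" : "rejected");
    return 0;
}
```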