New submission from JohnLeitch: The Python 2.7 regular expression module suffers from an integer underflow in the SRE_SEARCH function of _sre.c, which leads to a buffer over-read condition. The issue is caused by unchecked subtraction performed while handling SRE_OP_INFO blocks:

    if (pattern[0] == SRE_OP_INFO) {
        /* optimization info block */
        /* <INFO> <1=skip> <2=flags> <3=min> <4=max> <5=prefix info>  */

        flags = pattern[2];

        if (pattern[3] > 1) {
            /* adjust end point (but make sure we leave at least one
               character in there, so literal search will work) */
            end -= pattern[3]-1;
                <<<< pattern[3] is a potentially untrusted value controllable via regex.
            if (end <= ptr)
                <<<< A check is performed that end is less than or equal to ptr (which is still start at this point), but no check is performed to determine whether end has underflowed to a value greater than ptr.
                end = ptr+1;
        }

        [...]
    }

A script that demonstrates control of pattern[3] is as follows:

    import re
    re.search(r"\b((A){304665458})",u"A")

When the script is executed, the min quantifier value ends up in pattern[3] of an SRE_OP_INFO block. The value underflows end, resulting in a large number that satisfies the existing validation.

In cases where the regular expression is exposed as attack surface, it may be possible to exploit this vulnerability to scan and read arbitrary memory. This could then potentially be used to disclose secrets and/or bypass mitigations such as ASLR/DEP.
An exception produced by this condition is as follows:

    0:000> !analyze -v -nodb
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    FAULTING_IP:
    python27!sre_uat+b7 [c:\build27\cpython\modules\_sre.c @ 369]
    1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 1e010dd7 (python27!sre_uat+0x000000b7)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 01e0f000
    Attempt to read from address 01e0f000

    CONTEXT:  00000000 -- (.cxr 0x0;r)
    eax=01d38518 ebx=0027f8b0 ecx=0027f8b0 edx=01d23eb4 esi=01e0f002 edi=01d3851a
    eip=1e010dd7 esp=0027f82c ebp=01f2b010 iopl=0         nv up ei pl nz ac po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
    python27!sre_uat+0xb7:
    1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]   ds:002b:01e0f000=????

    FAULTING_THREAD:  00000518

    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

    PROCESS_NAME:  python.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  01e0f000

    READ_ADDRESS:  01e0f000

    FOLLOWUP_IP:
    python27!sre_uat+b7 [c:\build27\cpython\modules\_sre.c @ 369]
    1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]

    NTGLOBALFLAG:  70

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  python.exe

    ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

    LAST_CONTROL_TRANSFER:  from 1e0115e8 to 1e010dd7

    STACK_TEXT:
    0027f834 1e0115e8 01d23eb4 0027f8b0 01e0f004 python27!sre_uat+0xb7
    0027f85c 1e012882 01d23e78 01ddb9f0 00000000 python27!sre_umatch+0x178
    0027f888 1e014995 01d23eb4 1e0148b0 01f3ea08 python27!sre_usearch+0x212
    0027fc08 1e0aafeb 01d23e78 01ddb9f0 00000000 python27!pattern_search+0xe5
    0027fc24 1e0edd10 01f3ea08 01ddb9f0 00000000 python27!PyCFunction_Call+0x5b
    0027fc50 1e0f017a 0027fca8 01d9df98 00000001 python27!call_function+0x2b0
    0027fcc0 1e0f1150 01f49198 00000000 01dce030 python27!PyEval_EvalFrameEx+0x239a
    0027fcf4 1e0ec862 01d9df98 01f49198 00000000 python27!PyEval_EvalCodeEx+0x690
    0027fd30 1e0edd87 0027fdb4 00000002 00000000 python27!fast_function+0xe2
    0027fd5c 1e0f017a 0027fdb4 01d46b18 01d46b18 python27!call_function+0x327
    0027fdcc 1e0f1150 01d74030 00000000 01d46b18 python27!PyEval_EvalFrameEx+0x239a
    0027fe00 1e0f11b2 01d46b18 01d74030 01d4aa50 python27!PyEval_EvalCodeEx+0x690
    0027fe2c 1e11707a 01d46b18 01d4aa50 01d4aa50 python27!PyEval_EvalCode+0x22
    0027fe44 1e1181c5 01e0a3b0 01d4aa50 01d4aa50 python27!run_mod+0x2a
    0027fe64 1e118760 68e87408 01f02e63 00000101 python27!PyRun_FileExFlags+0x75
    0027fea4 1e1190d9 68e87408 01f02e63 00000001 python27!PyRun_SimpleFileExFlags+0x190
    0027fec0 1e038d35 68e87408 01f02e63 00000001 python27!PyRun_AnyFileExFlags+0x59
    0027ff3c 1d00116d 00000002 01f02e40 01f01928 python27!Py_Main+0x965
    0027ff80 75847c04 7ffde000 75847be0 ba7d18ea python!__tmainCRTStartup+0x10f
    0027ff94 77c9b90f 7ffde000 b83a1635 00000000 KERNEL32!BaseThreadInitThunk+0x24
    0027ffdc 77c9b8da ffffffff 77c80707 00000000 ntdll!__RtlUserThreadStart+0x2f
    0027ffec 00000000 1d001314 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b

    STACK_COMMAND:  .cxr 0x0 ; kb

    FAULTING_SOURCE_LINE:  c:\build27\cpython\modules\_sre.c

    FAULTING_SOURCE_FILE:  c:\build27\cpython\modules\_sre.c

    FAULTING_SOURCE_LINE_NUMBER:  369

    FAULTING_SOURCE_CODE:
       365:     case SRE_AT_BOUNDARY:
       366:         if (state->beginning == state->end)
       367:             return 0;
       368:         thatp = ((void*) ptr > state->beginning) ?
    >  369:             SRE_IS_WORD((int) ptr[-1]) : 0;
       370:         thisp = ((void*) ptr < state->end) ?
       371:             SRE_IS_WORD((int) ptr[0]) : 0;
       372:         return thisp != thatp;
       373:
       374:     case SRE_AT_NON_BOUNDARY:

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  python27!sre_uat+b7

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: python27

    IMAGE_NAME:  python27.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  5488ac17

    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_python27.dll!sre_uat

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_python27!sre_uat+b7

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_python27.dll!sre_uat

    FAILURE_ID_HASH:  {a7161322-9fae-40b8-8c7f-dd4ebe6d6b79}

    Followup: MachineOwner
    ---------

To fix this issue, SRE_SEARCH should check end following the subtraction operation to ensure that the value has not underflowed. A proposed patch is attached.

----------
components: Regular Expressions
files: _sre.c.patch
keywords: patch
messages: 246540
nosy: JohnLeitch, ezio.melotti, mrabarnett
priority: normal
severity: normal
status: open
title: SRE_SEARCH Integer Underflow
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file39887/_sre.c.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24602>
_______________________________________
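The following is an added example, written for this page; it is not code from the report, from the attached patch, or from CPython's _sre.c. It reduces the SRE_OP_INFO end-point adjustment described above to a model that uses size_t offsets into the subject string in place of SRE_CHAR pointers (so the wraparound is well-defined C rather than pointer-arithmetic UB), and places the report's unchecked "subtract, then test end <= ptr" form beside a hardened form that compares against the available width before subtracting. The parameter name `min` stands in for pattern[3]; the function names, the `over_read_count` helper and the sample input are this example's own assumptions, not project identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not CPython code: a reduced model of the SRE_OP_INFO
 * end-point adjustment in SRE_SEARCH. ptr and end are offsets into the
 * subject string (the real code uses SRE_CHAR pointers); min stands in
 * for pattern[3], the pattern's minimum width, which the regex controls. */

/* Vulnerable form, as described in the report: subtract first, then test
 * end <= ptr. When min-1 exceeds end the subtraction wraps to a huge value,
 * which is greater than ptr and therefore passes the test untouched. */
size_t adjust_end_vuln(size_t ptr, size_t end, size_t min)
{
    if (min > 1) {
        end -= min - 1;          /* unchecked: wraps when min-1 > end */
        if (end <= ptr)
            end = ptr + 1;       /* keep at least one character to scan */
    }
    return end;
}

/* Hardened form (one way to do it, not the attached patch): compare the
 * requested shrink against the characters available before subtracting,
 * so the subtraction can never wrap. Assumes the caller invariant
 * ptr <= end, which holds at this point in the search. */
size_t adjust_end_safe(size_t ptr, size_t end, size_t min)
{
    if (min > 1) {
        size_t avail = end - ptr;       /* characters between ptr and end */
        if (min - 1 >= avail)
            end = ptr + 1;              /* the clamp the original intended */
        else
            end -= min - 1;             /* safe: min-1 < end - ptr <= end */
    }
    return end;
}

/* Number of positions a scan up to end would read past a subject of
 * subject_len characters; nonzero means a buffer over-read. */
size_t over_read_count(size_t subject_len, size_t end)
{
    return end > subject_len ? end - subject_len : 0;
}

int main(void)
{
    /* Constructed input mirroring the report: subject u"A" (one character),
       search starting at offset 0, pattern minimum width 304665458. */
    const size_t subject_len = 1, ptr = 0, end = 1, min = 304665458;
    size_t e_vuln = adjust_end_vuln(ptr, end, min);
    size_t e_safe = adjust_end_safe(ptr, end, min);

    printf("vulnerable: end=%zu over-read=%zu\n",
           e_vuln, over_read_count(subject_len, e_vuln));
    printf("hardened:   end=%zu over-read=%zu\n",
           e_safe, over_read_count(subject_len, e_safe));
    return 0;
}
```

On the report's input the vulnerable form leaves end at SIZE_MAX - 304665455 (the wrapped value), which the `end <= ptr` test cannot catch, while the hardened form clamps it to ptr + 1 exactly as the original comment intended; for ordinary inputs where min-1 is smaller than the remaining width, both forms return the same value.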