{"id":1483,"date":"2017-03-14T16:47:57","date_gmt":"2017-03-14T14:47:57","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1483"},"modified":"2017-03-20T11:16:35","modified_gmt":"2017-03-20T09:16:35","slug":"libpcre-invalid-memory-read-in-match-pcre_exec-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/14\/libpcre-invalid-memory-read-in-match-pcre_exec-c\/","title":{"rendered":"libpcre: invalid memory read in match (pcre_exec.c)"},"content":{"rendered":"

Description<\/strong>:
\nlibpcre<\/a> is a perl-compatible regular expression library.<\/p>\n

A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the library. For who is interested in a detailed description of the bug, will follow a feedback from upstream:<\/p>\n

This was a genuine bug in the 32-bit library. Thanks for finding it. The crash was caused by trying to find a Unicode property for a code value greater than 0x10ffff, the Unicode maximum, when running in non-UTF mode (where character values can be up to 0xffffffff). The bug was in both PCRE1 and PCRE2. I have fixed both of them.<\/p><\/blockquote>\n

The complete ASan output:<\/p>\n

# pcretest -32 -d $FILE\r\n==14788==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bbffed4df (pc 0x7f1bbee3fe6b bp 0x7fff8b50d8c0 sp 0x7fff8b50d3a0 T0)\r\n==14788==The signal is caused by a READ memory access.\r\n    #0 0x7f1bbee3fe6a in match \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_exec.c:5473:18\r\n    #1 0x7f1bbee09226 in pcre32_exec \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_exec.c:6936:8\r\n    #2 0x527d6c in main \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcretest.c:5218:9\r\n    #3 0x7f1bbddd678f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #4 0x41b438 in _init (\/usr\/bin\/pcretest+0x41b438)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_exec.c:5473:18 in match\r\n==14788==ABORTING<\/font><\/pre>\n
Affected version:<\/strong>
\n8.40 and 10.23<\/p>\n
Fixed version:<\/strong>
\n8.41 and 10.24 (not released atm)<\/p>\n
Commit fix for libpcre1:<\/strong>
\nhttps:\/\/vcs.pcre.org\/pcre\/code\/trunk\/pcre_internal.h?r1=1649&r2=1688&sortby=date<\/a>
\nhttps:\/\/vcs.pcre.org\/pcre\/code\/trunk\/pcre_ucd.c?r1=1490&r2=1688&sortby=date<\/a><\/p>\n
Commit fix for libpcre2:<\/strong>
\nhttps:\/\/vcs.pcre.org\/pcre2\/code\/trunk\/src\/pcre2_ucd.c?r1=316&r2=670&sortby=date<\/a>
\nhttps:\/\/vcs.pcre.org\/pcre2\/code\/trunk\/src\/pcre2_internal.h?r1=600&r2=670&sortby=date<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2017-7186<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00204-pcre-invalidread1-pcre_exec<\/a><\/p>\n
Timeline:<\/strong>
\n2017-02-23: bug discovered and reported to upstream
\n2017-02-24: upstream released a patch
\n2017-03-14: blog post about the issue
\n2017-03-19: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libpcre: invalid memory read in match (pcre_exec.c)<\/a><\/p><\/blockquote>\n