{"id":1495,"date":"2017-03-20T12:19:44","date_gmt":"2017-03-20T10:19:44","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1495"},"modified":"2017-03-24T11:42:08","modified_gmt":"2017-03-24T09:42:08","slug":"libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/20\/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c\/","title":{"rendered":"libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.pcre.org\">libpcre<\/a> is a perl-compatible regular expression library.<\/p>\n<p>A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed by one of the previous commit. However I&#8217;m providing as usual the stacktrace and the reproducer, so if you are not running the latest upstream release, like happen on debian\/rhel based distros, you may want to check better the status of this bug.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># pcretest -32 -d $FILE\r\n==27914==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3f580efe04 (pc 0x7f3f577b8048 bp 0x7ffcb035b390 sp 0x7ffcb035b320 T0)\r\n==27914==The signal is caused by a READ memory access.\r\n    #0 0x7f3f577b8047 in _pcre32_xclass \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_xclass.c:135:30\r\n    #1 0x7f3f576137ca in match \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_exec.c:3203:16\r\n    #2 0x7f3f575e7226 in pcre32_exec \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_exec.c:6936:8\r\n    #3 0x527d6c in main \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcretest.c:5218:9\r\n    #4 0x7f3f565b478f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x41b438 in _init (\/usr\/bin\/pcretest+0x41b438)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/dev-libs\/libpcre-8.40\/work\/pcre-8.40\/pcre_xclass.c:135:30 in _pcre32_xclass\r\n==27914==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n8.40<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n8.41 (not released atm)<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-7244<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00206-pcre-invalidread-_pcre32_xclass\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00206-pcre-invalidread-_pcre32_xclass<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-02-24: bug discovered and reported to upstream<br \/>\n2017-03-20: blog post about the issue<br \/>\n2017-03-23: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"FLjcdosQ13\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/03\/20\/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c\/\">libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/03\/20\/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c\/embed\/#?secret=FLjcdosQ13\" data-secret=\"FLjcdosQ13\" width=\"600\" height=\"338\" title=\"&#8220;libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libpcre is a perl-compatible regular expression library. A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed by one of the previous commit. However I&#8217;m providing as usual the &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/20\/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-o7","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1495"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1495"}],"version-history":[{"count":3,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1495\/revisions"}],"predecessor-version":[{"id":1511,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1495\/revisions\/1511"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}