{"id":2443,"date":"2020-04-19T16:54:53","date_gmt":"2020-04-19T14:54:53","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2443"},"modified":"2020-04-21T09:34:03","modified_gmt":"2020-04-21T07:34:03","slug":"re2c-heap-overflow-in-scannerfill-scanner-cc","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2020\/04\/19\/re2c-heap-overflow-in-scannerfill-scanner-cc\/","title":{"rendered":"re2c: heap overflow in Scanner::fill (scanner.cc)"},"content":{"rendered":"

Description<\/strong>:
\nre2c<\/a> is a tool for generating C-based recognizers from regular expressions.<\/p>\n

There is an heap overflow reproducible with a crafted file.<\/p>\n

~ $ re2c -o \/tmp\/out $FILE\r\n=================================================================\r\n==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8\r\nWRITE of size 18 at 0x629000004212 thread T0\r\n    #0 0x49937e in __asan_memset \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-9.0.0\/work\/compiler-rt-9.0.0.src\/lib\/asan\/asan_interceptors_memintrinsics.cc:26:3\r\n    #1 0x67a291 in re2c::Scanner::fill(unsigned long) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/parse\/scanner.cc:167:9\r\n    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/parse\/lex.cc:94:33\r\n    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/compile.cc:148:41\r\n    #4 0x4cc668 in main \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/main.cc:33:5\r\n    #5 0x7f26392c9dca in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.29-r2\/work\/glibc-2.29\/csu\/..\/csu\/libc-start.c:308:16\r\n    #6 0x421d39  (\/usr\/bin\/re2c+0x421d39)\r\n\r\n0x629000004212 is located 0 bytes to the right of 16402-byte region [0x629000000200,0x629000004212)\r\nallocated by thread T0 here:\r\n    #0 0x4c949d in operator new[](unsigned long) \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-9.0.0\/work\/compiler-rt-9.0.0.src\/lib\/asan\/asan_new_delete.cc:102:3\r\n    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/parse\/scanner.cc:154:22\r\n    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/parse\/lex.cc:94:33\r\n    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/compile.cc:148:41\r\n    #4 0x4cc668 in main \/var\/tmp\/portage\/dev-util\/re2c-1.3\/work\/re2c-1.3\/src\/main.cc:33:5\r\n    #5 0x7f26392c9dca in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.29-r2\/work\/glibc-2.29\/csu\/..\/csu\/libc-start.c:308:16\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-9.0.0\/work\/compiler-rt-9.0.0.src\/lib\/asan\/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset<\/font><\/pre>\n
Affected version:<\/strong>
\n1.3<\/p>\n
Fixed version:<\/strong>
\nWill be 2.0<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/skvadrik\/re2c\/commit\/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo.<\/p>\n
CVE:<\/strong>
\nCVE-2020-11958<\/p>\n
Timeline:<\/strong>
\n2020-04-17: bug discovered and reported to upstream
\n2020-04-17: upstream fixed the issue
\n2020-04-19: blog post about the issue
\n2020-04-21: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.
\nThis bug was identified with bare metal servers donated by Packet<\/a>. This work is also supported by the Core Infrastructure Initiative<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
re2c: heap overflow in Scanner::fill (scanner.cc)<\/a><\/p><\/blockquote>\n