tech-userlevel archive
Re: fuzzing found regcomp bug
This doesn't seem to have made it to the list?
On Fri, Sep 4, 2015 at 10:47 AM, enh <enh%google.com@localhost> wrote:
> ==14961==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x61400000fdee at pc 0x0000004f9cba bp 0x7ffefa993d70 sp
> 0x7ffefa993d68
> READ of size 1 at 0x61400000fdee thread T0
> #0 0x4f9cb9 in ordinary
> bionic/libc/upstream-netbsd/lib/libc/regex/regcomp.c:1087:7
> #1 0x4e47dc in p_simp_re
> bionic/libc/upstream-netbsd/lib/libc/regex/regcomp.c:696:3
> #2 0x4e47dc in p_bre
> bionic/libc/upstream-netbsd/lib/libc/regex/regcomp.c:596
> #3 0x4d2d9c in my_regcomp
> bionic/libc/upstream-netbsd/lib/libc/regex/regcomp.c:311:3
> #4 0x4d230d in LLVMFuzzerTestOneInput (a.out+0x4d230d)
>
> 0x61400000fdee is located 42 bytes to the right of 388-byte region
> [0x61400000fc40,0x61400000fdc4)
> allocated by thread T0 here:
> #0 0x4a873b in malloc
> /usr/local/google/home/kcc/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
> #1 0x4d27d5 in my_regcomp
> bionic/libc/upstream-netbsd/lib/libc/regex/regcomp.c:270:13
> #2 0x4d230d in LLVMFuzzerTestOneInput (a.out+0x4d230d)
>
>
> It happens if you build bionic with AddressSanitizer and then pass
> more or less any non-ASCII byte to regcomp:
>
> #include <regex.h>
>
> char x[2] = {0x89, 0};   /* a single non-ASCII byte, then NUL */
> regex_t preg;
> regcomp(&preg, x, 0);
>
>
> missing (unsigned char) casts in ordinary()?
>
> cvs diff: Diffing .
> Index: regcomp.c
> ===================================================================
> RCS file: /cvsroot/src/lib/libc/regex/regcomp.c,v
> retrieving revision 1.35
> diff -u -r1.35 regcomp.c
> --- regcomp.c 17 Feb 2015 20:30:44 -0000 1.35
> +++ regcomp.c 4 Sep 2015 17:47:11 -0000
> @@ -1083,10 +1083,11 @@
> bothcases(p, (unsigned char) ch);
> else {
> EMIT(OCHAR, (sopno)(unsigned char)ch);
> - if (cap[ch] == 0) {
> + if (cap[(unsigned char)ch] == 0) {
> _DIAGASSERT(__type_fit(unsigned char,
> p->g->ncategories + 1));
> - cap[ch] = (unsigned char)p->g->ncategories++;
> + cap[(unsigned char)ch] =
> + (unsigned char)p->g->ncategories++;
> }
> }
> }
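Review bot: the two cap[ch] subscripts in this hunk are fixed by casting at each use, but the sign extension happens once, when ch enters ordinary() as an int widened from a (signed) char; casting once at the top of the function, or taking ch as unsigned char, would cover every subscript use in the function, including any outside this hunk, and would stop a future cap[ch] from reintroducing the read ASan reported. The surrounding context already casts for bothcases() and EMIT(), so the subscripts were the only uncast uses in this region. A regression test that compiles a pattern containing a single byte >= 0x80 (as in the repro above) under AddressSanitizer would pin this down.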
>
>
>
> --
> Elliott Hughes - http://who/enh - http://jessies.org/~enh/
> Android native code/tools questions? Mail me/drop by/add me as a reviewer.
--
Elliott Hughes - http://who/enh - http://jessies.org/~enh/
Android native code/tools questions? Mail me/drop by/add me as a reviewer.
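To show the mechanism behind the report in isolation, here is an added model of the cap[] lookup, not code from regcomp.c or from the report: it assumes a hypothetical 256-entry category table and the names index_unpatched, index_patched and assign_categories, and contrasts the subscript the unpatched code computes from a sign-extended char with the one the (unsigned char) cast produces.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the cap[] table in ordinary(): one category byte per
 * possible input byte, so exactly 256 entries. */
#define NCHARS 256

/* Subscript as the unpatched code computes it: the pattern byte was read
 * through a plain char and widened to int, so where char is signed, bytes
 * >= 0x80 arrive sign-extended and the subscript is negative. */
static int index_unpatched(char ch) { return ch; }

/* Subscript as the patched code computes it: the (unsigned char) cast is
 * applied first, so the result is always 0..255. */
static int index_patched(char ch) { return (unsigned char)ch; }

/* Assign a fresh category the first time each literal byte is seen, as
 * ordinary() does; categories start at 1 so that 0 means "unassigned", which
 * the cap[ch] == 0 test relies on. Returns the count assigned and sets
 * *out_of_range to the number of bytes whose unpatched subscript would fall
 * outside cap[0..255], i.e. the read ASan reported above. */
static int assign_categories(const char *pattern, size_t len,
                             unsigned char cap[NCHARS], int *out_of_range)
{
    int ncategories = 0;
    memset(cap, 0, NCHARS);
    *out_of_range = 0;
    for (size_t i = 0; i < len; i++) {
        int raw = index_unpatched(pattern[i]);
        if (raw < 0 || raw >= NCHARS)
            (*out_of_range)++;
        int idx = index_patched(pattern[i]);
        if (cap[idx] == 0)
            cap[idx] = (unsigned char)++ncategories;
    }
    return ncategories;
}

/* Constructed sample pattern (not from the report): the report's 0x89 byte
 * twice plus two ASCII letters. */
static const char sample_pattern[] = { (char)0x89, 'a', (char)0x89, 'b' };
static unsigned char sample_cap[NCHARS];
static int sample_out_of_range;

static int run_sample(void)
{
    return assign_categories(sample_pattern, sizeof sample_pattern,
                             sample_cap, &sample_out_of_range);
}
```

On a platform where char is signed, both 0x89 bytes in the sample produce a negative unpatched subscript, while the patched subscript is 137 for both and the byte gets a single category.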