Hi Hilko, On Fri, Mar 25, 2016 at 07:48:42PM +0100, Hilko Bengen wrote: > * Salvatore Bonaccorso: > > > Can you confirm that the packages at > > https://people.debian.org/~carnil/tmp/pcre3/jessie/ fix as well the > > case reported in #819050? The package at above link contain the > > proposed fixes which I submitted for the next Jessie point release and > > on top of it r1475 commit from upstream. > > After installing libpcre3_8.35-3.3+deb8u3_amd64.deb, pcregrep no longer > crashes. Thank you very much. > > > Can you otherwise provide a complete test case for #819050? > > It turns out that this regex does not crash pcre on just any input. The > following line reproduces the bug for me using an with unpatched > libpcre3. Is this good enough? > > echo /a/eaa | pcregrep > '\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'
Thanks for the testcase, this helps! I think I will propose the attached debdiff for the SRM, to fix this case (separate debdiff, since +deb8u3 was already acceted by Adam just some minutes ago). But I suspect there is more. Florian suggested/mentioned in his first reply, if possibly suricata should not explicitly enable the PCRE JIT compiler at least in jessie. Regards, Salvatore
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog --- pcre3-8.35/debian/changelog 2016-03-25 17:34:14.000000000 +0100 +++ pcre3-8.35/debian/changelog 2016-03-25 19:58:37.000000000 +0100 @@ -1,3 +1,11 @@ +pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium + + * Non-maintainer upload. + * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch. + Fixes issue with nested table jumps. (Closes: #819050) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 25 Mar 2016 19:58:10 +0100 + pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium * Non-maintainer upload. diff -Nru pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch --- pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch 2016-03-25 19:58:37.000000000 +0100 @@ -0,0 +1,102 @@ +Description: Fixed an issue with nested table jumps +Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1475 +Bug-Debian: https://bugs.debian.org/819050 +Forwarded: not-needed +Author: Zoltan Herczeg <hzmes...@freemail.hu> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-03-25 +Applied-Upstream: 8.36 +--- + +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -200,7 +200,7 @@ typedef struct stub_list { + + typedef struct label_addr_list { + struct sljit_label *label; +- sljit_uw *addr; ++ sljit_uw *update_addr; + struct label_addr_list *next; + } label_addr_list; + +@@ -2070,7 +2070,7 @@ while (list_item) + common->stubs = NULL; + } + +-static void add_label_addr(compiler_common *common) ++static void add_label_addr(compiler_common *common, sljit_uw *update_addr) + { + DEFINE_COMPILER; + label_addr_list *label_addr; +@@ -2079,10 +2079,9 @@ label_addr = sljit_alloc_memory(compiler + if (label_addr == NULL) + return; + label_addr->label = LABEL(); +-label_addr->addr = common->read_only_data_ptr; ++label_addr->update_addr = update_addr; + label_addr->next = common->label_addrs; + common->label_addrs = label_addr; +-common->read_only_data_ptr++; + } + + static SLJIT_INLINE void count_match(compiler_common *common) +@@ -8819,6 +8818,7 @@ pcre_uchar *ccprev; + pcre_uchar bra = OP_BRA; + pcre_uchar ket; + assert_backtrack *assert; ++sljit_uw *next_update_addr; + BOOL has_alternatives; + BOOL needs_control_head = FALSE; + struct sljit_jump *brazero = NULL; +@@ -8988,8 +8988,10 @@ else if (has_alternatives) + if (alt_max > 4) + { + /* Table jump if alt_max is greater than 4. */ +- sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)common->read_only_data_ptr); +- add_label_addr(common); ++ next_update_addr = common->read_only_data_ptr; ++ common->read_only_data_ptr += alt_max; ++ sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)next_update_addr); ++ add_label_addr(common, next_update_addr++); + } + else + { +@@ -9121,7 +9123,7 @@ if (has_alternatives) + if (opcode != OP_ONCE) + { + if (alt_max > 4) +- add_label_addr(common); ++ add_label_addr(common, next_update_addr++); + else + { + if (alt_count != 2 * sizeof(sljit_uw)) +@@ -10316,7 +10318,7 @@ executable_size = sljit_get_generated_co + label_addr = common->label_addrs; + while (label_addr != NULL) + { +- *label_addr->addr = sljit_get_label_addr(label_addr->label); ++ *label_addr->update_addr = sljit_get_label_addr(label_addr->label); + label_addr = label_addr->next; + } + sljit_free_compiler(compiler); +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -5675,4 +5675,7 @@ AbcdCBefgBhiBqz + "(?|(\k'Pm')|(?'Pm'))" + abcd + ++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/ ++ acb ++ + /-- End of testinput1 --/ +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -9328,4 +9328,8 @@ No match + 0: + 1: + ++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/ ++ acb ++No match ++ + /-- End of testinput1 --/ diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series --- pcre3-8.35/debian/patches/series 2016-03-25 17:34:14.000000000 +0100 +++ pcre3-8.35/debian/patches/series 2016-03-25 19:58:37.000000000 +0100 @@ -24,3 +24,4 @@ 0001-Give-error-for-x-and-o.patch 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch +0001-Fixed-an-issue-with-nested-table-jumps.patch
signature.asc
Description: PGP signature