Hi Matthew, hi Philip

I tried to follow the status for CVE-2017-7245 (#858678), and it looks
like they still fail on the "current" revision from the upstream VCS.

I'm on r1689 ("Fix DFA match handling of possessive repeated character
class (Bugzilla 2086).") and compiling locally with ASAN:

(basically only CFLAGS="-g -O0 -fsanitize=address"
LDFLAGS="-fsanitize=address" and I'm explicitly calling configure with
--enable-pcre32 --disable-shared to explicitly catch the issues):

CVE-2017-7245:

$ ./pcretest -32 -d ~/poc/00207-pcre-stackoverflow-pcre32_copy_substring

PCRE version 8.41-RC1 2017-02-01


\v+S+5
------------------------------------------------------------------
  0   4 Bra
  2     \v++
  4   4 Ket
  6     End
------------------------------------------------------------------
Capturing subpattern count = 0
No options
No first char
No need char
Subject length lower bound = 1
Starting chars: \x0a \x0b \x0c \x0d \x85 \xff 
JIT support is not available in this version of PCRE
ïnn{ÿê|:)rÿ/;˜  /=>D
No match
        ßïnn{ÿê|:)>  ““+
No match
Š>
No match
999
No match
>/;((((((((((((((((___ÃDD 
No match
 >:$$$€€€ÿ      ù 999
No match
7NXe  c
No match
9
No match
>
No match
 W+
No match

No match
˜
No match
  t
No match
8 <b
No match
W+
No match
t
No match

\S+\d+W+
=================================================================
==29699==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc66c02600 at pc 0x5618f712d5bd bp 0x7ffc66c01950 sp 0x7ffc66c01948
WRITE of size 4 at 0x7ffc66c02600 thread T0
    #0 0x5618f712d5bc in pcre32_copy_substring /root/pcre/pcre_get.c:358
    #1 0x5618f6face1b in main /root/pcre/pcretest.c:5342
    #2 0x7f5ce5d2a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #3 0x5618f6f9ade9 in _start (/root/pcre/pcretest+0x1bde9)

Address 0x7ffc66c02600 is located in stack of thread T0 at offset 2336 in frame
    #0 0x5618f6fa0fa5 in main /root/pcre/pcretest.c:2987

  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [96, 100) 'first_char'
    [160, 164) 'need_char'
    [224, 228) 'match_limit'
    [288, 292) 'recursion_limit'
    [352, 356) 'count'
    [416, 420) 'backrefmax'
    [480, 484) 'first_char_set'
    [544, 548) 'need_char_set'
    [608, 612) 'okpartial'
    [672, 676) 'jchanged'
    [736, 740) 'hascrorlf'
    [800, 804) 'maxlookbehind'
    [864, 868) 'match_empty'
    [928, 932) 'callout_data'
    [992, 996) 'count'
    [1056, 1060) 'd'
    [1120, 1128) 'cn32ptr'
    [1184, 1192) 'gn32ptr'
    [1248, 1256) 'cn16ptr'
    [1312, 1320) 'gn16ptr'
    [1376, 1384) 'cn8ptr'
    [1440, 1448) 'gn8ptr'
    [1504, 1512) 'error'
    [1568, 1576) 'markptr'
    [1632, 1640) 'get_options'
    [1696, 1704) 'size'
    [1760, 1768) 'nametable'
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer' <== Memory access at offset 2336 overflows this variable
    [2368, 6464) 'copynames'
    [6496, 10592) 'getnames'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/pcre/pcre_get.c:358 in pcre32_copy_substring
Shadow bytes around the buggy address:
  0x10000cd78470: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10000cd78480: 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x10000cd78490: 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
  0x10000cd784a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000cd784c0:[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29699==ABORTING

(the reproducer files are from Agostino Sarubbo's git repository).

Regards,
Salvatore
