Hi Matthew, hi Philip

I tried to follow the status for CVE-2017-7246 (#858679), and it looks
like they still fail on the "current" revision from the upstream VCS.

I'm on r1689 ("Fix DFA match handling of possessive repeated character
class (Bugzilla 2086).") and compiling locally with ASAN:

(basically only CFLAGS="-g -O0 -fsanitize=address"
LDFLAGS="-fsanitize=address" and I'm explicitly calling configure with
--enable-pcre32 --disable-shared to explicitly catch the issues):

CVE-2017-7246:

$ ./pcretest -32 -d ~/poc/00209-pcre-stackoverflow2-read_capture_name32

PCRE version 8.41-RC1 2017-02-01


S++C
------------------------------------------------------------------
  0   6 Bra
  2     Callout 255 0 0
  6   6 Ket
  8     End
------------------------------------------------------------------
Capturing subpattern count = 0
May match empty string
Options:
No first char
No need char
Study returned NULL
JIT support is not available in this version of PCRE
̀
--->\xcc\x80
 +0 ^            
 0: 
`\C0  c
--->`  c
 +0 ^        
 0: 
 0C  (0)
NXe*007å\C0  c
--->NXe*007\xe5  c
 +0 ^                  
 0: 
 0C  (0)
\C*0999999999999999
--->\x16\x10
 +0 ^            
Callout data = -1530494977
Error -1530494977 (Unexpected value)
>
--->>
 +0 ^     
 0: 
 W+
--->W+
 +0 ^      
 0: 

--->\x10
 +0 ^        
 0: 
˜
--->\x98
 +0 ^        
 0: 
  t
--->t\x12
 +0 ^         
 0: 
8 <b
--->8 <b
 +0 ^        
 0: 
W+
--->\x16W+
 +0 ^          
 0: 
>  t
--->\x10\x0f>\x03  t\x12
 +0 ^                        
 0: 

--->\x02\x10
 +0 ^            
 0: 
++C 
--->++C
 +0 ^       
 0: 
̀
--->\xcc\x80
 +0 ^            
 0: 
`\C0  c
--->`  c
 +0 ^        
 0: 
 0C  (0)
\C*7  c
--->\x16\x10  c
 +0 ^               
Callout data = 7
 +0     ^           
Callout data = 7
 +0         ^       
Callout data = 7
 +0          ^      
Callout data = 7
 +0           ^     
Callout data = 7
 +0            ^    
Callout data = 7
No match
\C777K
--->\x16\x10K
 +0 ^             
 0: 
copy substring 9 failed -7
W+
--->\x16W+
 +0 ^          
 0: 
>  t
--->\x10\x0f>\x03  t\x12
 +0 ^                        
 0: 

\S+\d+W+
------------------------------------------------------------------
  0  10 Bra
  2     notprop Xsp +
  6     prop Nd ++
 10  10 Ket
 12     End
------------------------------------------------------------------
Capturing subpattern count = 0
Options: ucp
No first char
No need char

No match
++C
No match
̀
No match
`\C0  c
No match
\C*7777K777!777707å\C0  c
 0: \x16\x10K777!7777\x7f07
 0+ \xe5  c
 0C \x16\x10K777!7777\x7f07 (14)
è*0999
 0: \x16\x10\x03\xe8*0999
 0+ 
>
No match
 777!7777NXe*007å\C0  c
 0: 777!7777\x7fNXe*007
 0+ \xe5  c
 0C 777!7777\x7fNXe*007 (16)
\C*0999999999999999
No match
>
No match
 W+
No match

No match
˜
No match
  t
No match
8 <b
No match
W+
No match
>  t
No match

\S+\d+W+
=================================================================
==29702==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd3606a90 at pc 0x7f18d6253d7b bp 0x7ffdd3605de0 sp 0x7ffdd3605590
WRITE of size 268 at 0x7ffdd3606a90 thread T0
    #0 0x7f18d6253d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x563daf372570 in pcre32_copy_substring /root/pcre/pcre_get.c:357
    #2 0x563daf1f1e1b in main /root/pcre/pcretest.c:5342
    #3 0x7f18d5e792b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #4 0x563daf1dfde9 in _start (/root/pcre/pcretest+0x1bde9)

Address 0x7ffdd3606a90 is located in stack of thread T0 at offset 2336 in frame
    #0 0x563daf1e5fa5 in main /root/pcre/pcretest.c:2987

  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [96, 100) 'first_char'
    [160, 164) 'need_char'
    [224, 228) 'match_limit'
    [288, 292) 'recursion_limit'
    [352, 356) 'count'
    [416, 420) 'backrefmax'
    [480, 484) 'first_char_set'
    [544, 548) 'need_char_set'
    [608, 612) 'okpartial'
    [672, 676) 'jchanged'
    [736, 740) 'hascrorlf'
    [800, 804) 'maxlookbehind'
    [864, 868) 'match_empty'
    [928, 932) 'callout_data'
    [992, 996) 'count'
    [1056, 1060) 'd'
    [1120, 1128) 'cn32ptr'
    [1184, 1192) 'gn32ptr'
    [1248, 1256) 'cn16ptr'
    [1312, 1320) 'gn16ptr'
    [1376, 1384) 'cn8ptr'
    [1440, 1448) 'gn8ptr'
    [1504, 1512) 'error'
    [1568, 1576) 'markptr'
    [1632, 1640) 'get_options'
    [1696, 1704) 'size'
    [1760, 1768) 'nametable'
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer'
    [2368, 6464) 'copynames' <== Memory access at offset 2336 partially underflows this variable
    [6496, 10592) 'getnames'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 
Shadow bytes around the buggy address:
  0x10003a6b8d00: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x10003a6b8d10: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x10003a6b8d20: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2
  0x10003a6b8d30: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003a6b8d50: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==29702==ABORTING

(the reproducer files are from Agostino Sarubbo's git repository).

Regards,
Salvatore
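
As an added triage helper (not part of Salvatore's mail or of the PCRE sources), the following maps the ASan frame description above to the buffer that was overrun. ASan reports the first poisoned byte as the faulting address and, for range accesses caught by its memcpy-style interceptors, the whole copy length as the size, so the 268-byte write into the 256-byte copybuffer appears as an access starting exactly at copybuffer's end that spills over the redzone into copynames. The excerpt is copied from the report above; the function names are this example's own.

```python
import re

# Excerpt of the AddressSanitizer output from the report above, used here as
# constructed sample input (offsets and names copied from the report).
ASAN_EXCERPT = """\
WRITE of size 268 at 0x7ffdd3606a90 thread T0
Address 0x7ffdd3606a90 is located in stack of thread T0 at offset 2336 in frame
  This frame has 35 object(s):
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer'
    [2368, 6464) 'copynames' <== Memory access at offset 2336 partially underflows this variable
    [6496, 10592) 'getnames'
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


def triage_stack_overflow(report):
    """Map an ASan stack-buffer-overflow report to the frame object overrun.

    ASan reports the first poisoned byte as the address and the whole access
    length as the size, so [offset, offset + size) is the poisoned span.  The
    object whose end equals that offset is the buffer written past its end
    (None if the first bad byte is not at an object boundary, e.g. an
    underflow); every object overlapping the span is clobbered.
    """
    kind, size = ACCESS_RE.search(report).groups()
    size = int(size)
    offset = int(OFFSET_RE.search(report).group(1))
    objects = [(int(b), int(e), n) for b, e, n in OBJECT_RE.findall(report)]
    span_end = offset + size
    overrun = [(n, e - b) for b, e, n in objects if e == offset]
    clobbered = [n for b, e, n in objects if b < span_end and e > offset]
    return {
        "access": kind,
        "size": size,
        "overrun": overrun[0] if overrun else None,  # (name, declared size)
        "clobbered": clobbered,
    }


if __name__ == "__main__":
    print(triage_stack_overflow(ASAN_EXCERPT))
```

On the excerpt this reports copybuffer (256 bytes) as the overrun object and copynames as the object hit by the tail of the 268-byte write.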
