https://bugs.exim.org/show_bug.cgi?id=1653
Bug ID: 1653 Summary: Security issue: Overwriting stack content from JIT Product: PCRE Version: 10.10 (PCRE2) Hardware: x86 OS: All Status: NEW Severity: bug Priority: medium Component: Code Assignee: p...@hermes.cam.ac.uk Reporter: hzmes...@freemail.hu CC: pcre-dev@exim.org Hi, I have been working on optimization lately, and I found a serious security issue in JIT. In set_private_data_ptrs() function: if (private_data_ptr > SLJIT_MAX_LOCAL_SIZE) return; // This should be changed to break; This function computes the stack scape for the compiled function, and returns with an error if there is not enough space. Unfortunately it only returns at the moment, but it does not report anything back. The compilation continues, and the resulting code allocates only a small stack, but overwrites things outside of thsi stack. With a well crafted pattern, it allows executing any code. Namely: /a*a*a*a*a*a*a*a*a*(*COMMIT)(*FAIL)|b*b*b*b*...b*/ We need a lots of b*, around 9000 is enough even on 32 bit systems. These b*-s are just dummy stuff to increase stack size, they are never executed. If they would be executed, we might write data outside the starting position of the stack, resulting a segmentation fault. We want to execute code now, not just crash the program. If a* does not match, it puts the starting position of the input twice onto the stack. Since the function return value is overwritten, the JIT code will return to the starting offset of the input string (i.e. the string the pattern is matched against). If the input string contains valid machine code, we can do bad things. The input string should not start with 'a'. If it is, just change a* to b*. This code was introduced in r1306 (2013-04-01). It affects both PCRE/PCRE2 (but not the upcoming PCRE2 release). I am sorry for this unfortunate check. Here is a fix: https://lists.exim.org/lurker/message/20150628.133124.e06b7a2c.en.html -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/pcre-dev