
Erlang's regular expressions vulnerable to heap overflow #1108

Closed; wants to merge 3 commits
@zv commented Jun 18, 2016

While I was crafting a concolic execution workload I discovered that Erlang's generation of compiled regular expressions is vulnerable to a modestly complex heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read from and written to.

While ERTS maintains numerous allocators with different internal structures, a single expression can "switch" on internal type information generalized across the alignment of heap chunk headers. This permits internal pointer value leaks as well as more indirect control over the instruction pointer.

@zv zv changed the title Pcre fixedlen heap overflow Erlang's regular expressions vulnerable to heap overflow Jun 18, 2016

@zv zv force-pushed the zv:pcre_fixedlen_heap_overflow branch from 94890ba to b3a7bdb Jun 18, 2016

@zv zv force-pushed the zv:pcre_fixedlen_heap_overflow branch from df8578f to 4945fab Jun 18, 2016

zv added some commits Jun 18, 2016

Fix heap overflow with unmatched closing parens
This bug can trigger vulnerable code in find_fixedlength for a forward reference
within a backward assertion with excess closing parentheses.

@zv zv force-pushed the zv:pcre_fixedlen_heap_overflow branch from 4945fab to 498cf26 Jun 18, 2016

@OTP-Maintainer commented Jun 19, 2016

Patch has passed first testings and has been assigned to be reviewed

I am a script, I am not human


@proxyles proxyles added license and removed license labels Jun 20, 2016

@garazdawi (Contributor) commented Jun 30, 2016

PR put in waiting for patch to comply with same format as mentioned in #1107

@garazdawi (Contributor) commented Aug 8, 2016

Closing this due to inactivity, please open a new PR when/if you decide to get back to it.

@garazdawi garazdawi closed this Aug 8, 2016

@olalundqvist commented Mar 20, 2017

This problem has been assigned CVE-2016-10253. Will this be merged to master?

@zv (Author) commented Mar 20, 2017

Forgot about this issue, I'm working on it now. Thank you @garazdawi for being patient with me here.

@okeuday (Contributor) commented Mar 20, 2017

@zv zv referenced this pull request Mar 20, 2017

Closed

Fix CVE-2016-10253 #1384

@solarsea commented Feb 8, 2018

Is this fix applied in the 19.x series? Thanks

@garazdawi (Contributor) commented Feb 8, 2018

No, only in OTP-20+.
