Erlang's regular expressions vulnerable to heap overflow #1108


zv commented Jun 18, 2016 edited

Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read from and written to.

While ERTS maintains numerous allocators with different internal structures, a single expression can "switch" on internal type information, generalized across the alignment of heap chunk headers. This permits internal pointer value leaks as well as more indirect control over the instruction pointer.

@zv zv changed the title from Pcre fixedlen heap overflow to Erlang's regular expressions vulnerable to heap overflow Jun 18, 2016
zv added some commits Jun 18, 2016
@zv zv Add structure for mutual recursion detection in ePCRE 949850d
@zv zv fix find_fixedlen stk overflow w/ mutual recursion f74cdcf
@zv zv Fix heap overflow with unmatched closing parens
This bug can trigger vulnerable code in find_fixedlength for a forward reference within a backward assertion with excess closing parentheses.

Patch has passed first testing and has been assigned to be reviewed

I am a script, I am not human

@proxyles proxyles added license and removed license labels Jun 20, 2016

PR put in waiting for the patch to comply with the same format as mentioned in #1107

@garazdawi garazdawi added the waiting label Jun 30, 2016
@garazdawi garazdawi was assigned by psyeugenic Aug 1, 2016

Closing this due to inactivity, please open a new PR when/if you decide to get back to it.

@garazdawi garazdawi closed this Aug 8, 2016