Literal matching empty string buffer overflow #304

Closed
danlark1 opened this issue Feb 27, 2021 · 2 comments

Comments

@danlark1

In this issue it compiles, but hs_scan fails under ASAN.

#undef NDEBUG
#include <hs.h>
#include <cassert>

/*
Explanation: ASAN segfault.
Version: 5.4.0
==162837==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000140324e at pc 0x0000005047a8 bp 0x7ffc2fc1f4d0 sp 0x7ffc2fc1f4c8
READ of size 4 at 0x00000140324e thread T0
    #0 0x5047a7 in unaligned_load_u32 contrib/hyperscan/src/util/unaligned.h:58:18
    #1 0x5047a7 in masked_move256_len contrib/hyperscan/src/util/masked_move.h:70:15
    #2 0x5047a7 in scanDoubleShort contrib/hyperscan/src/hwlm/noodle_engine_avx2.c:165:13
    #3 0x5047a7 in scanDoubleMain contrib/hyperscan/src/hwlm/noodle_engine.c:239:14
    #4 0x5047a7 in scanDoubleCase contrib/hyperscan/src/hwlm/noodle_engine.c:341:12
    #5 0x5047a7 in scanDouble contrib/hyperscan/src/hwlm/noodle_engine.c:352:16
    #6 0x5047a7 in scan contrib/hyperscan/src/hwlm/noodle_engine.c:369:16
    #7 0x5047a7 in noodExec contrib/hyperscan/src/hwlm/noodle_engine.c:383:12
    #8 0x4d207f in pureLiteralBlockExec contrib/hyperscan/src/runtime.c:218:5
    #9 0x4d207f in hs_scan contrib/hyperscan/src/runtime.c:422:9
    #10 0x4d0cce in main hyperscan_bugs/empty_string_buffer_overflow.cpp:59:11
    #11 0x7f682e4f3d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #12 0x4243c9 in _start (build_asan/hyperscan_bugs/empty_string_buffer_overflow+0x4243c9)
*/

// Match callback: ignore every match and return 0 so scanning continues.
int on_match(unsigned int id,
             unsigned long long from,
             unsigned long long to,
             unsigned int /* flags */,
             void * context) {
    return 0;
}

int main() {
    hs_database_t *db = nullptr;
    hs_compile_error_t *compile_err = nullptr;
    // Haystack:
    const char* data = "\xb1\xb1\x0a\xb1\xb1\x0a\x0a\x0a\x0a\x0a\x00\x00\x00";
    const size_t size = 13;
    // Patterns:
    const char *expr[] = {
        "",
        "",
    };
    unsigned ids[] = {0, 1};
    size_t lens[] = {0, 0};
    unsigned flags[] = {HS_FLAG_SINGLEMATCH, HS_FLAG_SOM_LEFTMOST};
    hs_error_t err = hs_compile_lit_multi(expr, flags, ids, lens, sizeof(ids)/sizeof(*ids), HS_MODE_BLOCK, nullptr, &db, &compile_err);

    assert(HS_SUCCESS == err);
    assert(db != nullptr);
    hs_scratch_t *scratch = nullptr;
    err = hs_alloc_scratch(db, &scratch);
    assert(HS_SUCCESS == err);
    assert(scratch != nullptr);

    err = hs_scan(db, data, size, 0, scratch, on_match, nullptr);
    assert(HS_SUCCESS == err);

    hs_free_database(db);
    err = hs_free_scratch(scratch);
    assert(HS_SUCCESS == err);
}
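A pre-flight check for literal sets, added here as an illustration and not code from the Hyperscan project or from this issue's reporter: it rejects NULL or zero-length literals before they reach hs_compile_lit_multi, so the pattern set in the reproducer above (two empty literals) is refused at the API boundary instead of reaching the noodle scanner. The function name, the result enum and the bad_index out-parameter are assumptions of this example; lengths are taken from lens[] rather than strlen() because Hyperscan literals may contain NUL bytes.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for the pre-flight check (assumed names, not Hyperscan's). */
enum lit_check_result {
    LIT_OK = 0,
    LIT_ERR_NO_PATTERNS,   /* count == 0 or a NULL array */
    LIT_ERR_NULL_PATTERN,  /* expr[i] == NULL */
    LIT_ERR_EMPTY_PATTERN  /* lens[i] == 0, the case from this issue */
};

/* Validate a literal set in the shape hs_compile_lit_multi expects.
 * Returns LIT_OK when every literal has a non-NULL pointer and a
 * non-zero length; otherwise returns the first problem found and, if
 * bad_index is not NULL, stores the offending element's index there. */
enum lit_check_result check_literals(const char *const *expr,
                                     const size_t *lens,
                                     size_t count,
                                     size_t *bad_index) {
    if (count == 0 || expr == NULL || lens == NULL) {
        return LIT_ERR_NO_PATTERNS;
    }
    for (size_t i = 0; i < count; i++) {
        if (expr[i] == NULL) {
            if (bad_index) *bad_index = i;
            return LIT_ERR_NULL_PATTERN;
        }
        if (lens[i] == 0) {
            if (bad_index) *bad_index = i;
            return LIT_ERR_EMPTY_PATTERN;
        }
    }
    return LIT_OK;
}

int main(void) {
    /* Constructed input: the same two empty literals as the reproducer. */
    const char *expr[] = { "", "" };
    size_t lens[] = { 0, 0 };
    size_t bad = 0;
    enum lit_check_result r = check_literals(expr, lens, 2, &bad);
    if (r != LIT_OK) {
        printf("rejected literal set: code %d at index %zu\n", (int)r, bad);
        return 1;  /* do not call hs_compile_lit_multi with this set */
    }
    return 0;
}
```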
@Nor7th

Nor7th commented Mar 9, 2021

Similar to the fix for #302.

fatchanghao pushed a commit that referenced this issue Apr 21, 2022
@hongyang7

Please refer to latest develop branch.

markos pushed a commit to VectorCamp/vectorscan that referenced this issue Aug 29, 2022
fatchanghao pushed a commit that referenced this issue Feb 15, 2023