Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out of bounds read in mbc_to_code() #16

Closed
hannob opened this Issue Aug 21, 2016 · 3 comments

Comments

Projects
None yet
2 participants
@hannob
Copy link

commented Aug 21, 2016

For certain inputs to the regular expression parser via onig_new() an out of bounds read access will happen. This can be seen by compiling oniguruma with address sanitizer (-fsanitize=address). See code example below.

I found this bug while fuzzing PHP with american fuzzy lop, yet it seems the bug is not in PHP itself, but in it's bundled oniguruma copy. Tested both with the git code and version 5.9.5.

#include <oniguruma.h>
#include <string.h>
int main()
{
    regex_t *reg;
    unsigned char *inp = "0000\xfb";

    onig_new(&reg, inp, inp + strlen(inp), ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

The Address Sanitizer stack trace:

==11030==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000044ad86 at pc 0x4433f3 bp 0x7fff0e435ba0 sp 0x7fff0e435b98
READ of size 1 at 0x00000044ad86 thread T0
    #0 0x4433f2 in mbc_to_code /mnt/ram/oniguruma/src/utf8.c:105
    #1 0x41063c in fetch_token /mnt/ram/oniguruma/src/regparse.c:3039
    #2 0x41d161 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4905
    #3 0x41ebd7 in parse_branch /mnt/ram/oniguruma/src/regparse.c:5195
    #4 0x41efc6 in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5232
    #5 0x41f375 in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5277
    #6 0x41f7c1 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5304
    #7 0x43c593 in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5263
    #8 0x43d54a in onig_new /mnt/ram/oniguruma/src/regcomp.c:5500
    #9 0x40113f in main /tmp/oniguruma-heap-oob-mbc_to_code.c:8
    #10 0x7f7379eea78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x400f08 in _start (/tmp/a.out+0x400f08)

0x00000044ad86 is located 0 bytes to the right of global variable '*.LC1' from 'oniguruma-heap-oob-mbc_to_code.c' (0x44ad80) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/oniguruma/src/utf8.c:105 mbc_to_code
Shadow bytes around the buggy address:
  0x000080081560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800815b0:[06]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800815c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11030==ABORTING
@kkos

This comment has been minimized.

Copy link
Owner

commented Aug 21, 2016

Thank you for the report.
I have fixed it in develop branch.

@kkos kkos closed this Aug 22, 2016

@kkos kkos added the bug label Aug 23, 2016

@hannob

This comment has been minimized.

Copy link
Author

commented Aug 24, 2016

This fix also seems incomplete. Passing bytes 0xfb, 0x0a still triggers an out of bounds in the same code line:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char inp[2] = { 0xfb, 0x0a };

    onig_new(&reg, inp, inp + 2, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

kkos pushed a commit that referenced this issue Aug 24, 2016

@kkos kkos reopened this Aug 24, 2016

@kkos

This comment has been minimized.

Copy link
Owner

commented Aug 24, 2016

Thanks again.
I have fixed it in develop branch.

@kkos kkos closed this Aug 26, 2016

staabm referenced this issue in php/php-src Sep 2, 2016

Fix bug #72910
Merge upstream patch from kkos/oniguruma@65bdf2a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.