
Out of bounds read in onig_strcpy() #17

Closed
hannob opened this issue Aug 21, 2016 · 3 comments

@hannob

commented Aug 21, 2016

Passing a single byte with the value 0xD8 will cause an out-of-bounds read access.
This was found with libFuzzer and AddressSanitizer, tested against the develop branch of oniguruma.

Example code:

#include <oniguruma.h>
int main(void)
{
    regex_t *reg;
    unsigned char inp[1] = { 0xd8 };  /* lone UTF-8 lead byte, no continuation byte follows */

    onig_new(&reg, inp, inp + 1, ONIG_OPTION_DEFAULT,
             ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
    return 0;
}

Address Sanitizer stack trace:

==15218==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea0eeb01 at pc 0x0000004ab6d5 bp 0x7fffea0edd70 sp 0x7fffea0ed520
READ of size 2 at 0x7fffea0eeb01 thread T0
    #0 0x4ab6d4 in __asan_memcpy (/mnt/ram/a.out+0x4ab6d4)
    #1 0x4f55e5 in onig_strcpy /mnt/ram/oniguruma/src/regparse.c:231:5
    #2 0x4f55e5 in onig_node_str_cat /mnt/ram/oniguruma/src/regparse.c:1350
    #3 0x506ee4 in node_new_str /mnt/ram/oniguruma/src/regparse.c:1409:7
    #4 0x506ee4 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4912
    #5 0x505891 in parse_branch /mnt/ram/oniguruma/src/regparse.c:5206:7
    #6 0x50189a in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5243:7
    #7 0x4f8040 in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5288:7
    #8 0x4f8040 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5315
    #9 0x528d41 in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #10 0x551d0f in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #11 0x4f21dc in main /mnt/ram/oob.c:7:5
    #12 0x7fa84b0a978f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x419708 in _start (/mnt/ram/a.out+0x419708)

Address 0x7fffea0eeb01 is located in stack of thread T0 at offset 65 in frame
    #0 0x4f205f in main /mnt/ram/oob.c:3

  This frame has 2 object(s):
    [32, 40) 'reg'
    [64, 65) 'inp' <== Memory access at offset 65 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/mnt/ram/a.out+0x4ab6d4) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10007d415d10: 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 f3 f3
  0x10007d415d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d50: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
=>0x10007d415d60:[01]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15218==ABORTING
@kkos

Owner

commented Aug 22, 2016

Thank you for the report.
I have fixed it in develop branch.

@kkos kkos added the bug label Aug 23, 2016

@hannob

Author

commented Aug 23, 2016

It seems this is not fully fixed; a different input (bytes 0x5c, 0xda) still causes an out-of-bounds read. Test code:

#include <oniguruma.h>
int main(void)
{
    regex_t *reg;
    unsigned char inp[2] = { '\\', 0xd8 };  /* backslash escape followed by a lone UTF-8 lead byte */

    onig_new(&reg, inp, inp + 2, ONIG_OPTION_DEFAULT,
             ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
    return 0;
}

ASAN error:

==29231==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd81832a2 at pc 0x0000004ab6d5 bp 0x7fffd8181ae0 sp 0x7fffd8181290
READ of size 2 at 0x7fffd81832a2 thread T0
    #0 0x4ab6d4 in __asan_memcpy (/mnt/ram/oniguruma/a.out+0x4ab6d4)
    #1 0x4f276c in onig_strcpy /mnt/ram/oniguruma/src/regparse.c:230:5
    #2 0x4f7856 in onig_node_str_cat /mnt/ram/oniguruma/src/regparse.c:1349:7
    #3 0x4f8531 in node_new_str /mnt/ram/oniguruma/src/regparse.c:1408:7
    #4 0x511fe2 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4911:13
    #5 0x51089b in parse_branch /mnt/ram/oniguruma/src/regparse.c:5205:7
    #6 0x50745d in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5242:7
    #7 0x4faf0f in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5287:7
    #8 0x4fa754 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5319:7
    #9 0x53e97f in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #10 0x54ee52 in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #11 0x4f21dc in main (/mnt/ram/oniguruma/a.out+0x4f21dc)
    #12 0x7f540f06678f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x419708 in _start (/mnt/ram/oniguruma/a.out+0x419708)

Address 0x7fffd81832a2 is located in stack of thread T0 at offset 66 in frame
    #0 0x4f205f in main (/mnt/ram/oniguruma/a.out+0x4f205f)

  This frame has 2 object(s):
    [32, 40) 'reg'
    [64, 66) 'inp' <== Memory access at offset 66 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/mnt/ram/oniguruma/a.out+0x4ab6d4) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10007b028600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10007b028650: 00 f2 f2 f2[02]f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007b028660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0286a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29231==ABORTING
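Both reports above share one root cause: 0xD8 is the lead byte of a two-byte UTF-8 sequence, so an encoding table reports a length of 2 for it, and a copy that trusts that length reads one byte past a pattern that ends right after the lead byte (ASan shows the READ of size 2 against a 1- or 2-byte stack object). The following is an added example, not code from this issue or from the oniguruma project; its helper names (utf8_claimed_len, utf8_len_bounded, utf8_sequences_complete, copy_char_bounded) and sample inputs are constructed for illustration and do not mirror oniguruma's internal API. It shows the bounded-length check that keeps such a copy inside the buffer, and a pre-flight validation a caller can run on a pattern before handing it to any compiler that trusts the encoding table.

```c
/* Added example (not from the oniguruma issue or project): a lone UTF-8 lead
   byte at the end of a buffer versus a copy that is bounded by the real end. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length a UTF-8 lead byte claims for its sequence, judged from that byte
   alone (this is what an encoding table typically reports). Returns 0 for a
   byte that cannot start a sequence (continuation byte or invalid lead). */
size_t utf8_claimed_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;   /* 0xD8 lands here */
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Bounded variant: the claimed length clamped to the bytes actually left in
   [p, end). For {0xD8} with end == p + 1 this yields 1, not 2, so a copy of
   this many bytes stays inside the buffer. */
size_t utf8_len_bounded(const unsigned char *p, const unsigned char *end)
{
    size_t avail = (size_t)(end - p);
    size_t n = utf8_claimed_len(*p);
    return n < avail ? n : avail;
}

/* Pre-flight validation for a caller: 1 if every sequence in [buf, buf+len)
   is complete and well formed, 0 otherwise. Rejecting the pattern here,
   before it reaches a parser that trusts the encoding table, removes the
   out-of-bounds read regardless of what the parser does. */
int utf8_sequences_complete(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len;
    while (p < end) {
        size_t n = utf8_claimed_len(*p);
        if (n == 0) return 0;                     /* invalid lead byte */
        if ((size_t)(end - p) < n) return 0;      /* truncated at end of input */
        for (size_t i = 1; i < n; i++)
            if ((p[i] & 0xC0) != 0x80) return 0;  /* missing continuation byte */
        p += n;
    }
    return 1;
}

/* Copy one character from p into dst without reading past end. Returns the
   number of bytes copied, i.e. the bounded length above. */
size_t copy_char_bounded(unsigned char *dst, const unsigned char *p,
                         const unsigned char *end)
{
    size_t n = utf8_len_bounded(p, end);
    memcpy(dst, p, n);
    return n;
}

/* Constructed sample inputs matching the two reports in this issue, plus a
   complete two-byte sequence for comparison. */
const unsigned char SAMPLE_LONE_LEAD[1]    = { 0xD8 };
const unsigned char SAMPLE_ESCAPED_LEAD[2] = { '\\', 0xD8 };
const unsigned char SAMPLE_COMPLETE[2]     = { 0xD8, 0x80 };

int main(void)
{
    printf("claimed length of 0xD8: %zu, bounded length in a 1-byte buffer: %zu\n",
           utf8_claimed_len(0xD8),
           utf8_len_bounded(SAMPLE_LONE_LEAD, SAMPLE_LONE_LEAD + 1));
    printf("complete? {0xD8}: %d  {'\\\\', 0xD8}: %d  {0xD8, 0x80}: %d\n",
           utf8_sequences_complete(SAMPLE_LONE_LEAD, 1),
           utf8_sequences_complete(SAMPLE_ESCAPED_LEAD, 2),
           utf8_sequences_complete(SAMPLE_COMPLETE, 2));
    return 0;
}
```

The validation pass is the cheap defence at an API boundary: a pattern taken from untrusted input is rejected when any sequence is truncated or malformed, so the parser never sees a lead byte whose claimed length exceeds the remaining input. Inside a parser, the bounded length is the right primitive wherever an encoding-table length is used to advance or copy, because the table cannot know where the buffer ends.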
@kkos

Owner

commented Aug 24, 2016

Thanks again.
I have fixed it in develop branch.
(commit: 873ba2d)

@kkos kkos closed this Aug 26, 2016
