
out of bounds heap read in add_bytes / regcomp.c #19

Closed
hannob opened this Issue Aug 24, 2016 · 1 comment

hannob commented Aug 24, 2016

Passing a sequence of 19 bytes followed by 0xfd causes an out of bounds heap read. Tested against latest develop branch, found with libfuzzer+asan.

Test code:

#include <oniguruma.h>

int main(void)
{
    regex_t *reg;
    /* 19 ASCII bytes followed by 0xfd, which is not a valid UTF-8 lead byte */
    unsigned char inp[20] = {
        '0','0','0','0','0','0','0','0',
        '0','0','0','0','0','0','0','0',
        '0','0','0',0xfd };

    /* compile the 20-byte pattern as UTF-8; ASan reports the overflow inside onig_compile */
    onig_new(&reg, inp, inp + 20, ONIG_OPTION_DEFAULT,
             ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
    return 0;
}

ASan error:

==18957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000eff8 at pc 0x0000004ab6d5 bp 0x7ffd83e081e0 sp 0x7ffd83e07990
READ of size 6 at 0x60600000eff8 thread T0
    #0 0x4ab6d4 in __asan_memcpy (/mnt/ram/oniguruma/a.out+0x4ab6d4)
    #1 0x582be1 in add_bytes /mnt/ram/oniguruma/src/regcomp.c:284:3
    #2 0x58263c in add_compile_string /mnt/ram/oniguruma/src/regcomp.c:452:3
    #3 0x5757ad in compile_string_node /mnt/ram/oniguruma/src/regcomp.c:541:10
    #4 0x54b3ca in compile_tree /mnt/ram/oniguruma/src/regcomp.c:1628:11
    #5 0x53f779 in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5369:7
    #6 0x54e9c2 in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #7 0x4f21b9 in main (/mnt/ram/oniguruma/a.out+0x4f21b9)
    #8 0x7f346c7d378f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x419708 in _start (/mnt/ram/oniguruma/a.out+0x419708)

0x60600000eff8 is located 0 bytes to the right of 56-byte region [0x60600000efc0,0x60600000eff8)
allocated by thread T0 here:
    #0 0x4c1628 in __interceptor_malloc (/mnt/ram/oniguruma/a.out+0x4c1628)
    #1 0x4f6afa in node_new /mnt/ram/oniguruma/src/regparse.c:1088:18
    #2 0x4f82ee in node_new_str /mnt/ram/oniguruma/src/regparse.c:1416:16
    #3 0x511e42 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4927:13
    #4 0x5106fb in parse_branch /mnt/ram/oniguruma/src/regparse.c:5221:7
    #5 0x5072bd in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5258:7
    #6 0x4faebf in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5303:7
    #7 0x4fa704 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5339:7
    #8 0x53e4ef in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #9 0x54e9c2 in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #10 0x4f21b9 in main (/mnt/ram/oniguruma/a.out+0x4f21b9)
    #11 0x7f346c7d378f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/ram/oniguruma/a.out+0x4ab6d4) in __asan_memcpy
Shadow bytes around the buggy address:
==18957==ABORTING
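The READ of size 6 at the last byte of the pattern is consistent with the encoder treating 0xfd as the lead byte of a 6-byte sequence while only one byte of the pattern remains, so the string-node copy runs past the end of the buffer. A pre-check a caller can run on untrusted patterns before onig_new(), added here as an example and not Oniguruma's own code: it walks the pattern by lead-byte length and reports how far the trailing sequence claims to extend beyond the end. Assumed: the legacy lead-byte table with 5- and 6-byte forms for 0xf8..0xfd, and the helper names.

```c
#include <stddef.h>
#include <stdio.h>

/* Expected byte length of a UTF-8 sequence from its lead byte, using the
 * permissive legacy table (5-byte forms 0xf8..0xfb, 6-byte forms 0xfc..0xfd)
 * that older decoders accepted. 0xfe/0xff and continuation bytes in lead
 * position count as 1 so the scan always advances. (Assumed table.) */
static size_t utf8_lead_len(unsigned char c)
{
    if (c < 0xc0) return 1;   /* ASCII, or a stray continuation byte */
    if (c < 0xe0) return 2;
    if (c < 0xf0) return 3;
    if (c < 0xf8) return 4;
    if (c < 0xfc) return 5;   /* legacy 5-byte form */
    if (c < 0xfe) return 6;   /* legacy 6-byte form: 0xfc, 0xfd */
    return 1;
}

/* Returns how many bytes the final sequence claims beyond the end of the
 * buffer (0 means every sequence is complete). A non-zero result is the
 * signal to reject the pattern before it reaches the compiler. */
size_t utf8_truncated_tail(const unsigned char *p, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_lead_len(p[i]);
        if (i + n > len)
            return i + n - len;
        i += n;
    }
    return 0;
}

/* Constructed input: the 20-byte pattern from the report, 19 x '0' then 0xfd. */
size_t report_input_tail(void)
{
    unsigned char inp[20];
    for (size_t i = 0; i < 19; i++) inp[i] = '0';
    inp[19] = 0xfd;
    return utf8_truncated_tail(inp, sizeof inp);
}

int main(void)
{
    size_t missing = report_input_tail();
    printf("pattern ends %zu byte(s) short of a complete sequence\n", missing);
    return missing ? 1 : 0;
}
```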

@kkos kkos added the bug label Aug 25, 2016


kkos commented Aug 25, 2016

Thank you for the report.
I have fixed it in develop branch.

@kkos kkos closed this Aug 26, 2016
