
use after free for regexp ()(?!(?'a')\1) #29

Closed

hannob opened this issue Oct 15, 2016 · 1 comment · 2 participants

@hannob commented Oct 15, 2016

Example code:

#include <oniguruma.h>

int main() {
    regex_t *reg;
    /* Pattern ()(?!(?'a')\1): 14 bytes, so the end pointer is inp + 14 */
    const OnigUChar* inp = (const OnigUChar*)"()(?!(?'a')\\1)";
    /* onig_new returns ONIG_NORMAL (0) on success; the use after free
       is triggered inside the compile step, before the regex is used */
    if (onig_new
        (&reg, inp, inp+14, ONIG_OPTION_DEFAULT, ONIG_ENCODING_UTF8,
         ONIG_SYNTAX_DEFAULT, 0) == 0)
        onig_free(reg);
    return 0;
}

Compiling with ASan will show a use-after-free error, see below. Latest develop branch, found with libFuzzer.

ASan error:

==11794==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000efc4 at pc 0x00000052f459 bp 0x7ffd5bb5a110 sp 0x7ffd5bb5a108
READ of size 4 at 0x60600000efc4 thread T0
    #0 0x52f458 in setup_tree /mnt/ram/oniguruma-develop-afl/src/regcomp.c:3731:9
    #1 0x52ade9 in setup_tree /mnt/ram/oniguruma-develop-afl/src/regcomp.c:3682:13
    #2 0x52e0e1 in setup_tree /mnt/ram/oniguruma-develop-afl/src/regcomp.c:3863:13
    #3 0x52ade9 in setup_tree /mnt/ram/oniguruma-develop-afl/src/regcomp.c:3682:13
    #4 0x5224ad in onig_compile /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5318:7
    #5 0x547d38 in onig_new /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5522:7
    #6 0x4f55a0 in main /mnt/ram/oniguruma-develop-afl/uaf.c:5:9
    #7 0x7f21b6f336ff in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x419df8 in _start (/mnt/ram/oniguruma-develop-afl/a.out+0x419df8)

0x60600000efc4 is located 4 bytes inside of 56-byte region [0x60600000efc0,0x60600000eff8)
freed by thread T0 here:
    #0 0x4c1a10 in __interceptor_free (/mnt/ram/oniguruma-develop-afl/a.out+0x4c1a10)
    #1 0x4f7992 in onig_node_free /mnt/ram/oniguruma-develop-afl/src/regparse.c:1071:3
    #2 0x522165 in onig_compile /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5292:11
    #3 0x547d38 in onig_new /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5522:7
    #4 0x0  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x4c1d18 in __interceptor_malloc (/mnt/ram/oniguruma-develop-afl/a.out+0x4c1d18)
    #1 0x507101 in node_new /mnt/ram/oniguruma-develop-afl/src/regparse.c:1079:18
    #2 0x507101 in node_new_enclose /mnt/ram/oniguruma-develop-afl/src/regparse.c:1288
    #3 0x507101 in node_new_enclose_memory /mnt/ram/oniguruma-develop-afl/src/regparse.c:1311
    #4 0x507101 in parse_enclose /mnt/ram/oniguruma-develop-afl/src/regparse.c:4652
    #5 0x507101 in parse_exp /mnt/ram/oniguruma-develop-afl/src/regparse.c:4915
    #6 0x50625f in parse_branch /mnt/ram/oniguruma-develop-afl/src/regparse.c:5241:7
    #7 0x5034a2 in parse_subexp /mnt/ram/oniguruma-develop-afl/src/regparse.c:5284:7
    #8 0x4fa1f8 in parse_regexp /mnt/ram/oniguruma-develop-afl/src/regparse.c:5331:7
    #9 0x4fa1f8 in onig_parse_make_tree /mnt/ram/oniguruma-develop-afl/src/regparse.c:5362
    #10 0x521fd2 in onig_compile /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5283:7
    #11 0x547d38 in onig_new /mnt/ram/oniguruma-develop-afl/src/regcomp.c:5522:7
    #12 0x0  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /mnt/ram/oniguruma-develop-afl/src/regcomp.c:3731:9 in setup_tree
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9db0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9dc0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00 00 fa fa fa fa fa[fd]fd fd fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11794==ABORTING
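The trace above shows the shape of the bug without explaining it: a node allocated during parsing is freed by onig_node_free from inside onig_compile, and the later setup_tree walk reads a 4-byte field through a pointer that still holds that node's address. The following is an added example, not Oniguruma's code and not a claim about the actual root cause in regcomp.c: a toy regex AST with a hypothetical capture-pruning pass that frees group nodes while a backreference node still points at them, next to a hardened variant that refuses to free a node that is still referenced. All node, pass and function names are assumptions, and the input tree is constructed by hand to mirror the reported pattern.

```c
/* Added example, not Oniguruma's code: one pass frees AST nodes, a later
 * walk dereferences a stale pointer. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum node_type { N_EMPTY, N_SEQ, N_GROUP, N_NEG_LOOKAHEAD, N_BACKREF };

typedef struct node {
    enum node_type type;
    int group_num;          /* N_GROUP: capture number */
    struct node *target;    /* N_BACKREF: non-owning pointer to its group */
    struct node *kids[2];   /* owned children (at most two in this toy) */
    int nkids;
} node;

static node *mk(enum node_type t, node *a, node *b)
{
    node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->type = t;
    if (a) n->kids[n->nkids++] = a;
    if (b) n->kids[n->nkids++] = b;
    return n;
}

static void free_tree(node *n)
{
    if (!n) return;
    for (int i = 0; i < n->nkids; i++) free_tree(n->kids[i]);
    free(n);                /* target pointers are not owned, not freed here */
}

/* Does any backref under root still point at target? */
static int referenced(const node *root, const node *target)
{
    if (!root) return 0;
    if (root->type == N_BACKREF && root->target == target) return 1;
    for (int i = 0; i < root->nkids; i++)
        if (referenced(root->kids[i], target)) return 1;
    return 0;
}

/* Hypothetical optimisation: a capture inside a negative lookahead cannot be
 * read after the match, so unwrap the group and free its node. With
 * check_refs == 0 a backref may still point at the freed node (the bug
 * pattern); with check_refs == 1 referenced groups are kept alive. */
static int prune_captures(node *root, node *n, int inside_neg, int check_refs)
{
    int freed = 0;
    if (!n) return 0;
    if (n->type == N_NEG_LOOKAHEAD) inside_neg = 1;
    for (int i = 0; i < n->nkids; i++) {
        node *k = n->kids[i];
        if (inside_neg && k && k->type == N_GROUP &&
            !(check_refs && referenced(root, k))) {
            n->kids[i] = k->nkids ? k->kids[0] : NULL;  /* keep the body */
            k->nkids = 0;
            free(k);        /* any backref->target aimed here now dangles */
            freed++;
        }
        freed += prune_captures(root, n->kids[i], inside_neg, check_refs);
    }
    return freed;
}

/* Later pass: reads a 4-byte field through every backref's target pointer,
 * the kind of read the ASan report flags in setup_tree. */
static int setup_tree(const node *n)
{
    int sum = 0;
    if (!n) return 0;
    if (n->type == N_BACKREF) sum += n->target->group_num;
    for (int i = 0; i < n->nkids; i++) sum += setup_tree(n->kids[i]);
    return sum;
}

/* Constructed input shaped like ()(?!(?'a')\1): an empty outer node, then a
 * negative lookahead holding group 1 and (optionally) a backref to it. The
 * toy's group numbering is its own, not Oniguruma's. */
static node *build_repro(int with_backref)
{
    node *g = mk(N_GROUP, NULL, NULL), *body = g;
    g->group_num = 1;
    if (with_backref) {
        node *br = mk(N_BACKREF, NULL, NULL);
        br->target = g;
        body = mk(N_SEQ, g, br);
    }
    return mk(N_SEQ, mk(N_EMPTY, NULL, NULL), mk(N_NEG_LOOKAHEAD, body, NULL));
}

/* Runs prune then setup. check_refs == 0 with a backref reproduces the
 * dangling read (run under -fsanitize=address); check_refs == 1 is safe. */
static int compile_repro(int check_refs, int with_backref, int *freed_out)
{
    node *root = build_repro(with_backref);
    int freed = prune_captures(root, root, 0, check_refs);
    int result = setup_tree(root);
    free_tree(root);
    if (freed_out) *freed_out = freed;
    return result;
}

static int pruned_count(int check_refs, int with_backref)
{
    int freed = 0;
    compile_repro(check_refs, with_backref, &freed);
    return freed;
}

int main(int argc, char **argv)
{
    int check_refs = !(argc > 1 && strcmp(argv[1], "vulnerable") == 0);
    int freed = 0, r = compile_repro(check_refs, 1, &freed);
    printf("check_refs=%d freed=%d setup_result=%d\n", check_refs, freed, r);
    return 0;
}
```

Build with `clang -g -fsanitize=address example.c` and run `./a.out vulnerable` to see ASan report a heap-use-after-free on the read in the toy setup_tree; without the argument the hardened pass keeps the referenced group and the read is valid. The hardened variant still prunes a group that nothing references, which is what the second assertion below checks.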

@kkos kkos added the bug label Oct 16, 2016

@kkos (Owner) commented Oct 16, 2016

Thank you.
I have fixed it in develop branch.
