OS_Regex / Analysisd segmentation fault hazard #14249
Labels: feed/rules (Rules related issues), module/analysis (Issues related to the Analysis daemon), regex (Issue related to regular expressions), team/core, type/bug/crash, type/bug (Something isn't working)
While working on Issue #13933, a segmentation fault hazard was found in the OS Regex code. Under specific conditions, a pointer may be decreased beyond its memory starting point, which drives the code to read outside of the pointer's memory segment.
Conditions to reproduce
This behavior occurs when an expression with the * modifier is used (i.e. \w*) and the expression does not match the log. For example:
Test Configuration
Regex: \d*
Log: abcdefg
OSRegex_Execute_ex() return value:
- abcdefg (Pointer to the first character of the string)
- Xabcdefg (Pointer to a byte before the first character of the string) (where X can be any character)
Description
The OSRegex_Execute_ex() function's return value should be either a pointer to the last matched character in the log (in case the regex fully matched the log) or null in case the regex didn't match. In the test case, the return value points to one position before the log starts, as can be seen in the following screenshot:
The log starts at 0x602000001e50, while the match returns 1 byte before: 0x602000001e4f
This test has the particularity that the regex is a single token with an optional quantifier (zero or more occurrences), which causes the regex to match even though no specific character is matched. As can be seen when inspecting the match_retval variable, it is pointing to one character before the actual log starts.
This hazard is produced in the following code lines, where no verification is made before decreasing the st pointer:
wazuh/src/os_regex/os_regex_execute.c, lines 381 to 393 in 2a2b88b
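The pattern described above, as an added example that is not part of the original issue and is not Wazuh's code: a hypothetical single-token \d* matcher that decrements its st pointer without verification, beside a version with the check. All function names are assumptions, the sample log is constructed, and returning the log start for an empty match is an assumed behavior rather than the project's fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a "\d*" token matcher (not Wazuh's code).
 * Meant to return a pointer to the last matched character of `log`. */
static const char *match_digits_star_unchecked(const char *log)
{
    const char *st = log;
    while (isdigit((unsigned char)*st))
        st++;                    /* consume zero or more digits */
    return st - 1;               /* hazard: with zero digits this is log - 1 */
}

/* Same matcher with the verification made before decreasing st. */
static const char *match_digits_star_checked(const char *log)
{
    const char *st = log;
    while (isdigit((unsigned char)*st))
        st++;
    if (st == log)               /* empty match: never step before the start */
        return log;              /* assumed behavior for a zero-length match */
    return st - 1;
}

/* Constructed sample: the log sits at offset 1 of a larger array, so the
 * byte "before the log" can be inspected without leaving the object. */
static const char backing[] = "Xabcdefg";
static const char *sample_log(void) { return backing + 1; }

/* Position of a result relative to the log start (-1 = one byte before). */
static ptrdiff_t offset_from_log(const char *ret, const char *log)
{
    return ret - log;
}

int main(void)
{
    const char *log = sample_log();
    printf("unchecked: offset %td\n",
           offset_from_log(match_digits_star_unchecked(log), log));
    printf("checked:   offset %td\n",
           offset_from_log(match_digits_star_checked(log), log));
    return 0;
}
```

In a real heap allocation the byte at offset -1 belongs to no object the caller owns, which is why the issue's return value sits one byte below the log's start address.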