PCRE2Project / pcre2


Heap-Buffer-Overflow in pcre2(src/pcre2test.c:5831:5 in process_pattern ) #236

Closed longuu9 closed 1 year ago

longuu9 commented 1 year ago

We found a heap-buffer-overflow in pcre2-10.43-DEV (src/pcre2test.c:5831:5 in process_pattern), which can also be reproduced on pcre2-10.42.

Command Input

pcre2test -d poc_file /dev/null

poc_file is attached.

Sanitizer Dump

==765324==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8ddf890540 at pc 0x000000496a1a bp 0x7ffdf73d57d0 sp 0x7ffdf73d4f98
WRITE of size 262153 at 0x7f8ddf890540 thread T0
    #0 0x496a19 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x4f61e2 in process_pattern /root/target/Invariants/pcre2/src/pcre2test.c:5831:5
    #2 0x4cf4a7 in main /root/target/Invariants/pcre2/src/pcre2test.c:9488:10
    #3 0x7f8de26b7082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c35d in _start (/root/target/Invariants/pcre2/pcre2test+0x41c35d)

0x7f8ddf890540 is located 0 bytes to the right of 200000-byte region [0x7f8ddf85f800,0x7f8ddf890540)
allocated by thread T0 here:
    #0 0x4975bd in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4fbaac in expand_input_buffers /root/target/Invariants/pcre2/src/pcre2test.c:3424:36
    #2 0x4f372c in process_pattern /root/target/Invariants/pcre2/src/pcre2test.c:5469:7
    #3 0x4cf4a7 in main /root/target/Invariants/pcre2/src/pcre2test.c:9488:10
    #4 0x7f8de26b7082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ff23bf0a050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff23bf0a060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff23bf0a070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff23bf0a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff23bf0a090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff23bf0a0a0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0ff23bf0a0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff23bf0a0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff23bf0a0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff23bf0a0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff23bf0a0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==765324==ABORTING

Environment

We built pcre2 with AddressSanitizer (ASAN).

./configure CC=clang CXX=clang++ CFLAGS='-g -O0 -fsanitize=address' CXXFLAGS='-g -O0 -fsanitize=address' --disable-shared

pcre2-10.43-DEV configuration summary:

    Install prefix ..................... : /usr/local
    C preprocessor ..................... : clang -E
    C compiler ......................... : clang
    Linker ............................. : /usr/bin/ld -m elf_x86_64
    C preprocessor flags ............... : 
    C compiler flags ................... : -g -O0 -fsanitize=address -fvisibility=hidden
    Linker flags ....................... : 
    Extra libraries .................... : 

poc_file.zip

zherczeg commented 1 year ago

Please don't spam the project. It takes a lot of effort to investigate even one report, especially if the poc is vague. If nothing more, create a minimal test case.

Btw issues in the pcre2test program and invalid utf when valid utf is expected are ignored. Most of the reports we receive belong to these categories.

longuu9 commented 1 year ago

min_poc_file.zip

zherczeg commented 1 year ago

Thanks. This is another issue in pcre2test. The expanding writes too much data.

#pattern convert=
/\[()]{65535}/expand

It can be fixed, but we do not fix bugs in the test system in general, since it takes time and provides zero advantage, since the test system is not used for production.

PhilipHazel commented 1 year ago

Thanks; I was already looking at 236 yesterday and had come to the same conclusion (then I ran out of time). I may fix it if it is easy, but I entirely agree that bugs in pcre2test are of low priority.

PhilipHazel commented 1 year ago

I have fixed this issue by giving an error and abandoning the test if a pattern conversion results in a string that is too long.
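The class of bug discussed in this thread (an expansion pass that memcpy's into a fixed-size buffer without first checking that the expanded string fits) and the kind of length check the final comment describes, shown as an added C example. This is not pcre2test's code: `expand_pattern` is a hypothetical, simplified expander (only `{n}` after a single, possibly backslash-escaped, character or a parenthesised group, with the parentheses kept in the output), it does not model pcre2test's real grammar or reproduce the reported crash, and the buffer size of 64 in `main` is a constructed sample. What it demonstrates is refusing the conversion, instead of copying, whenever the result would exceed the buffer's capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32  /* nesting limit for the group-position stack (assumption) */

/* Added example, not pcre2test's own code. A simplified "expand" pass:
 * a `{n}` that directly follows a single (possibly backslash-escaped)
 * character or a parenthesised group is replaced by n copies of that
 * item. Returns the expanded length on success, or -1 when the result
 * would not fit in `cap` bytes (including the terminating NUL) or the
 * input is malformed. Nothing is ever written past out[cap - 1]. */
long expand_pattern(const char *in, char *out, size_t cap)
{
    size_t len = 0;                 /* bytes emitted into out so far */
    size_t item_start = 0;          /* start in out of the last complete item */
    size_t group_start[MAX_DEPTH];  /* stack of '(' positions in out */
    int depth = 0;
    int have_item = 0;              /* is there an item a {n} could apply to? */

    if (cap == 0) return -1;

    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];

        if (c == '{' && have_item) {
            /* Parse {n}; anything else after '{' is treated as malformed. */
            size_t n = 0, j = i + 1;
            if (in[j] < '0' || in[j] > '9') return -1;
            for (; in[j] >= '0' && in[j] <= '9'; j++) {
                if (n > (SIZE_MAX - (size_t)(in[j] - '0')) / 10) return -1; /* count would wrap */
                n = n * 10 + (size_t)(in[j] - '0');
            }
            if (in[j] != '}') return -1;
            i = j; /* the loop's i++ then steps past the '}' */

            size_t item_len = len - item_start;
            if (n == 0) { len = item_start; have_item = 0; continue; } /* {0} drops the item */

            /* The check the reported bug lacked: n-1 further copies must fit
             * in the remaining space. Division keeps the product from wrapping. */
            if (item_len > 0 && n - 1 > (cap - 1 - len) / item_len) return -1;
            for (size_t k = 1; k < n; k++) {
                memcpy(out + len, out + item_start, item_len);
                len += item_len;
            }
            have_item = 0; /* a quantifier cannot itself be quantified */
            continue;
        }

        if (len >= cap - 1) return -1; /* room for this byte plus the NUL */

        if (c == '(') {
            if (depth == MAX_DEPTH) return -1;
            group_start[depth++] = len;
            out[len++] = c;
            have_item = 0;
            continue;
        }
        if (c == ')') {
            if (depth == 0) return -1;
            item_start = group_start[--depth]; /* the whole group is the item */
            out[len++] = c;
            have_item = 1;
            continue;
        }
        item_start = len;
        out[len++] = c;
        if (c == '\\') {                       /* escape: the pair is one item */
            if (in[i + 1] == '\0') return -1;
            if (len >= cap - 1) return -1;
            out[len++] = in[++i];
        }
        have_item = 1;
    }
    if (depth != 0) return -1; /* unbalanced parentheses */
    out[len] = '\0';
    return (long)len;
}

int main(void)
{
    char buf[64]; /* constructed sample: a deliberately small output buffer */
    long n = expand_pattern("x{65535}", buf, sizeof buf);
    printf("expanded length: %ld\n", n); /* -1: too long, the test is abandoned */
    return 0;
}
```

The important property is that the capacity check happens before any copy, so a pattern whose expansion is larger than the buffer produces an error return rather than an out-of-bounds write; the caller then reports the error and skips the test, which is the behaviour the fix describes.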