PCRE2Project / pcre2

PCRE2 development is now based here.

AddressSanitizer: heap-buffer-overflow #275

Closed tokatoka closed 1 year ago

tokatoka commented 1 year ago

Hi, I encountered a heap overflow on latest pcre2

==3240442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b600 at pc 0x55555558efa2 bp 0x7fffffffdd30 sp 0x7fffffffd4f0
WRITE of size 1056 at 0x62a00000b600 thread T0
[Attaching after Thread 0x7ffff7c6e040 (LWP 3240442) fork to child process 3240443]

To reproduce,

  1. Set env var
    export CC=clang
    export CXX=clang++
    export CFLAGS='-fsanitize=address'
    export CXXFLAGS='-fsanitize=address'
  2. Build pcre2
    ./configure
    make -j$(nproc)
  3. Build fuzz support
    clang -DSTAND_ALONE=1 -fsanitize=address -o ./fuzz ./src/pcre2_fuzzsupport.c ./.libs/libpcre2-8.a
  4. Prepare the crashing input
    echo "(*LIMIT_HEAP=21)()((?))()()()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()" > ./crash2
  5. Run it
    
    toka@tokavm:~/pcre2$ ./fuzz ./crash2
    ------ ./crash2 ------
    Length = 145
    Compile options 807de3b2 never_backslash_c,alt_bsux,alt_circumflex,alt_verbnames,anchored,dollar_endonly,dotall,extended,firstline,match_unset_backref,no_auto_capture,no_auto_possess,no_dotstar_anchor,no_start_optimize,ungreedy,utf
    Match options 80002032,anchored,no_jit,noteol,partial_hard,partial_soft
    Match returned 1
    Match options 00000000
    Match returned 1
    DFA match options 80000032,anchored,noteol,partial_hard,partial_soft
    Match failed: error -43: workspace size exceeded in DFA matching
    DFA match options 00000000
    Match failed: error -43: workspace size exceeded in DFA matching
    Compile options 00100000 never_backslash_c
    Match options 80002032,anchored,no_jit,noteol,partial_hard,partial_soft
    =================================================================
    ==3240454==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b600 at pc 0x5574f8fa6fa2 bp 0x7ffea71e1c50 sp 0x7ffea71e1410
    WRITE of size 1056 at 0x62a00000b600 thread T0
    #0 0x5574f8fa6fa1 in __interceptor_memcpy (/home/toka/pcre2/fuzz+0x3afa1) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
    #1 0x5574f90795dc in pcre2_match_8 (/home/toka/pcre2/fuzz+0x10d5dc) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
    #2 0x5574f9060732 in LLVMFuzzerTestOneInput (/home/toka/pcre2/fuzz+0xf4732) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
    #3 0x5574f9061563 in main (/home/toka/pcre2/fuzz+0xf5563) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
    #4 0x7f73d8442d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f73d8442e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5574f8f8b364 in _start (/home/toka/pcre2/fuzz+0x1f364) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)

0x62a00000b600 is located 0 bytes after 21504-byte region [0x62a000006200,0x62a00000b600)
allocated by thread T0 here:
    #0 0x5574f902518e in __interceptor_malloc (/home/toka/pcre2/fuzz+0xb918e) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
    #1 0x5574f907c9a2 in pcre2_match_8 (/home/toka/pcre2/fuzz+0x1109a2) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/toka/pcre2/fuzz+0x3afa1) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x62a00000b380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62a00000b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62a00000b480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62a00000b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62a00000b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62a00000b600:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62a00000b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62a00000b700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62a00000b780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62a00000b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62a00000b880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3240454==ABORTING


It's also reproducible with pcre2grep.

toka@tokavm:~/pcre2$ echo a > input
toka@tokavm:~/pcre2$ ./pcre2grep "(*LIMIT_HEAP=21)()((?))()()()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()" ./input
pcre2grep: pcre2_match() gave error -63 while matching this text:

a

double free or corruption (out)
Aborted (core dumped)
toka@tokavm:~/pcre2$
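The report above is the kind of artefact a fuzzing pipeline has to triage by the hundred, so here is a small parser for it, written as an added example for this thread; it is neither the reporter's code nor part of PCRE2. It pulls the error kind, the faulting access, the heap region the access ran past and the stack frames out of an AddressSanitizer report, then computes how many bytes the access overran the region by (here, the full 1056-byte memcpy lands past the end of the 21504-byte block) and builds a crash signature that skips the sanitizer's own interceptor frames so that duplicates with the same user-level stack collapse together. The embedded report is constructed from the frames quoted in this issue, with the shadow-byte dump and the libc/_start frames left out; the function and field names are this example's own.

```python
"""Triage helper for AddressSanitizer reports (added example, not PCRE2 code).

Parses one ASan report into a structured record and derives two things a
fuzzing triage pipeline needs: the number of bytes the access ran past its
heap region, and a stable signature for deduplicating crashes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the report quoted in the issue above, with the
# shadow-byte dump and the libc/_start frames omitted (no triage value).
SAMPLE_REPORT = """\
==3240454==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b600 at pc 0x5574f8fa6fa2 bp 0x7ffea71e1c50 sp 0x7ffea71e1410
WRITE of size 1056 at 0x62a00000b600 thread T0
    #0 0x5574f8fa6fa1 in __interceptor_memcpy (/home/toka/pcre2/fuzz+0x3afa1)
    #1 0x5574f90795dc in pcre2_match_8 (/home/toka/pcre2/fuzz+0x10d5dc)
    #2 0x5574f9060732 in LLVMFuzzerTestOneInput (/home/toka/pcre2/fuzz+0xf4732)
    #3 0x5574f9061563 in main (/home/toka/pcre2/fuzz+0xf5563)
0x62a00000b600 is located 0 bytes after 21504-byte region [0x62a000006200,0x62a00000b600)
allocated by thread T0 here:
    #0 0x5574f902518e in __interceptor_malloc (/home/toka/pcre2/fuzz+0xb918e)
    #1 0x5574f907c9a2 in pcre2_match_8 (/home/toka/pcre2/fuzz+0x1109a2)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/toka/pcre2/fuzz+0x3afa1) in __interceptor_memcpy
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"located (?P<off>\d+) bytes (?P<rel>.+?) (?P<rsize>\d+)-byte region "
                       r"\[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>\S+)")
# Sanitizer-internal frames that sit on top of the real faulting call site.
INTERNAL_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")


@dataclass
class AsanReport:
    kind: str = ""            # e.g. heap-buffer-overflow
    op: str = ""              # READ or WRITE
    size: int = 0             # bytes accessed
    addr: int = 0             # faulting address
    region_start: int = 0
    region_end: int = 0       # exclusive, as ASan prints it
    region_size: int = 0
    region_rel: str = ""      # "after", "before", "inside of", ...
    frames: List[str] = field(default_factory=list)        # faulting access
    alloc_frames: List[str] = field(default_factory=list)  # where the region was allocated
    free_frames: List[str] = field(default_factory=list)   # where it was freed, if at all


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report. Frame lines are attributed to whichever section
    (access / allocation / free) the most recent non-frame line opened."""
    rep = AsanReport()
    target: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FRAME_RE.match(line)):
            if target is not None:
                target.append(m.group("func"))
            continue
        if (m := HEADER_RE.search(line)):
            rep.kind, rep.addr = m.group("kind"), int(m.group("addr"), 16)
            target = None
        elif (m := ACCESS_RE.match(line)):
            rep.op, rep.size = m.group("op"), int(m.group("size"))
            target = rep.frames
        elif (m := REGION_RE.search(line)):
            rep.region_rel = m.group("rel")
            rep.region_size = int(m.group("rsize"))
            rep.region_start = int(m.group("start"), 16)
            rep.region_end = int(m.group("end"), 16)
            # Some extractions glue "allocated by ... here:" onto this line.
            target = rep.alloc_frames if "allocated by" in line else None
        elif line.startswith("allocated by"):
            target = rep.alloc_frames
        elif line.startswith("freed by"):
            target = rep.free_frames
        else:
            target = None  # SUMMARY, shadow dump, legend, ABORTING
    return rep


def bytes_past_region(rep: AsanReport) -> int:
    """Bytes of the access that lie beyond the end of the region (0 if none)."""
    return max(0, rep.addr + rep.size - rep.region_end)


def bytes_before_region(rep: AsanReport) -> int:
    """Bytes of the access that lie before the start of the region (underflow)."""
    return max(0, rep.region_start - rep.addr)


def crash_signature(rep: AsanReport, depth: int = 3) -> str:
    """Stable dedup key: error kind, access type, and the top user-level frames."""
    user_frames = [f for f in rep.frames if not f.startswith(INTERNAL_PREFIXES)]
    return "/".join([rep.kind, rep.op, *user_frames[:depth]])


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r.kind}: {r.op} of {r.size} bytes, {bytes_past_region(r)} past the end of a "
          f"{r.region_size}-byte region allocated in {r.alloc_frames[-1]}")
    print("signature:", crash_signature(r))
```

The signature deliberately drops `__interceptor_memcpy`: the same pcre2_match_8 overflow reached through memcpy, memmove or an inlined copy would otherwise be filed as three distinct crashes. `bytes_past_region` is what tells you the access is entirely outside the block (1056 of 1056 bytes here), which is a stronger finding than a one-byte off-by-one.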

PhilipHazel commented 1 year ago

This is fixed in 803a64f. Thanks for the report.