Date: Sat, 4 Nov 2017 14:45:36 +0000 (UTC) From: "Pedro F. Giffuni" <pfg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r325394 - stable/10/lib/libc/regex Message-ID: <201711041445.vA4Eja3h001453@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pfg Date: Sat Nov 4 14:45:36 2017 New Revision: 325394 URL: https://svnweb.freebsd.org/changeset/base/325394 Log: MFC r325066: Fix out-of-bounds read in libc/regex. The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds. Checking the length using strlen() instead eliminates the issue. The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380 Obtained from: Vlad Tsyrklevich through posting on openbsd-tech Modified: stable/10/lib/libc/regex/regcomp.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libc/regex/regcomp.c ============================================================================== --- stable/10/lib/libc/regex/regcomp.c Sat Nov 4 14:44:07 2017 (r325393) +++ stable/10/lib/libc/regex/regcomp.c Sat Nov 4 14:45:36 2017 (r325394) @@ -922,7 +922,7 @@ p_b_coll_elem(struct parse *p, } len = p->next - sp; for (cp = cnames; cp->name != NULL; cp++) - if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0') + if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len) return(cp->code); /* known name */ memset(&mbs, 0, sizeof(mbs)); if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201711041445.vA4Eja3h001453>