From owner-svn-src-stable-11@freebsd.org Sat Nov 4 14:44:08 2017 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 74984E4C1EB; Sat, 4 Nov 2017 14:44:08 +0000 (UTC) (envelope-from pfg@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4192270B56; Sat, 4 Nov 2017 14:44:08 +0000 (UTC) (envelope-from pfg@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vA4Ei7o2001338; Sat, 4 Nov 2017 14:44:07 GMT (envelope-from pfg@FreeBSD.org) Received: (from pfg@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vA4Ei7Iu001337; Sat, 4 Nov 2017 14:44:07 GMT (envelope-from pfg@FreeBSD.org) Message-Id: <201711041444.vA4Ei7Iu001337@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: pfg set sender to pfg@FreeBSD.org using -f From: "Pedro F. Giffuni" Date: Sat, 4 Nov 2017 14:44:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r325393 - stable/11/lib/libc/regex X-SVN-Group: stable-11 X-SVN-Commit-Author: pfg X-SVN-Commit-Paths: stable/11/lib/libc/regex X-SVN-Commit-Revision: 325393 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Nov 2017 14:44:08 -0000 Author: pfg Date: Sat Nov 4 14:44:07 2017 New Revision: 325393 URL: https://svnweb.freebsd.org/changeset/base/325393 Log: MFC r325066: Fix out-of-bounds read in libc/regex. The bug is an out-of-bounds read detected with address sanitizer that happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's equal to "GS\x00". In that case len will be equal to 4, and the strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the cp->name[len] == '\0' comparison will cause the read to go out-of-bounds. Checking the length using strlen() instead eliminates the issue. The bug was found in LLVM with oss-fuzz: https://reviews.llvm.org/D39380 Obtained from: Vlad Tsyrklevich through posting on openbsd-tech Modified: stable/11/lib/libc/regex/regcomp.c Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libc/regex/regcomp.c ============================================================================== --- stable/11/lib/libc/regex/regcomp.c Sat Nov 4 14:38:00 2017 (r325392) +++ stable/11/lib/libc/regex/regcomp.c Sat Nov 4 14:44:07 2017 (r325393) @@ -921,7 +921,7 @@ p_b_coll_elem(struct parse *p, } len = p->next - sp; for (cp = cnames; cp->name != NULL; cp++) - if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0') + if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len) return(cp->code); /* known name */ memset(&mbs, 0, sizeof(mbs)); if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)