Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 28 Oct 2017 20:09:35 +0000 (UTC)
From:      "Pedro F. Giffuni" <pfg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r325066 - head/lib/libc/regex
Message-ID:  <201710282009.v9SK9Zvx038494@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: pfg
Date: Sat Oct 28 20:09:34 2017
New Revision: 325066
URL: https://svnweb.freebsd.org/changeset/base/325066

Log:
  Fix out-of-bounds read in libc/regex.
  
  The bug is an out-of-bounds read detected with address sanitizer that
  happens when 'sp' in p_b_coll_elems() includes NUL byte[s], e.g. if it's
  equal to "GS\x00". In that case len will be equal to 4, and the
  strncmp(cp->name, sp, len) call will succeed when cp->name is "GS" but the
  cp->name[len] == '\0' comparison will cause the read to go out-of-bounds.
  
  Checking the length using strlen() instead eliminates the issue.
  
  The bug was found in LLVM with oss-fuzz:
  	https://reviews.llvm.org/D39380
  
  MFC after:	1 week
  Obtained from:	Vlad Tsyrklevich through posting on openbsd-tech

Modified:
  head/lib/libc/regex/regcomp.c

Modified: head/lib/libc/regex/regcomp.c
==============================================================================
--- head/lib/libc/regex/regcomp.c	Sat Oct 28 20:03:29 2017	(r325065)
+++ head/lib/libc/regex/regcomp.c	Sat Oct 28 20:09:34 2017	(r325066)
@@ -1059,7 +1059,7 @@ p_b_coll_elem(struct parse *p,
 	}
 	len = p->next - sp;
 	for (cp = cnames; cp->name != NULL; cp++)
-		if (strncmp(cp->name, sp, len) == 0 && cp->name[len] == '\0')
+		if (strncmp(cp->name, sp, len) == 0 && strlen(cp->name) == len)
 			return(cp->code);	/* known name */
 	memset(&mbs, 0, sizeof(mbs));
 	if ((clen = mbrtowc(&wc, sp, len, &mbs)) == len)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710282009.v9SK9Zvx038494>