From: viro@math.psu.edu
Reply-To: viro@math.psu.edu
To: FreeBSD-gnats-submit@FreeBSD.ORG
Date: Sat, 21 Nov 1998 21:28:07 -0500 (EST)
Message-Id: <199811220228.VAA04320@weyl.math.psu.edu>
Subject: bin/8790: [PATCH] Buffer overrun in nvi-1.79.

>Number:         8790
>Category:       bin
>Synopsis:       [PATCH] Buffer overrun in nvi-1.79 (exploitable)
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 21 18:30:00 PST 1998
>Last-Modified:
>Originator:     Al Viro
>Organization:   -ENOENT
>Release:        FreeBSD 2.2.7 i586
>Environment:
Any compiler having char==signed char. E.g. gcc ;-/
>Description:
[It's a copy of the bug report sent to Keith Bostic and to the Debian project.
I've set Priority: high 'cause the same vulnerability may occur in other
packages using Spencer's regex. No, I don't know which ones do ;-<]

Regex used in nvi is vulnerable to the following exploit: if we are trying
to compile an expression containing characters with the 8th bit set we'll
force p_bre() to stomp on the core.

Details: p_simp_re() incorrectly handles the high half of ASCII.

a) Suppose we got the following: '\\',x where (x&0x80)==0x80. We'll get
   c==256|(unsigned char)x, i.e. something in range 0x180--0x1ff. We'll go
   to default: and there ordinary(c&~256) will happen. That is, the
   argument of ordinary() will be in range 0x80--0xff. Now, ordinary()
   will do a correct EMIT() and will try to set p->g->categories[c&~256].
   Since ->categories points into the middle of g->catspace we'll hit the
   area g->catspace+256 -- g->catspace+383, i.e. a point outside of the
   malloc()ed block.

b) Suppose we got x where (x&0x80)==0x80 (and no backslashes around).
   Since char is signed we'll have c == (unsigned char)x - 256. Now, when
   we get to default: ordinary() will get (c &~ 256), i.e.
   (unsigned char)x - 512. That is, something in range -384 -- -257. As a
   result we'll hit the area g->catspace-256 -- g->catspace-127. Again,
   we've stomped the core.

Moreover, a look at ordinary() shows that we can easily control what and
where we'll write. Details of a full-scale exploit depend on OS, library
and compiler, but crufting a pattern that resets 'secure' on Debian
(gcc-2.7.2.3 / glibc-2.0.7u) took 10 minutes ;-/

I'm sending this report to you and to the Debian and FreeBSD projects.
I'm not sure that security issues in nvi are that serious, but I don't
know what other packages may contain that version of regex ;-<
>How-To-Repeat:
See above and below.
>Fix:
Patch follows:

*** regex/regcomp.c	Sat Mar 19 11:21:28 1994
--- regex/regcomp.c	Sat Nov 21 13:18:11 1998
***************
*** 609,615 ****
  		REQUIRE(starordinary, REG_BADRPT);
  		/* FALLTHROUGH */
  	default:
! 		ordinary(p, c &~ BACKSL);
  		break;
  	}
--- 609,615 ----
  		REQUIRE(starordinary, REG_BADRPT);
  		/* FALLTHROUGH */
  	default:
! 		ordinary(p, (char)c);
  		break;
  	}

Down, not across!
							Al
>Audit-Trail:
>Unformatted:
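Review bot: the `!` line's replacement `ordinary(p, (char)c);` carries no comment explaining why the obvious-looking `c &~ BACKSL` was wrong; since the whole point of the report is that `c` arrives either as `BACKSL|byte` (0x100..0x1ff) or as a sign-extended negative byte, a one-line comment at that line (e.g. `/* fold escaped and sign-extended bytes back into char range for categories[] */`) would keep the next reader from "simplifying" it back. Two things worth confirming at review time: converting an out-of-range int such as 0x1c0 to a signed `char` is implementation-defined in C, so the fix is relying on the two's-complement truncation of the gcc targets named in >Environment:, and on a compiler where `char` is unsigned the cast yields 0x80..0xff rather than a negative value, which should be checked against where `g->categories` points in that build rather than assumed.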
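The index arithmetic of cases (a) and (b) above, carried through both the original `c &~ BACKSL` and the patched `(char)c`, as an added example that is not code from nvi, from Spencer's regex or from the report's author. It models how p_simp_re() forms `c` for an escaped and for a plain input byte, computes the index each version hands to ordinary(), and checks it against the range that `categories[]` can legally address. The assumptions, taken from the report, are that BACKSL is 256, that `char` is signed (modelled here with an explicit `signed char` so the result does not depend on the host compiler), and that `g->categories` points at `&g->catspace[-SCHAR_MIN]`, i.e. into the middle of the malloc()ed block; the program only computes and bounds-checks the indices, it never performs the write.

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not code from nvi or Spencer's regex. Names and values are
 * assumptions taken from the report: BACKSL (256) is the flag p_simp_re() ORs
 * into c for a backslash-escaped byte, and g->categories is assumed to point
 * at &g->catspace[-SCHAR_MIN] on the signed-char compiler the report names. */
#define BACKSL 256
#define NC (SCHAR_MAX - SCHAR_MIN + 1)   /* entries in g->catspace: 256 */

/* How c is formed for one input byte x, following cases (a) and (b):
 * escaped: c = BACKSL | (unsigned char)x          -> 0x100..0x1ff
 * plain:   c is the byte read through a signed char, so a byte >= 0x80 is
 *          sign-extended to (unsigned char)x - 256. */
int form_c(unsigned char x, int escaped)
{
    return escaped ? (BACKSL | (int)x) : (int)(signed char)x;
}

/* Index the original default: case hands to ordinary(). */
int buggy_index(int c) { return c & ~BACKSL; }

/* Index the patched default: case hands to ordinary(). */
int fixed_index(int c) { return (int)(signed char)c; }

/* ordinary() stores into categories[idx]; with categories pointing at
 * &catspace[-SCHAR_MIN], only SCHAR_MIN..SCHAR_MAX stays inside the block. */
int in_catspace(int idx) { return idx >= SCHAR_MIN && idx <= SCHAR_MAX; }

/* Offset of categories[idx] from the start of catspace, in cat_t units;
 * anything outside 0..NC-1 is the out-of-block store the report describes. */
int catspace_offset(int idx) { return idx - SCHAR_MIN; }

int main(void)
{
    unsigned char x = 0xC0;   /* constructed sample byte with bit 7 set */
    const char *how[2] = { "escaped", "plain" };
    for (int i = 0; i < 2; i++) {
        int c = form_c(x, i == 0);
        int b = buggy_index(c), f = fixed_index(c);
        printf("%-7s x=0x%02X: c=%d\n", how[i], x, c);
        printf("  c &~ BACKSL -> idx %d, catspace offset %d (%s, legal is 0..%d)\n",
               b, catspace_offset(b),
               in_catspace(b) ? "inside block" : "OUTSIDE block", NC - 1);
        printf("  (char)c     -> idx %d, catspace offset %d (%s)\n",
               f, catspace_offset(f),
               in_catspace(f) ? "inside block" : "OUTSIDE block");
    }
    return 0;
}
```

With x = 0xC0 the escaped case gives c = 448: the old code indexes catspace at offset 320, inside the +256..+383 window of case (a), while the plain case gives c = -64 and an old-code offset of -192, inside the -256..-127 window of case (b). The patched cast folds both back to index -64, offset 64, inside the 256-entry block.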