Date: Sat, 21 Nov 1998 21:28:07 -0500 (EST)
From: viro@math.psu.edu
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/8790: [PATCH] Buffer overrun in nvi-1.79.
Message-ID: <199811220228.VAA04320@weyl.math.psu.edu>
>Number: 8790
>Category: bin
>Synopsis: [PATCH] Buffer overrun in nvi-1.79 (exploitable)
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Nov 21 18:30:00 PST 1998
>Last-Modified:
>Originator: Al Viro
>Organization: -ENOENT
>Release: FreeBSD 2.2.7 i586
>Environment:
Any compiler having char==signed char. E.g. gcc ;-/
>Description:
[It's a copy of a bug report sent to Keith Bostic and to the Debian project. I've set Priority: high 'cause the same vulnerability may occur in other packages using Spencer's regex. No, I don't know which ones do ;-<]

The regex used in nvi is vulnerable to the following exploit: if we are trying to compile an expression containing characters with the 8th bit set we'll force p_bre() to stomp on the core.

Details: p_simp_re() incorrectly handles the high half of ASCII.

a) Suppose we got the following: '\\',x where (x&0x80)==0x80. We'll get c==256|(unsigned char)x, i.e. something in the range 0x180--0x1ff. We'll go to default: and there ordinary(c&~256) will happen. That is, the argument of ordinary() will be in the range 0x80--0xff. Now, ordinary() will do a correct EMIT() and will try to set p->g->categories[c&~256]. Since ->categories points into the middle of g->catspace we'll hit the area g->catspace+256 -- g->catspace+383, i.e. a point outside of the malloc()ed block.

b) Suppose we got x where (x&0x80)==0x80 (and no backslashes around). Since char is signed we'll have c == (unsigned char)x - 256. Now, when we get to default: ordinary() will get (c &~ 256), i.e. (unsigned char)x - 512. That is, something in the range -384 -- -257. As a result we'll hit the area g->catspace-256 -- g->catspace-127. Again, we've stomped the core.

Moreover, a look at ordinary() shows that we can easily control what and where we'll write.
Details of a full-scale exploit depend on OS, library and compiler, but crafting a pattern that resets 'secure' on Debian (gcc-2.7.2.3 / glibc-2.0.7u) took 10 minutes ;-/

I'm sending this report to you and to the Debian and FreeBSD projects. I'm not sure that security issues in nvi are that serious, but I don't know what other packages may contain that version of regex ;-<

>How-To-Repeat:
See above and below.

>Fix:
Patch follows:

*** regex/regcomp.c Sat Mar 19 11:21:28 1994 --- regex/regcomp.c Sat Nov 21 13:18:11 1998 *************** *** 609,615 **** REQUIRE(starordinary, REG_BADRPT); /* FALLTHROUGH */ default: ! ordinary(p, c &~ BACKSL); break; } --- 609,615 ---- REQUIRE(starordinary, REG_BADRPT); /* FALLTHROUGH */ default: ! ordinary(p, (char)c); break; }

Down, not across!
Al

>Audit-Trail:
>Unformatted:
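Review bot: the `! ordinary(p, (char)c);` line of the 609,615 hunk deserves a comment at the call site: the truncating cast is correct only because, as the description notes, g->categories points into the middle of g->catspace, so every value in CHAR_MIN..CHAR_MAX is a valid index and both the escaped 0x180--0x1ff tokens and the negative unescaped ones collapse into that range; nothing in the code says so, and a later reader could easily put `c &~ BACKSL` back. The How-To-Repeat field also gives no concrete input, so a regression test that compiles a pattern containing a byte with the 8th bit set, once bare and once preceded by a backslash (the two cases in the description), would pin the fix down on both signed-char and unsigned-char builds.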
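As an added illustration (not part of Al Viro's report or the nvi sources), the C program below models the index arithmetic the description walks through for the signed-char build the report assumes: it sweeps all 256 byte values, bare and escaped, and counts how many of the arguments the old `c &~ BACKSL` hands ordinary() fall outside g->catspace, compared with the patched `(char)c`. The BACKSL value, the categories/catspace offset and ordinary()'s indexing follow the report's description; the helper names and the sample byte 0xc3 are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag that p_simp_re() ORs into the token after a backslash (regcomp.c). */
#define BACKSL (1 << 8)

/* The report is about builds where char is signed, so model the parser's
 * char explicitly as signed char (assumption: matches that build). */
typedef signed char pchar;

/* Token p_simp_re() builds for input byte x: GETNEXT() reads a signed char,
 * so an unescaped high-bit byte sign-extends to a negative int, while
 * "\x" becomes BACKSL | (unsigned char)x, i.e. 0x180..0x1ff. */
static int make_token(unsigned char x, bool escaped)
{
    return escaped ? (BACKSL | x) : (int)(pchar)x;
}

/* What ordinary() receives before and after the patch. */
static int arg_original(int c) { return c & ~BACKSL; }
static int arg_patched(int c)  { return (int)(pchar)c; }

/* g->categories = &g->catspace[-CHAR_MIN], so categories[ch] is
 * catspace[ch - CHAR_MIN]; the table has CHAR_MAX - CHAR_MIN + 1 slots. */
static int catspace_index(int ch) { return ch - SCHAR_MIN; }
static bool index_in_table(int idx) { return idx >= 0 && idx <= SCHAR_MAX - SCHAR_MIN; }

/* Sweep every byte, bare and escaped, and count the tokens for which
 * the given variant of the ordinary() argument indexes outside catspace. */
static int count_out_of_bounds(int (*arg)(int))
{
    int bad = 0;
    for (int x = 0; x < 256; x++)
        for (int esc = 0; esc < 2; esc++)
            if (!index_in_table(catspace_index(arg(make_token((unsigned char)x, esc != 0)))))
                bad++;
    return bad;
}

int main(void)
{
    printf("original: %d of 512 tokens index outside catspace\n", count_out_of_bounds(arg_original));
    printf("patched:  %d of 512 tokens index outside catspace\n", count_out_of_bounds(arg_patched));
    /* The report's two cases, with x = 0xc3 as a constructed sample byte. */
    printf("'\\\\' 0xc3 -> catspace[%d]\n", catspace_index(arg_original(make_token(0xc3, true))));
    printf("0xc3      -> catspace[%d]\n", catspace_index(arg_original(make_token(0xc3, false))));
    return 0;
}
```

The original form lands 256 of the 512 tokens outside the 256-slot table (every high-bit byte, escaped or not), while the patched cast lands none, which is the property the one-line fix relies on.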