heap overflow vulnerability in regcomp.c
| Sec Bug #69248 | heap overflow vulnerability in regcomp.c | | |
|---|---|---|---|
| Submitted: | 2015-03-17 12:42 UTC | Modified: | 2015-03-18 12:08 UTC |
| From: | astieger at suse dot com | Assigned: | stas |
| Status: | Closed | Package: | Regexps related |
| PHP Version: | 5.6.6 | OS: | SLES/ openSUSE |
| Private report: | No | CVE-ID: | 2015-2305 |
[2015-03-17 12:42 UTC] astieger at suse dot com
Description:
------------
Guido Vranken reported that regular expressions (regex) originally written by Henry Spencer contain a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:

```c
int                             /* 0 success, otherwise REG_something */
regcomp(preg, pattern, cflags)
regex_t *preg;
const char *pattern;
int cflags;
{
```

Vulnerable code:

```c
len = strlen((char *)pattern);
[...]
p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;   /* ugh */
p->strip = (sop *)malloc(p->ssize * sizeof(sop));
```

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.

PHP seems to be affected:

```
[ 88s] checking which regex library to use... php
```

ext/ereg/regex/regcomp.c:

```c
p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;   /* ugh */
p->strip = (sop *)malloc(p->ssize * sizeof(sop));
```

also...

```sh
case $PHP_REGEX in
system)
  if test "$PHP_SAPI" = "apache" || test "$PHP_SAPI" = "apache2filter" || test "$PHP_SAPI" = "apache2handler"; then
    REGEX_TYPE=php
  else
```

So even if 'system' is chosen, for the apache module you will get 'php' anyway for whatever -- I believe good -- reason.

The code seems to be removed in git master.

Patch is at https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334

Test script:
---------------
```
$ cat test.php
<?php
$date = "2015-03-17";
if (ereg (str_repeat("a", 715827882), $date, $regs)) {
    echo "$regs[3].$regs[2].$regs[1]";
} else {
    echo "Invalid date format: $date";
}
?>
$ php test.php
Segmentation fault
$
```

or

```
$ php -r 'ereg (str_repeat("a", 715827882), "b", $regs);'
Segmentation fault
```

Actual result:
--------------
Segmentation fault
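The size arithmetic the report quotes, as an added C example (not the upstream patch, nor PHP's or the regex library's own code): the unchecked `len/2*3 + 1` and the following `* sizeof(sop)` are modelled with a 32-bit size type so the wraparound from the report's 715827882-byte pattern reproduces on any host, next to a hypothetical checked version that rejects a pattern length for which either value would wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Strip op as in regcomp.c; 4 bytes, so the malloc size is ssize * 4. */
typedef uint32_t sop;

/* Size computation as in the vulnerable regcomp(), with a 32-bit size type
 * standing in for size_t on a 32-bit build. */
static uint32_t ssize_unchecked32(uint32_t len) {
    return len / 2u * 3u + 1u;                          /* "ugh" */
}

/* Byte count that would reach malloc(); wraps modulo 2^32. */
static uint32_t malloc_size_unchecked32(uint32_t len) {
    return (uint32_t)(ssize_unchecked32(len) * (uint32_t)sizeof(sop));
}

/* Hypothetical hardened version (assumption, not the upstream fix): refuse
 * any length for which the strip count or the byte count would wrap. */
static bool ssize_checked32(uint32_t len, uint32_t *ssize_out) {
    uint32_t half = len / 2u;
    if (half > (UINT32_MAX - 1u) / 3u)                  /* half*3+1 wraps */
        return false;
    uint32_t ssize = half * 3u + 1u;
    if (ssize > UINT32_MAX / (uint32_t)sizeof(sop))     /* ssize*4 wraps */
        return false;
    *ssize_out = ssize;
    return true;
}

/* Checked strip count, or 0 when the length is rejected. */
static uint32_t ssize_checked_or_zero32(uint32_t len) {
    uint32_t ssize;
    return ssize_checked32(len, &ssize) ? ssize : 0u;
}

int main(void) {
    uint32_t len = 715827882u;    /* pattern length from the test script */
    printf("len=%u ssize=%u malloc bytes=%u\n", len,
           ssize_unchecked32(len), malloc_size_unchecked32(len));
    printf("checked: %s\n",
           ssize_checked_or_zero32(len) ? "accepted" : "rejected");
    return 0;
}
```

With the report's length, ssize is exactly 2^30, so the 32-bit byte count wraps to 0 and malloc() returns a buffer far smaller than the strip that is written into it.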
[2015-03-18 00:12 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas