Bug#713836: regcomp(3) writes past end of regex_t

To: sacrificial-spam-address@horizon.com, 713836@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#713836: regcomp(3) writes past end of regex_t
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Thu, 27 Jun 2013 02:24:56 +0200
Message-id: <[🔎] 20130627002456.GF13072@hall.aurel32.net>
Reply-to: Aurelien Jarno <aurelien@aurel32.net>, 713836@bugs.debian.org
In-reply-to: <[🔎] 20130623065920.28375.qmail@science.horizon.com>
References: <[🔎] 20130623065920.28375.qmail@science.horizon.com>

tag 713836 + unreproducible
tag 713836 + moreinfo
thanks

On Sun, Jun 23, 2013 at 02:59:20AM -0400, sacrificial-spam-address@horizon.com wrote:
> Package: libc6
> Version: 2.17-6
> Architecture: i386
> Severity: important
> 
> This problem cropped up while compiling the kernel; it breaks
> arch/x86/tools/relocs.c.  I've tracked it down and reduced
> it to a small test case.
> 
> With the given arguments, regcomp() corrupts the byte past the end of
> its supplied regex_t buffer.  This obviously can cause any manner of
> undesired program behavior.
> 
> Note that this is 32-bit i386, not 64-bit.
> 
> Here's a simple test program:
> 
> #include <regex.h>
> #include <stdio.h>
> #include <stdbool.h>
> 
> regex_t array[2];
> 
> static bool
> is_zero(void const *p, size_t len)
> {
> 	size_t i;
> 	unsigned char const *pp = p;
> 	bool rv = true;
> 
> 	for (i = 0; i < len; i++) {
> 		if (pp[i]) {
> 			printf("J'accuse!  buf[%zu] = %#x\n",
> 				i, pp[i]);
> 			rv = false;
> 		}
> 	}
> 	return rv;
> }
> 
> int
> main(void)
> {
> 	if (is_zero(array+1, sizeof array[1]))
> 		printf("array[1] confirmed all-zero\n");
> 	regcomp(array+0, "^pa_", REG_EXTENDED|REG_NOSUB);
> 	if (is_zero(array+1, sizeof array[1]))
> 		printf("array[1] confirmed all-zero\n");
> 	else
> 		printf("Bug!  array[1] has been overwritten!\n");
> 	return 0;
> }
> 
> And here's what running it produces:
> $ ./a.out
> array[1] confirmed all-zero
> J'accuse!  buf[0] = 0x18
> Bug!  array[1] has been overwritten!
> $ ldd ./a.out
>         linux-gate.so.1 (0xf7784000)
>         libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf75ea000)
>         /lib/ld-linux.so.2 (0xf7785000)
> 
> (The fact that the libc6-i686 libraries, which I have installed, are
> not being used is due libc6-i686 postinst not handling multiarch; I'll
> report that separately.)

I am personally not able to to reproduce the issue with your test
program on an up to date i386 sid system. Could you please provide us
the command you are using to compile the test code and the locale you
are using?

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

Reply to:

Follow-Ups:
- Processed: Re: Bug#713836: regcomp(3) writes past end of regex_t
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#713836: regcomp(3) writes past end of regex_t
  - From: sacrificial-spam-address@horizon.com
- Bug#713836: regcomp(3) writes past end of regex_t
  - From: sacrificial-spam-address@horizon.com

References:
- Bug#713836: regcomp(3) writes past end of regex_t
  - From: sacrificial-spam-address@horizon.com

Prev by Date: Re: Bug#714219: Acknowledgement (libc6: crypt(3) returns NULL with EINVAL instead of falling back to DES, breaking GNU software)
Next by Date: Bug#713837: libc6-i686 postinst fails to parse dpkg-query output
Previous by thread: Bug#713836: regcomp(3) writes past end of regex_t
Next by thread: Processed: Re: Bug#713836: regcomp(3) writes past end of regex_t
Index(es):
- Date
- Thread