[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Glibc - CVE-2015-8985 help



Hi,

On 2020-05-05 12:14, Raluca-Petronela Florea wrote:
> Hello,
> 
> I'm working on fixing some GLIBC vulnerabilities and I have an issue
> regarding
> CVE-2015-8985 - Assertion failure in pop_fail_stack when executing a
> malformed regexp
> 
> Although it seems to be fixed in glibc 2.28, I've encountered the following
> issue testing on a Ubuntu 19.10 virtual machine with glibc 2.30-0ubuntu.2.1
> the following program:
> 
> pop_fail_stack.c
> 
> #include <assert.h>
> #include <regex.h>
> #include <stdio.h>
> 
> int main(int argc, char **argv)
> {
>     int rc;
>     regex_t preg;
>     regmatch_t pmatch[2];
> 
>     rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
>     assert(rc == 0);
>     regexec(&preg, "", 2, pmatch, 0);
>     regfree(&preg);
>     return 0;
> }
> 
> *pop_fail_stack: pop_fail_stack.c:12: main: Assertion `rc == 0' failed.*
> *Aborted (core dumped)*

It means you glibc has the fix. The regex is clearly invalid so it
regcomp correctly fails to compile it.

> As describes the Debian bug
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392), the test
> program compiles an invalid regexp and then tries to match a string
> against it, triggers an assertion:
> 
> *pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
> Aborted*

That error message means the glibc is not fixed, i.e. regcomp is wronglu
able to compile it and regexec later triggers an assertion inside glibc
code.

> So, in my scenario, the test program does not even successfully
> compile the invalid regexp.

This is normal as the regexp is invalid, so it can't be compiled.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net


Reply to: