Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 88118 - buffer overrun in transit_state()/regexec.c
Summary: buffer overrun in transit_state()/regexec.c
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-06 04:39 UTC by John Reiser
Modified: 2016-11-24 14:50 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-09 19:21:41 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2003:136 high SHIPPED_LIVE glibc bugfix errata 2003-04-09 04:00:00 UTC

Description John Reiser 2003-04-06 04:39:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
Testcase posix/bug-regex4 accesses beyond a malloc()ed block in routine
transit_state().  The overrun happens in the second call to re_search_2:
-----
      match[1] = re_search_2 (&regex, NULL, 0, "abc", 3, 0, 3, NULL, 3);
-----

A concise description of the problem is:
-----
[regexec.c:2077] (Thread 0) **READ_OVERFLOW**
>>           ch = re_string_fetch_byte (mctx->input);

  Reading overflows memory.

          bbbbbbbbbbbbbbbbb
          |       5       | 1 |
                          rrrrr

   Reading    (r) : 0x0804c215 thru 0x0804c215 (1 byte)
   From block (b) : 0x0804c210 thru 0x0804c214 (5 bytes)
                   block allocated at regexec.c, 335
                re_search_2_stub()  regexec.c, 335
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48

  Stack trace where the error occurred:
                   transit_state()  regexec.c, 2077
                  check_matching()  regexec.c, 1009
              re_search_internal()  regexec.c, 744
                  re_search_stub()  regexec.c, 411
                re_search_2_stub()  regexec.c, 349
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48
-----

The gdb traceback at the point of error is
-----
#1  0x40280808 in transit_state (err=0xbfffea60, preg=0xbfffe8d0, 
    mctx=0xbfffe8d0, state=0x804bbd8, fl_search=1075641654) at regexec.c:2077
#2  0x4027e4fa in check_matching (preg=0xbfffea60, mctx=0xbfffe8d0, 
    fl_search=0, fl_longest_match=1) at regexec.c:1009
#3  0x4027dd70 in re_search_internal (preg=0xbfffea60, 
    string=0x804c210 "xyabd", length=5, start=2, range=3, stop=3, nmatch=1, 
    pmatch=0x804c280, eflags=0) at regexec.c:744
#4  0x4027d67b in re_search_stub (bufp=0xbfffea60, 
    string=0x3 <Address 0x3 out of bounds>, length=5, start=2, range=0, 
    stop=3, regs=0x0, ret_len=0) at regexec.c:411
#5  0x4027d51a in re_search_2_stub (bufp=0x3, string1=0x80486a1 "xya", 
    length1=134529664, string2=0x804869e "bd", length2=2, start=3, range=3, 
    regs=0x3, stop=8, ret_len=3) at regexec.c:349
#6  0x4027d421 in __re_search_2 (bufp=0x3, 
    string1=0x3 <Address 0x3 out of bounds>, length1=3, 
    string2=0x3 <Address 0x3 out of bounds>, length2=3, start=3, range=3, 
    regs=0x3, stop=3) at regexec.c:308
#7  0x08048580 in main () at bug-regex4.c:48
#8  0x401d4574 in __libc_start_main (main=0x8048410 <main>, argc=1, 
    ubp_av=0xbfffead4, init=0x80485d0 <__libc_csu_init>, fini=0x804c280, 
    rtld_fini=0x40064020, stack_end=0x804c212)
    at ../sysdeps/generic/libc-start.c:152
-----

The code at the point of error is:
-----
0x402807f5 <transit_state+101>:	testb  $0x8,0x1c(%esi)
0x402807f9 <transit_state+105>:	jne    0x40280b20 <transit_state+912>
0x402807ff <transit_state+111>:	mov    0xc(%edi),%ecx
0x40280802 <transit_state+114>:	mov    0x24(%ecx),%eax
0x40280805 <transit_state+117>:	mov    0x4(%ecx),%edx
0x40280808 <transit_state+120>:	movzbl (%eax,%edx,1),%edx     ##### bad access
0x4028080c <transit_state+124>:	inc    %eax
0x4028080d <transit_state+125>:	mov    %eax,0x24(%ecx)
0x40280810 <transit_state+128>:	mov    0x18(%ebp),%eax
0x40280813 <transit_state+131>:	test   %eax,%eax
0x40280815 <transit_state+133>:	mov    %dl,0xffffffd3(%ebp)
0x40280818 <transit_state+136>:	je     0x40280b15 <transit_state+901>

(gdb) p/x $edx
$2 = 0x804c212
(gdb) p/x $eax
$3 = 0x3

-----
[glibc-2.3.2-20030313/build-i686-linuxnptl/libc.so was loaded at a .text base of
0x401d4380 for this run.]


Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run testcase posix/bug-regex4.
2.Observe the second call to re_search_2() on line 47 of posix/bug-regex4.c.
3.
    

Actual Results:  Buffer overrun as in Description.

Expected Results:  No buffer overrun.

Additional info:

Comment 1 Jakub Jelinek 2003-04-09 19:21:41 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-136.html



Note You need to log in before you can comment on or make changes to this bug.