GNU bug report logs - #66835
Heap buffer overread in expr in regexec.c in the check_arrival_add_next_nodes function.

Previous Next

Package: coreutils;

Reported by: Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>

Date: Mon, 30 Oct 2023 16:36:01 UTC

Severity: normal

To reply to this bug, email your comments to 66835 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-coreutils <at> gnu.org:
bug#66835; Package coreutils. (Mon, 30 Oct 2023 16:36:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 30 Oct 2023 16:36:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Heap buffer overread in expr in regexec.c in the
 check_arrival_add_next_nodes function.
Date: Sun, 29 Oct 2023 20:14:54 +0200
[Message part 1 (text/plain, inline)]
Hi! I was fuzzing expr in coreutils and found a bug. I compiled expr with
asan and ubsan. I cloned the repository from
https://github.com/coreutils/coreutils and I am using
commit f7e25d5bb53e35bcdea8512dd6db07dd7e6cf452 . After compiling expr,
just run './expr $(printf "\x30\x98\xc8\x9d") : $(printf
"\x5c\x28\x5c\x29\x2e\x2a\x5c\x53\x98\xc8\x30\x2a\x5c\x31")' and observe
the crash. I have attached the ASAN report which I got from my run to this
email.
[Message part 2 (text/html, inline)]
[asanreport.txt (text/plain, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#66835; Package coreutils. (Wed, 08 Nov 2023 00:39:02 GMT) Full text and rfc822 format available.

Message #8 received at 66835 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>,
 66835 <at> debbugs.gnu.org
Subject: Re: bug#66835: Heap buffer overread in expr in regexec.c in the
 check_arrival_add_next_nodes function.
Date: Tue, 7 Nov 2023 16:37:34 -0800
Thanks. This is a bug in the glibc regular expression matcher. It's part 
of a well known series of bugs. See, for example:

https://sourceware.org/bugzilla/show_bug.cgi?id=12896
https://sourceware.org/bugzilla/show_bug.cgi?id=17356

It's not of much practical concern since the attacker should not have 
control of B in invocations like 'expr "$A" : "$B"'.




This bug report was last modified 1 year and 16 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.