GNU bug report logs - #66835
Heap buffer overread in expr in regexec.c in the check_arrival_add_next_nodes function.

Previous Next

To reply to this bug, email your comments to 66835 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Heap buffer overread in expr in regexec.c in the
 check_arrival_add_next_nodes function.
Date: Sun, 29 Oct 2023 20:14:54 +0200

[Message part 1 (text/plain, inline)]

Hi! I was fuzzing expr in coreutils and found a bug. I compiled expr with
asan and ubsan. I cloned the repository from
https://github.com/coreutils/coreutils and I am using
commit f7e25d5bb53e35bcdea8512dd6db07dd7e6cf452 . After compiling expr,
just run './expr $(printf "\x30\x98\xc8\x9d") : $(printf
"\x5c\x28\x5c\x29\x2e\x2a\x5c\x53\x98\xc8\x30\x2a\x5c\x31")' and observe
the crash. I have attached the ASAN report which I got from my run to this
email.

[Message part 2 (text/html, inline)]

[asanreport.txt (text/plain, attachment)]

Message #8 received at 66835 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Some Dickhead <wheneveriseefeetibeatmymeat <at> gmail.com>,
 66835 <at> debbugs.gnu.org
Subject: Re: bug#66835: Heap buffer overread in expr in regexec.c in the
 check_arrival_add_next_nodes function.
Date: Tue, 7 Nov 2023 16:37:34 -0800

Thanks. This is a bug in the glibc regular expression matcher. It's part 
of a well known series of bugs. See, for example:

https://sourceware.org/bugzilla/show_bug.cgi?id=12896
https://sourceware.org/bugzilla/show_bug.cgi?id=17356

It's not of much practical concern since the attacker should not have 
control of B in invocations like 'expr "$A" : "$B"'.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.