Bug 1185440
| Summary: | CVE-2015-1345 grep: -F heap buffer overrun | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, jskarvad, lkundrak |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-23 20:14:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1185168 | ||
*** This bug has been marked as a duplicate of bug 1183651 *** |
Yuliy Pisetsky reports: rep -F: fix a heap buffer (read) overrun grep's read buffer is often filled to its full size, except when reading the final buffer of a file. In that case, the number of bytes read may be far less than the size of the buffer. However, for certain unusual pattern/text combinations, grep -F would mistakenly examine bytes in that uninitialized region of memory when searching for a match. With carefully chosen inputs, one can cause grep -F to read beyond the end of that buffer altogether. This problem arose via commit v2.18-90-g73893ff with the introduction of a more efficient heuristic using what is now the memchr_kwset function. The use of that function in bmexec_trans could leave TP much larger than EP, and the subsequent call to bm_delta2_search would mistakenly access beyond end of the main input read buffer. * src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, do not call bm_delta2_search. * tests/kwset-abuse: New file. * tests/Makefile.am (TESTS): Add it. * THANKS.in: Update. * NEWS (Bug fixes): Mention it. Prior to this patch, this command would trigger a UMR: printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) Use of uninitialised value of size 8 at 0x4142BE: bmexec_trans (kwset.c:657) by 0x4143CA: bmexec (kwset.c:678) by 0x414973: kwsexec (kwset.c:848) by 0x414DC4: Fexecute (kwsearch.c:128) by 0x404E2E: grepbuf (grep.c:1238) by 0x4054BF: grep (grep.c:1417) by 0x405CEB: grepdesc (grep.c:1645) by 0x405EC1: grep_command_line_arg (grep.c:1692) by 0x4077D4: main (grep.c:2570) External references: http://git.savannah.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2