Bug 1228283 (CVE-2015-3217)

Summary: CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam.stokes, andrew, carnil, c.david86, erik-fedora, jorton, jrusnack, lkundrak, mmaslano, ppisar, rcollet, sardella, webstack-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pcre 8.38 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:41:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1330455, 1330456, 1330508, 1330509    
Bug Blocks: 1226929, 1287727    

Description Vasyl Kaigorodov 2015-06-04 14:31:28 UTC 
Stack buffer overflow was reported in PCRE library.
Original report:
"""
Latest version of PCRE is prone to a Stack Overflow vulnerability which could caused by the following regular expression.

/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we could use pcretest provide by PCRE library or applications which is wrapped with PCRE such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be triggered by following code snippet.

<?php
preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr);
?>

Other versions and applications may also be affected.

Following test is conveyed under Kali Linux (based on Debian x64) with php 5.6.9:
==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439          RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0  0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1  0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=<optimized out>, eptrb=0x0, rdepth=11129)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2  0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3  0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4  0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5  0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=<optimized out>, eptrb=0x0, rdepth=11125)
"""

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1638
Upstream commits:

    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
(I'm not sure which one fixes the issue exactly though)

Steps to reproduce could be found in the flaw description above.
Comment 2 Tomas Hoger 2016-02-23 12:06:24 UTC 
(In reply to Vasyl Kaigorodov from comment #0)
> Upstream commits:
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
> (I'm not sure which one fixes the issue exactly though)

Neither of the above, the upstream fix is:

http://vcs.pcre.org/pcre?view=revision&revision=1566

Confirmed the issue in Red Hat Enterprise Linux 7 (pcre 8.32) and Red Hat Enterprise Linux 6 (pcre 7.8), not reproducible in Red Hat Enterprise Linux 5 (pcre 6.6).

Reproducer, as noted in the upstream bug:

/^(?:(?(1)x|)+)+$()/

Not easily reproducible with glib2 embedded pcre, as pcre in glib2 is built with MATCH_LIMIT_RECURSION=8192 with limits the number of recursive match() calls.  Issue can be reproduced when using smaller stack (ulimit -s).
Comment 7 Petr Pisar 2016-04-28 13:09:36 UTC 
Please note that successful reproducer requires non-empty data to match on. E.g.:

$ printf '%s\n%s\n' '/^(?:(?(1)x|)+)+$()/' 'abcd' | libtool --mode=execute valgrind ./pcretest
Comment 8 errata-xmlrpc 2016-05-11 13:07:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html
Comment 9 errata-xmlrpc 2016-05-26 08:38:24 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1132 https://access.redhat.com/errata/RHSA-2016:1132
Comment 10 errata-xmlrpc 2016-11-15 11:46:41 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html