Bug 757888

Summary: memory corruption from regex in some locales
Product: Red Hat Enterprise Linux 6
Reporter: Paolo Bonzini <pbonzini>
Component: glibc
Assignee: Jeff Law <law>
Status: CLOSED ERRATA
QA Contact: qe-baseos-tools-bugs
Severity: medium
Priority: medium
Version: 6.4
CC: fweimer, jakub, law, mfranc, mnewsome, pbonzini, pbrezina, pmuller, vvitek
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Clone Of: 730952
Bug Depends On: 730952
Last Closed: 2012-06-20 12:08:57 UTC

Description Paolo Bonzini 2011-11-28 21:37:46 UTC
+++ This bug was initially created as a clone of Bug #730952 +++

The bug happens when a collating symbol exists in the current locale that is composed of the same character multiple times (e.g. aa in nb_NO locales).  Attachment 537445 is a zip file with reproducers from Terje Braten.

In this case, you have something like this:

   %fourier-alt-itaalic -s -0.168exnansi
   0         1
   012345678901234^

with cur_idx pointing to the "a" at &mctx->input.mbs[15], which is also the last character (valid_len = 16).  Bytes after the first "a" are leftovers from previous matching attempts.

"aa" is a multicharacter collation element in the bokmal locale, so re_string_elem_size_at returns 2 and check_node_accept_bytes matches 2 bytes even though there is only one byte in the string.  clean_state_log_if_needed then accesses one item past the allocated memory.

I haven't tested the reproducer on RHEL5/6, but the out-of-bounds access is clear and the code has been mostly unchanged for years; attachment 537575 should apply more or less to all even not-so-recent glibc versions.
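
The following is an added illustration of the mechanism described in the report above; it is not glibc's regexec.c and not code from the reporter or the attached reproducers. It models the scan with a constructed collation table (only "aa"), the report's own input buffer with valid_len = 16, and two hypothetical element-size helpers: one that trusts whatever bytes sit in the buffer, as the report describes, and one that refuses to accept a collation element unless all of its bytes lie inside the valid range. The walk returns the highest index it reaches, so any result greater than valid_len stands for the one-past-the-end access the report attributes to clean_state_log_if_needed. The checked helper shows the shape of a bounds check, not the actual glibc fix.

```c
/* Added model of the out-of-bounds scan described in the report; this is
 * not glibc's regexec.c. The collation table, the buffer contents and the
 * function names are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed "locale": byte sequences that form one collation element
 * (the nb_NO case from the report has "aa"). */
static const char *const collating_elements[] = { "aa", NULL };

/* The report's input. Only the first VALID_LEN bytes are valid; the rest
 * stand in for stale bytes left behind by earlier matching attempts. */
static const char sample[] = "%fourier-alt-itaalic -s -0.168exnansi";
#define VALID_LEN 16

/* Unchecked element length: compares against whatever bytes sit in the
 * buffer, valid or not. With 'a' at index 15 and a stale 'a' at 16, it
 * reports a two-byte element although only one valid byte remains. */
static size_t elem_size_at_unchecked(const char *buf, size_t idx)
{
    for (size_t i = 0; collating_elements[i] != NULL; i++) {
        size_t n = strlen(collating_elements[i]);
        if (memcmp(buf + idx, collating_elements[i], n) == 0)
            return n;
    }
    return 1;
}

/* Checked element length: a collation element is only accepted if all of
 * its bytes lie inside the valid part of the buffer. */
static size_t elem_size_at_checked(const char *buf, size_t idx, size_t valid_len)
{
    size_t remaining = idx < valid_len ? valid_len - idx : 0;
    for (size_t i = 0; collating_elements[i] != NULL; i++) {
        size_t n = strlen(collating_elements[i]);
        if (n <= remaining && memcmp(buf + idx, collating_elements[i], n) == 0)
            return n;
    }
    return remaining > 0 ? 1 : 0;
}

/* Walk the buffer one collation element at a time and return the highest
 * index the walk reaches (current index plus element length). Anything
 * greater than valid_len is an access past the valid data, which is the
 * situation the report describes for the state log. */
static size_t scan_max_index(const char *buf, size_t valid_len, int checked)
{
    size_t idx = 0, max_idx = 0;
    while (idx < valid_len) {
        size_t n = checked ? elem_size_at_checked(buf, idx, valid_len)
                           : elem_size_at_unchecked(buf, idx);
        if (n == 0)
            break;
        idx += n;
        if (idx > max_idx)
            max_idx = idx;
    }
    return max_idx;
}

int main(void)
{
    printf("unchecked scan reaches index %zu (valid_len %d)\n",
           scan_max_index(sample, VALID_LEN, 0), VALID_LEN);
    printf("checked scan reaches index %zu (valid_len %d)\n",
           scan_max_index(sample, VALID_LEN, 1), VALID_LEN);
    return 0;
}
```

With the report's buffer, the unchecked walk consumes two bytes at index 15 and reaches index 17, one past valid_len; the checked walk sees only one valid byte remaining, treats it as a single-byte element, and stops at 16. The point of the check is that an element length must be compared against the bytes that are actually valid, not against what happens to be in memory after them.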

Comment 5 Jeff Law 2011-12-16 16:44:06 UTC
No automated test went in upstream that I'm aware of.  In general, it looks like Andreas was very very lax in submitting regression tests upstream.

Comment 7 Jeff Law 2012-04-12 16:17:12 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No Documentation Needed

Comment 9 errata-xmlrpc 2012-06-20 12:08:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0763.html