Bug 88118

Summary: buffer overrun in transit_state()/regexec.c
Product: [Retired] Red Hat Linux Reporter: John Reiser <jreiser>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: fweimer
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-04-09 19:21:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Reiser 2003-04-06 04:39:00 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
Testcase posix/bug-regex4 accesses beyond a malloc()ed block in routine
transit_state().  The overrun happens in the second call to re_search_2:
-----
      match[1] = re_search_2 (&regex, NULL, 0, "abc", 3, 0, 3, NULL, 3);
-----

A concise description of the problem is:
-----
[regexec.c:2077] (Thread 0) **READ_OVERFLOW**
>>           ch = re_string_fetch_byte (mctx->input);

  Reading overflows memory.

          bbbbbbbbbbbbbbbbb
          |       5       | 1 |
                          rrrrr

   Reading    (r) : 0x0804c215 thru 0x0804c215 (1 byte)
   From block (b) : 0x0804c210 thru 0x0804c214 (5 bytes)
                   block allocated at regexec.c, 335
                re_search_2_stub()  regexec.c, 335
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48

  Stack trace where the error occurred:
                   transit_state()  regexec.c, 2077
                  check_matching()  regexec.c, 1009
              re_search_internal()  regexec.c, 744
                  re_search_stub()  regexec.c, 411
                re_search_2_stub()  regexec.c, 349
                   __re_search_2()  regexec.c, 308
                            main()  bug-regex4.c, 48
-----

The gdb traceback at the point of error is
-----
#1  0x40280808 in transit_state (err=0xbfffea60, preg=0xbfffe8d0, 
    mctx=0xbfffe8d0, state=0x804bbd8, fl_search=1075641654) at regexec.c:2077
#2  0x4027e4fa in check_matching (preg=0xbfffea60, mctx=0xbfffe8d0, 
    fl_search=0, fl_longest_match=1) at regexec.c:1009
#3  0x4027dd70 in re_search_internal (preg=0xbfffea60, 
    string=0x804c210 "xyabd", length=5, start=2, range=3, stop=3, nmatch=1, 
    pmatch=0x804c280, eflags=0) at regexec.c:744
#4  0x4027d67b in re_search_stub (bufp=0xbfffea60, 
    string=0x3 <Address 0x3 out of bounds>, length=5, start=2, range=0, 
    stop=3, regs=0x0, ret_len=0) at regexec.c:411
#5  0x4027d51a in re_search_2_stub (bufp=0x3, string1=0x80486a1 "xya", 
    length1=134529664, string2=0x804869e "bd", length2=2, start=3, range=3, 
    regs=0x3, stop=8, ret_len=3) at regexec.c:349
#6  0x4027d421 in __re_search_2 (bufp=0x3, 
    string1=0x3 <Address 0x3 out of bounds>, length1=3, 
    string2=0x3 <Address 0x3 out of bounds>, length2=3, start=3, range=3, 
    regs=0x3, stop=3) at regexec.c:308
#7  0x08048580 in main () at bug-regex4.c:48
#8  0x401d4574 in __libc_start_main (main=0x8048410 <main>, argc=1, 
    ubp_av=0xbfffead4, init=0x80485d0 <__libc_csu_init>, fini=0x804c280, 
    rtld_fini=0x40064020, stack_end=0x804c212)
    at ../sysdeps/generic/libc-start.c:152
-----

The code at the point of error is:
-----
0x402807f5 <transit_state+101>:	testb  $0x8,0x1c(%esi)
0x402807f9 <transit_state+105>:	jne    0x40280b20 <transit_state+912>
0x402807ff <transit_state+111>:	mov    0xc(%edi),%ecx
0x40280802 <transit_state+114>:	mov    0x24(%ecx),%eax
0x40280805 <transit_state+117>:	mov    0x4(%ecx),%edx
0x40280808 <transit_state+120>:	movzbl (%eax,%edx,1),%edx     ##### bad access
0x4028080c <transit_state+124>:	inc    %eax
0x4028080d <transit_state+125>:	mov    %eax,0x24(%ecx)
0x40280810 <transit_state+128>:	mov    0x18(%ebp),%eax
0x40280813 <transit_state+131>:	test   %eax,%eax
0x40280815 <transit_state+133>:	mov    %dl,0xffffffd3(%ebp)
0x40280818 <transit_state+136>:	je     0x40280b15 <transit_state+901>

(gdb) p/x $edx
$2 = 0x804c212
(gdb) p/x $eax
$3 = 0x3

-----
[glibc-2.3.2-20030313/build-i686-linuxnptl/libc.so was loaded at a .text base of
0x401d4380 for this run.]


Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run testcase posix/bug-regex4.
2.Observe the second call to re_search_2() on line 47 of posix/bug-regex4.c.
3.
    

Actual Results:  Buffer overrun as in Description.

Expected Results:  No buffer overrun.

Additional info:
Comment 1 Jakub Jelinek 2003-04-09 19:21:41 UTC 
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-136.html