Bug 1228283 (CVE-2015-3217) - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)
Summary: CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8....
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1330455 1330456 1330508 1330509
Blocks: 1226929 1287727
TreeView+ depends on / blocked
 
Reported: 2015-06-04 14:31 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:33 UTC (History)
13 users (show)

Fixed In Version: pcre 8.38
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:41:34 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1025 normal SHIPPED_LIVE Important: pcre security update 2016-05-11 17:07:01 UTC
Red Hat Product Errata RHSA-2016:1132 normal SHIPPED_LIVE Important: rh-mariadb100-mariadb security update 2016-05-26 12:35:06 UTC
Red Hat Product Errata RHSA-2016:2750 normal SHIPPED_LIVE Moderate: rh-php56 security, bug fix, and enhancement update 2016-11-15 16:40:02 UTC

Description Vasyl Kaigorodov 2015-06-04 14:31:28 UTC
Stack buffer overflow was reported in PCRE library.
Original report:
"""
Latest version of PCRE is prone to a Stack Overflow vulnerability which could caused by the following regular expression.

/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we could use pcretest provide by PCRE library or applications which is wrapped with PCRE such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be triggered by following code snippet.

<?php
preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr);
?>

Other versions and applications may also be affected.

Following test is conveyed under Kali Linux (based on Debian x64) with php 5.6.9:
==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439          RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0  0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1  0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=<optimized out>, eptrb=0x0, rdepth=11129)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2  0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3  0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4  0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5  0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=<optimized out>, eptrb=0x0, rdepth=11125)
"""

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1638
Upstream commits:

    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
(I'm not sure which one fixes the issue exactly though)

Steps to reproduce could be found in the flaw description above.

Comment 2 Tomas Hoger 2016-02-23 12:06:24 UTC
(In reply to Vasyl Kaigorodov from comment #0)
> Upstream commits:
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
> (I'm not sure which one fixes the issue exactly though)

Neither of the above, the upstream fix is:

http://vcs.pcre.org/pcre?view=revision&revision=1566

Confirmed the issue in Red Hat Enterprise Linux 7 (pcre 8.32) and Red Hat Enterprise Linux 6 (pcre 7.8), not reproducible in Red Hat Enterprise Linux 5 (pcre 6.6).

Reproducer, as noted in the upstream bug:

/^(?:(?(1)x|)+)+$()/

Not easily reproducible with glib2 embedded pcre, as pcre in glib2 is built with MATCH_LIMIT_RECURSION=8192 with limits the number of recursive match() calls.  Issue can be reproduced when using smaller stack (ulimit -s).

Comment 7 Petr Pisar 2016-04-28 13:09:36 UTC
Please note that successful reproducer requires non-empty data to match on. E.g.:

$ printf '%s\n%s\n' '/^(?:(?(1)x|)+)+$()/' 'abcd' | libtool --mode=execute valgrind ./pcretest

Comment 8 errata-xmlrpc 2016-05-11 13:07:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html

Comment 9 errata-xmlrpc 2016-05-26 08:38:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1132 https://access.redhat.com/errata/RHSA-2016:1132

Comment 10 errata-xmlrpc 2016-11-15 11:46:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html


Note You need to log in before you can comment on or make changes to this bug.