Stack buffer overflow was reported in PCRE library. Original report: """ Latest version of PCRE is prone to a Stack Overflow vulnerability which could caused by the following regular expression. /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/ To reproduce the problem, we could use pcretest provide by PCRE library or applications which is wrapped with PCRE such as PHP. For pcretest, simply type the regular expression after the re> For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be triggered by following code snippet. <?php preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr); ?> Other versions and applications may also be affected. Following test is conveyed under Kali Linux (based on Debian x64) with php 5.6.9: ============================================================== (gdb) r poc.php Program received signal SIGSEGV, Segmentation fault. 0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439 1439 RMATCH(eptr, ecode, offset_top, md, eptrb, RM49); (gdb) bt #0 0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439 #1 0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB", ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4, md=<optimized out>, eptrb=0x0, rdepth=11129) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061 #2 0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983 #3 0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878 #4 0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126) at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439 #5 0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB", ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2, md=<optimized out>, eptrb=0x0, rdepth=11125) """ Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1638 Upstream commits: http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562 http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562 (I'm not sure which one fixes the issue exactly though) Steps to reproduce could be found in the flaw description above.
(In reply to Vasyl Kaigorodov from comment #0) > Upstream commits: > http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562 > http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562 > (I'm not sure which one fixes the issue exactly though) Neither of the above, the upstream fix is: http://vcs.pcre.org/pcre?view=revision&revision=1566 Confirmed the issue in Red Hat Enterprise Linux 7 (pcre 8.32) and Red Hat Enterprise Linux 6 (pcre 7.8), not reproducible in Red Hat Enterprise Linux 5 (pcre 6.6). Reproducer, as noted in the upstream bug: /^(?:(?(1)x|)+)+$()/ Not easily reproducible with glib2 embedded pcre, as pcre in glib2 is built with MATCH_LIMIT_RECURSION=8192 with limits the number of recursive match() calls. Issue can be reproduced when using smaller stack (ulimit -s).
Please note that successful reproducer requires non-empty data to match on. E.g.: $ printf '%s\n%s\n' '/^(?:(?(1)x|)+)+$()/' 'abcd' | libtool --mode=execute valgrind ./pcretest
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1132 https://access.redhat.com/errata/RHSA-2016:1132
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html