Bug 15078 (CVE-2013-0242)

Summary: regex crash on myanmar script (CVE-2013-0242)
Product: glibc Reporter: Paolo Bonzini <bonzini>
Component: regexAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: carlos, drepper.fsp, fweimer
Priority: P2 Flags: fweimer: security+
Version: unspecified   
Target Milestone: 2.18   
Host: Target:
Build: Last reconfirmed:

Description Paolo Bonzini 2013-01-29 11:44:06 UTC 
Reported to upstream sed via bug-gnu-utils@gnu.org.

$ echo ကျွန်ုပ် | sed 's/[^x]x//'
*** glibc detected *** sed: free(): invalid next size (fast): 0x0000000000c4d400 ***

Same result for

$ echo ကျွန်ုပ်x | grep '[^x]x'
Comment 1 Paolo Bonzini 2013-01-30 10:17:41 UTC 
valgrind complains:

==10965== Invalid write of size 8
==10965==    at 0x35F8689563: __GI_memset (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86CA636: clean_state_log_if_needed (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D60C6: re_search_internal (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D67E4: re_search_stub (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D7087: re_search (in /usr/lib64/libc-2.16.so)
==10965==    by 0x407B3A: match_regex (regexp.c:252)
==10965==    by 0x406AFB: execute_program (execute.c:1189)
==10965==    by 0x4077BF: process_files (execute.c:1857)
==10965==    by 0x402496: main (sed.c:366)
==10965==  Address 0x4c47fb8 is 0 bytes after a block of size 104 alloc'd
==10965==    at 0x4A08A2E: realloc (vg_replace_malloc.c:662)
==10965==    by 0x35F86CA4B2: extend_buffers (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86CA5D2: clean_state_log_if_needed (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D60C6: re_search_internal (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D67E4: re_search_stub (in /usr/lib64/libc-2.16.so)
==10965==    by 0x35F86D7087: re_search (in /usr/lib64/libc-2.16.so)
==10965==    by 0x407B3A: match_regex (regexp.c:252)
==10965==    by 0x406AFB: execute_program (execute.c:1189)
==10965==    by 0x4077BF: process_files (execute.c:1857)
==10965==    by 0x402496: main (sed.c:366)
==10965==
Comment 2 Carlos O'Donell 2013-01-30 16:19:46 UTC 
Confirmed fails on master as of 2013-01-30.
Comment 3 Carlos O'Donell 2013-01-30 18:29:03 UTC 
I'm reviewing Andreas' patch:
http://sourceware.org/ml/libc-alpha/2013-01/msg00967.html
Comment 4 Andreas Schwab 2013-02-12 08:32:30 UTC 
Fixed in 2.18.
Comment 5 Jackie Rosen 2014-02-16 19:34:58 UTC 
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.