Bug 24114 (CVE-2019-9169) - regexec buffer read overrun in "grep -i '\(\(\)*.\)*\(\)\(\)\1'"
Summary: regexec buffer read overrun in "grep -i '\(\(\)*.\)*\(\)\(\)\1'"
Status: RESOLVED FIXED
Alias: CVE-2019-9169
Product: glibc
Classification: Unclassified
Component: regex (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: 2.30
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-21 19:17 UTC by eggert
Modified: 2019-03-17 08:44 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
[PATCH] regex: fix read overrun (758 bytes, patch)
2019-01-21 19:17 UTC, eggert
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description eggert 2019-01-21 19:17:37 UTC
Created attachment 11557 [details]
[PATCH] regex: fix read overrun

I am reporting this bug against glibc 2.30 since I assume it's too late to add this fix to 2.29. A user of 'grep' reported a heap buffer overflow when grep is run under AddressSanitizer. The attached patch fixes this.
Comment 1 cvs-commit@gcc.gnu.org 2019-01-31 21:19:32 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  583dd860d5b833037175247230a328f0050dbfe9 (commit)
      from  2bac7daa58da1a313bd452369b0508b31e146637 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=583dd860d5b833037175247230a328f0050dbfe9

commit 583dd860d5b833037175247230a328f0050dbfe9
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Mon Jan 21 11:08:13 2019 -0800

    regex: fix read overrun [BZ #24114]
    
    Problem found by AddressSanitizer, reported by Hongxu Chen in:
    https://debbugs.gnu.org/34140
    * posix/regexec.c (proceed_next_node):
    Do not read past end of input buffer.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |   10 +++++++++-
 posix/regexec.c |    6 ++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
Comment 2 eggert 2019-01-31 21:21:03 UTC
I installed the patch and am marking this bug as fixed in 2.30.
Comment 3 cvs-commit@gcc.gnu.org 2019-03-16 22:25:20 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  b626c5aa5d0673a9caa48fb79fba8bda237e6fa8 (commit)
      from  066ae81ec9b1a5bb8f8b93f4defb089f7b315833 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b626c5aa5d0673a9caa48fb79fba8bda237e6fa8

commit b626c5aa5d0673a9caa48fb79fba8bda237e6fa8
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Mar 16 22:59:56 2019 +0100

    Record CVE-2019-9169 in NEWS and ChangeLog [BZ #24114]

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog |    1 +
 NEWS      |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)
Comment 4 cvs-commit@gcc.gnu.org 2019-03-16 22:32:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.29/master has been updated
       via  10dd17da710fd32aaf1f2187544d80064b8c4ee0 (commit)
       via  4d0b1b0f61bfba034e9e76a1d76acc59c975238f (commit)
      from  bc6f839fb4066be83272c735e662850af2595777 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10dd17da710fd32aaf1f2187544d80064b8c4ee0

commit 10dd17da710fd32aaf1f2187544d80064b8c4ee0
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Mar 16 22:59:56 2019 +0100

    Record CVE-2019-9169 in NEWS and ChangeLog [BZ #24114]
    
    (cherry picked from commit b626c5aa5d0673a9caa48fb79fba8bda237e6fa8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d0b1b0f61bfba034e9e76a1d76acc59c975238f

commit 4d0b1b0f61bfba034e9e76a1d76acc59c975238f
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Mon Jan 21 11:08:13 2019 -0800

    regex: fix read overrun [BZ #24114]
    
    Problem found by AddressSanitizer, reported by Hongxu Chen in:
    https://debbugs.gnu.org/34140
    * posix/regexec.c (proceed_next_node):
    Do not read past end of input buffer.
    
    (cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    9 +++++++++
 NEWS            |    4 ++++
 posix/regexec.c |    6 ++++--
 3 files changed, 17 insertions(+), 2 deletions(-)
Comment 5 cvs-commit@gcc.gnu.org 2019-03-17 08:44:50 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.28/master has been updated
       via  54e725e39d0190227b9bf975a7c3f80e8a81365a (commit)
       via  2aee101ff6075dd97a99982a1ba29e21ec25c52f (commit)
      from  4bf5ab3196bd27e48d87d4a1cd91efd39772e026 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=54e725e39d0190227b9bf975a7c3f80e8a81365a

commit 54e725e39d0190227b9bf975a7c3f80e8a81365a
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Mar 16 22:59:56 2019 +0100

    Record CVE-2019-9169 in NEWS and ChangeLog [BZ #24114]
    
    (cherry picked from commit b626c5aa5d0673a9caa48fb79fba8bda237e6fa8)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2aee101ff6075dd97a99982a1ba29e21ec25c52f

commit 2aee101ff6075dd97a99982a1ba29e21ec25c52f
Author: Paul Eggert <eggert@cs.ucla.edu>
Date:   Mon Jan 21 11:08:13 2019 -0800

    regex: fix read overrun [BZ #24114]
    
    Problem found by AddressSanitizer, reported by Hongxu Chen in:
    https://debbugs.gnu.org/34140
    * posix/regexec.c (proceed_next_node):
    Do not read past end of input buffer.
    
    (cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    9 +++++++++
 NEWS            |    4 ++++
 posix/regexec.c |    6 ++++--
 3 files changed, 17 insertions(+), 2 deletions(-)