From patchwork Sun Sep 9 15:12:06 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Eggert X-Patchwork-Id: 29276 Received: (qmail 97769 invoked by alias); 9 Sep 2018 15:12:20 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 97760 invoked by uid 89); 9 Sep 2018 15:12:19 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-24.6 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.2 spammy=Problem X-HELO: zimbra.cs.ucla.edu From: Paul Eggert To: libc-alpha@sourceware.org Cc: Assaf Gordon Subject: [PATCH 1/2] regex: fix heap-use-after-free error Date: Sun, 9 Sep 2018 08:12:06 -0700 Message-Id: <20180909151207.2903-1-eggert@cs.ucla.edu> In-Reply-To: <48cb516b-dc86-f174-9abb-4df06f05f845@cs.ucla.edu> References: <48cb516b-dc86-f174-9abb-4df06f05f845@cs.ucla.edu> From: Assaf Gordon [BZ #23609][BZ #18040] Problem reported by Saito Takaaki in https://debbugs.gnu.org/32592 Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may call extend_buffers which reallocates the re_string_t internal buffer. Local variable 'buf' was not updated in such case, resulting in use-after-free. * posix/regexec.c (get_subexp): Update 'buf' after call to get_subexp_sub. --- ChangeLog | 13 +++++++++++++ posix/regexec.c | 1 + 2 files changed, 14 insertions(+) diff --git a/ChangeLog b/ChangeLog index 611caf9bd8..cf69a33d73 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,16 @@ +2018-09-09 Assaf Gordon + + regex: fix heap-use-after-free error + [BZ #23609][BZ #18040] + Problem reported by Saito Takaaki in + https://debbugs.gnu.org/32592 + Call stack get_subexp->get_subexp_sub->clean_state_log_if_needed may + call extend_buffers which reallocates the re_string_t internal buffer. + Local variable 'buf' was not updated in such case, resulting in + use-after-free. + * posix/regexec.c (get_subexp): Update 'buf' after call to + get_subexp_sub. + 2018-09-06 Stefan Liebler * sysdeps/s390/fpu/libm-test-ulps: Regenerated. diff --git a/posix/regexec.c b/posix/regexec.c index 73644c2341..61a4ea26d1 100644 --- a/posix/regexec.c +++ b/posix/regexec.c @@ -2777,6 +2777,7 @@ get_subexp (re_match_context_t *mctx, Idx bkref_node, Idx bkref_str_idx) return REG_ESPACE; err = get_subexp_sub (mctx, sub_top, sub_last, bkref_node, bkref_str_idx); + buf = (const char *) re_string_get_buffer (&mctx->input); if (err == REG_NOMATCH) continue; }
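Review bot: The one-line refresh in the posix/regexec.c hunk is in the right place, but no regression test accompanies it: a test under posix/ that drives get_subexp through a back-reference match on input long enough for clean_state_log_if_needed to call extend_buffers would catch this stale-pointer class of bug if it reappears (the reproducer from debbugs 32592 named in the commit message is the natural starting point). The assignment sits before `if (err == REG_NOMATCH) continue;`, which matters because the continue path re-enters the loop with `buf` still in use, so the reload must happen on every return from get_subexp_sub, not only on success; a short comment above `buf = (const char *) re_string_get_buffer (&mctx->input);` stating that get_subexp_sub can reallocate the input buffer would make that non-obvious ordering clear to the next reader.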