Vulnerability Development mailing list archives

Re: Regex or Progress? Whose fault?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 25 Mar 2002 13:43:00 +0300

Dear KF,

free() failed because there was a heap overflow before free() was called and
the memory chunk was overwritten by your data ("AAA..."). So the bug is
definitely NOT in regexp, but in progress itself, because the overflow happened
before the destructor was ever called. This kind of overflow may be
exploitable.

--Thursday, April 4, 2002, 3:10:22 PM, you wrote to vuln-dev () security-focus com:

K> I am just poking at some more progress binaries this weekend and I ran
K> across this issue. Based on the gdb dumps I thought that something may
K> be wrong with regex. Not sure though.  libg++-2.7.2.8-9.src.rpm said it
K> was from redhat 5.2 on rpmfind.net but it is installed on my 7.2 box for
K> some reason.

K> [root@ghetto dotslash]# cat /etc/redhat-release
K> Red Hat Linux release 7.2 (Enigma)
K> [root@ghetto dotslash]# rpm -qa | grep libg
K> libg++-2.7.2.8-9

K> [root@ghetto bin]# gdb -q ./showcfg
K> (gdb) r `perl -e 'print "A" x 9000'`
K> Starting program: /home/dlc/bin/./showcfg `perl -e 'print "A" x 9000'`

K>  Error: Cannot open the configuration file

K> Program received signal SIGSEGV, Segmentation fault.
K> __libc_free (mem=0x41414141) at malloc.c:3136
K> 3136    malloc.c: No such file or directory.
K>         in malloc.c
K> (gdb) bt
K> #0  __libc_free (mem=0x41414141) at malloc.c:3136
K> #1  0x400584ee in Regex::~Regex (this=0x40078b98, __in_chrg=2) at Regex.cc:42
K> #2  0x400587d1 in global destructors keyed to Regex::Regex () at Regex.cc:149
K> #3  0x40057950 in __do_global_dtors_aux () from /usr/lib/libg++.so.2.7.2
K> #4  0x400770a5 in _fini () from /usr/lib/libg++.so.2.7.2
K> #5  0x4000de72 in _dl_fini () at eval.c:41
K> #6  0x400ed42b in exit (status=65535) at exit.c:54
K> #7  0x08073b78 in main () at eval.c:41
K> #8  0x400d8507 in __libc_start_main (main=0x80739f0 <main>, argc=2, ubp_av=0xbfffd844, init=0x804beb0 <_init>,
K>     fini=0x808f2ec <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbfffd83c) at ../sysdeps/generic/libc-start.c:129


K> here's the snippet from Regex.cc
K> Regex::~Regex()
K> {
K>   if (buf->buffer) free(buf->buffer);
K>   if (buf->fastmap) free(buf->fastmap);
K>   if (buf->translate) free (buf->translate);

K>   if (reg->start)
K>     free (reg->start);
K>   if (reg->end)
K>     free (reg->end);

K>   delete(buf);
K>   delete(reg);
K> }

K> -KF




-- 
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)
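The mechanism 3APA3A describes, as an added example written for this page (it is not code from Progress, libg++ or either poster): a fixed-size path buffer filled from the argument without a bound check overflows into the neighbouring pattern buffer, so the free() that runs much later in the destructor is handed 0x41414141 (the low 32 bits of it on a 64-bit build). The buffer names, sizes and the simulated arena layout are assumptions; the layout is a byte arena rather than real malloc chunks so the result is deterministic and the demo itself does not crash.

```c
#include <stdint.h>
#include <string.h>
#define PATH_LEN 64  /* hypothetical fixed-size config-path buffer */

/* Stand-in for the regex pattern buffer whose ->buffer ~Regex() frees. */
struct pattern_buf { char *buffer; char *fastmap; };
/* Simulated heap: the path buffer sits directly before the pattern buffer, as
 * two adjacent malloc chunks would; slack keeps the demo itself in bounds. */
static unsigned char arena[PATH_LEN + sizeof(struct pattern_buf) + 256];

static void reset_arena(void) {
    struct pattern_buf pb = { (char *)0x1000, (char *)0x2000 }; /* constructed */
    memset(arena, 0, sizeof arena);
    memcpy(arena + PATH_LEN, &pb, sizeof pb);
}

/* Vulnerable: copies the whole argument regardless of length; this is the
 * overflow that happens long before the destructor runs. Returns bytes written. */
static size_t copy_path_unsafe(const char *arg) {
    size_t n = strlen(arg) + 1;
    memcpy(arena, arg, n);              /* n > PATH_LEN clobbers pattern_buf */
    return n;
}

/* Fixed: refuses anything that does not fit, so the neighbour stays intact. */
static int copy_path_safe(const char *arg) {
    const char *end = memchr(arg, '\0', PATH_LEN);
    if (end == NULL) return -1;         /* too long: reject, do not truncate */
    memcpy(arena, arg, (size_t)(end - arg) + 1);
    return 0;
}

/* The pointer free() would be handed in the destructor. */
static uintptr_t pattern_buffer_ptr(void) {
    struct pattern_buf pb;
    memcpy(&pb, arena + PATH_LEN, sizeof pb);
    return (uintptr_t)pb.buffer;
}

/* Build "A" x arglen (capped at 255), run one copy routine on a fresh arena,
 * and report the pointer value the destructor's free() would see. */
static uintptr_t run_scenario(int use_safe, size_t arglen) {
    char arg[256];
    if (arglen > 255) arglen = 255;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    reset_arena();
    if (use_safe) copy_path_safe(arg); else copy_path_unsafe(arg);
    return pattern_buffer_ptr();
}
```

run_scenario(0, 100) returns a pointer whose low bytes read 0x41414141, exactly the argument gdb shows in __libc_free, while run_scenario(1, 100) leaves the constructed 0x1000 untouched.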

