Bug 922028

Summary: VUL-1: CVE-2015-2305: xen: stubdom / newlib built-in regular expression (regex) library contains a heap overflow vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: Incidents    Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jbeulich, jsegitz, xen-bugs
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 921950    

Description Andreas Stieger 2015-03-12 14:54:32 UTC
+++ This bug was initially created as a clone of Bug #921950 +++

Guido Vranken reported that the regular expression (regex) code originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform; e.g. it may only be used as fallback code.

xen seems to package affected code. Found in:

./xen/stubdom.tar.bz2.contents/stubdom/newlib-1.16.0.tar.gz.contents/newlib-1.16.0/newlib/libc/sys/linux/stdlib/regcomp.c

int				/* 0 success, otherwise REG_something */
regcomp(preg, pattern, cflags)
regex_t *preg;
const char *pattern;
int cflags;
{
[...]
	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
	p->strip = (sop *)malloc(p->ssize * sizeof(sop));

Can you please check if the code lib is used?
Comment 1 Swamp Workflow Management 2015-03-12 23:00:43 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-03-16 13:40:27 UTC
The attack scenario is as follows:
An excessively long (>700 MB) regular expression pattern supplied by a user is parsed using regcomp.c.

Please see attachment 627001 [details] to parent bug 921950 for an upstream patch taken from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
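The arithmetic behind the >700 MB figure, as an added example that is not part of this bug, of newlib or of the upstream patch: it models the quoted ssize/malloc computation in 32-bit arithmetic and shows a length check that makes regcomp() fail cleanly instead of allocating a wrapped, too-small buffer. Helper names and the 4-byte sop size are assumptions for a 32-bit build.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Models the size computation from the quoted regcomp() on a 32-bit build,
 * where size_t is 32 bits and a sop (unsigned long) is 4 bytes. The helper
 * names are hypothetical; this is not newlib code. */
typedef uint32_t size32_t;   /* stands in for the 32-bit size_t */
#define SOP_SIZE32 4u        /* assumed sizeof(sop) on a 32-bit build */

/* Byte count malloc() is asked for, with the same wraparound as the original:
 * ssize = len/2*3 + 1; bytes = ssize * sizeof(sop). */
size32_t strip_bytes_unchecked(size32_t len) {
    size32_t ssize = len / (size32_t)2 * (size32_t)3 + (size32_t)1;
    return ssize * SOP_SIZE32;
}

/* Hardened variant: refuse lengths for which either product would wrap, so
 * the caller can return REG_ESPACE instead of working with a short buffer. */
bool strip_bytes_checked(size32_t len, size32_t *bytes) {
    size32_t half = len / 2;
    if (half > (UINT32_MAX - 1) / 3)          /* half*3 + 1 would wrap */
        return false;
    size32_t ssize = half * 3 + 1;
    if (ssize > UINT32_MAX / SOP_SIZE32)      /* ssize*sizeof(sop) would wrap */
        return false;
    *bytes = ssize * SOP_SIZE32;
    return true;
}

/* Smallest len at which the unchecked computation wraps: ssize reaches 2^30,
 * so ssize*4 == 2^32 and malloc() is asked for 0 bytes.
 * Derived by solving len/2*3 + 1 >= 2^30 for len. */
size32_t first_wrapping_len(void) {
    size32_t min_ssize = UINT32_MAX / SOP_SIZE32 + 1;   /* 2^30 */
    size32_t min_half = (min_ssize - 1 + 2) / 3;        /* ceil((2^30 - 1) / 3) */
    return min_half * 2;
}

int main(void) {
    size32_t len = first_wrapping_len();
    size32_t bytes = 0;
    printf("len=%" PRIu32 " unchecked malloc size=%" PRIu32 " checked=%s\n",
           len, strip_bytes_unchecked(len),
           strip_bytes_checked(len, &bytes) ? "ok" : "rejected");
    return 0;
}
```

The threshold comes out at 715827882 bytes, which is the ">700 MB" pattern length mentioned above.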
Comment 3 Marcus Meissner 2015-03-16 13:51:54 UTC
In what scenarios does xen use regcomp? Probably not attacker-driven code.
Comment 4 Andreas Stieger 2015-03-20 17:25:44 UTC
Looking at the buildlog, the bundled newlib is both patched and used during the build. regcomp.c is not logged to be built. Charles can you please check?
Comment 5 Charles Arnold 2015-03-20 18:44:10 UTC
(In reply to Andreas Stieger from comment #4)
> Looking at the buildlog, the bundled newlib is both patched and used during
> the build. regcomp.c is not logged to be built. Charles can you please check?

Right. The way stubdomains/newlib are configured it doesn't build regcomp.c.

This bug can probably be closed as invalid for SUSE distros.
Comment 6 Andreas Stieger 2015-03-26 09:25:25 UTC
(In reply to Charles Arnold from comment #5)
> (In reply to Andreas Stieger from comment #4)
> > Looking at the buildlog, the bundled newlib is both patched and used during
> > the build. regcomp.c is not logged to be built. Charles can you please check?
> 
> Right. The way stubdomains/newlib are configured it doesn't build regcomp.c.
> 
> This bug can probably be closed as invalid for SUSE distros.

Thanks for verifying. Closing as not affecting us in our configuration.