Debian Bug report logs - #476419
libpcre3: stack overflow via certain regular expressions


Package: libpcre3; Maintainer for libpcre3 is Mark Baker <mark@mnb.org.uk>; Source for libpcre3 is src:pcre3.

Reported by: Kai Szymanski <k.szymanski@mediaclipping.de>

Date: Wed, 16 Apr 2008 16:00:01 UTC

Severity: important

Tags: security

Found in versions pcre3/7.4-1, pcre3/6.7+7.4-3



Report forwarded to debian-bugs-dist@lists.debian.org, k.szymanski@mediaclipping.de, k.szymanski@mediaclipping.de, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#476419; Package php5-cli. Full text and rfc822 format available.

Acknowledgement sent to Kai Szymanski <k.szymanski@mediaclipping.de>:
New Bug report received and forwarded. Copy sent to k.szymanski@mediaclipping.de, k.szymanski@mediaclipping.de, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kai Szymanski <k.szymanski@mediaclipping.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: When I use the internal PHP function preg_replace with a regex on a special text, I get a segmentation fault
Date: Wed, 16 Apr 2008 17:56:36 +0200
Package: php5-cli
Version: 5.2.0-8+etch10
Severity: critical

Hi!

If I write a simple script:

<?php
// Read the whole file named by the first argument into one string,
// then apply the pattern (second argument) and replacement (third
// argument) to it with preg_replace().
$file = implode("", file($argv[1]));
echo "== Original: $file\n";
echo "== Replaced: " . preg_replace($argv[2], $argv[3], $file) . "\n";
?>

and run it with

	php pregReplacetest.php "/\'{1,}(([^'])+)\'{1,}/ie" "TEST" testfile.txt

on a text file I get a segmentation fault. I can send the file testfile.txt
to you if needed!

Best regards,
  Kai.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages php5-cli depends on:
ii  lib 1.0.3-6                              high-quality block-sorting file co
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 4.17-5etch3                          File type determination library us
ii  lib 5.5-5                                Shared libraries for terminal hand
ii  lib 6.7+7.4-3                            Perl 5 Compatible Regular Expressi
ii  lib 0.9.8c-4etch1                        SSL shared libraries
ii  lib 2.6.27.dfsg-2                        GNOME XML library
ii  mim 3.39-1                               MIME files 'mime.types' & 'mailcap
ii  php 5.2.0-8+etch10                       Common files for packages built fr
ii  ucf 2.0020                               Update Configuration File: preserv
ii  zli 1:1.2.3-13                           compression library - runtime

php5-cli recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#476419; Package php5-cli. Full text and rfc822 format available.

Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 476419@bugs.debian.org (full text, mbox):

From: "Raphael Geissert" <atomo64@gmail.com>
To: 476419-submitter@bugs.debian.org
Cc: 476419@bugs.debian.org, control@bugs.debian.org
Subject: Re: [php-maint] Bug#476419: When I use the internal PHP function preg_replace with a regex on a special text, I get a segmentation fault
Date: Thu, 17 Apr 2008 19:35:33 -0500
tag 476419 moreinfo unreproducible
thanks

On 16/04/2008, Kai Szymanski <k.szymanski@mediaclipping.de> wrote:
> Package: php5-cli
>  Version: 5.2.0-8+etch10
>  Severity: critical
>
>  Hi!
>
>  If I write a simple script:
>
>  <?
>  $file = implode("",file($argv[1]));
>  echo "== Original: $file\n";
>  echo "== Replaced: ".preg_replace($argv[2],$argv[3],$file)."\n";
>  ?>
>
>  and run it with
>
>         php pregReplacetest.php "/\'{1,}(([^'])+)\'{1,}/ie" "TEST" testfile.txt
>
>  on a text file I get a segmentation fault. I can send the file testfile.txt
>  to you if needed!

IMO it should not segfault at all, but have you noticed that the
'file' you are actually trying to read is "/\'{1,}(([^'])+)\'{1,}/ie"
and not testfile.txt?

By the way:

$ php --version
PHP 5.2.0-8+etch10 (cli) (built: Jan 18 2008 18:52:58)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2006 Zend Technologies

$ php t "/\'{1,}(([^'])+)\'{1,}/ie" "TEST" testfile.txt

Warning: file(/\'{1,}(([^'])+)\'{1,}/ie): failed to open stream: No
such file or directory in /root/t on line 3

Warning: implode(): Bad arguments. in /root/t on line 3
== Original:

Warning: preg_replace(): Delimiter must not be alphanumeric or
backslash in /root/t on line 5
== Replaced:


Same result when trying on 5.2.5-3.

>
>  Best regards,
>   Kai.

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html




Tags added: moreinfo, unreproducible Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 00:45:04 GMT) Full text and rfc822 format available.

Message sent on to Kai Szymanski <k.szymanski@mediaclipping.de>:
Bug#476419. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#476419; Package php5-cli. Full text and rfc822 format available.

Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 476419@bugs.debian.org (full text, mbox):

From: "Raphael Geissert" <atomo64@gmail.com>
To: 476419-submitter@bugs.debian.org, 476419@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [php-maint] Bug#476419: More informations about the problem
Date: Thu, 17 Apr 2008 20:06:07 -0500
reassign 476419 libpcre3
found 476419 7.4-1
found 476419 6.7+7.4-3
tag 476419 - unreproducible moreinfo
tag 476419 + security
severity 476419 important
thanks

On 16/04/2008, Kai Szymanski <k.szymanski@mediaclipping.de> wrote:
> Hi!
>
>  When i use valgrind, i get
>
>  ======
>  ==29062== Stack overflow in thread 1: can't grow stack to 0x7FE801FF8
>  ==29062==
>  ==29062== Process terminating with default action of signal 11 (SIGSEGV)
>  ==29062==  Access not within mapped region at address 0x7FE801FF8
>  ==29062==    at 0x511D2EF: (within /usr/lib/libpcre.so.3.12.0)
>  ==29062== Stack overflow in thread 1: can't grow stack to 0x7FE801FF0
>  ==29062==
>  ==29062== Process terminating with default action of signal 11 (SIGSEGV)
>  ==29062==  Access not within mapped region at address 0x7FE801FF0
>  ==29062==    at 0x4918310: _vgnU_freeres (vg_preloaded.c:56)
>  ==29062==
>  ==29062== ERROR SUMMARY: 38 errors from 18 contexts (suppressed: 10 from 1)
>  ==29062== malloc/free: in use at exit: 2,787,041 bytes in 16,616 blocks.
>  ==29062== malloc/free: 21,143 allocs, 4,527 frees, 8,736,476 bytes
> allocated.
>  ==29062== For counts of detected errors, rerun with: -v
>  ==29062== searching for pointers to 16,616 not-freed blocks.
>  ==29062== checked 4,541,800 bytes.
>  ==29062==
>  ==29062== LEAK SUMMARY:
>  ==29062==    definitely lost: 0 bytes in 0 blocks.
>  ==29062==      possibly lost: 0 bytes in 0 blocks.
>  ==29062==    still reachable: 2,787,041 bytes in 16,616 blocks.
>  ==29062==         suppressed: 0 bytes in 0 blocks.
>  ==29062== Reachable blocks (those to which a pointer was found) are not
> shown.
>  ==29062== To see them, rerun with: --show-reachable=yes
>
>  The text file I use is attached. If you need further information, just ask
> ;)

This is somewhat different, after changing the order of the args and
running it with the corresponding file I can reproduce the
segmentation fault.

I'm reassigning the report to libpcre3 as the problem seems to have
its origin there.

>
>  CU,
>   Kai.
>
>
>  --
>  Kai Szymanski
>

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html




Bug reassigned from package `php5-cli' to `libpcre3'. Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:03 GMT) Full text and rfc822 format available.

Bug marked as found in version 7.4-1. Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:04 GMT) Full text and rfc822 format available.

Bug marked as found in version 6.7+7.4-3. Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:05 GMT) Full text and rfc822 format available.

Tags removed: unreproducible, moreinfo Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:06 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:07 GMT) Full text and rfc822 format available.

Severity set to `important' from `critical' Request was from "Raphael Geissert" <atomo64@gmail.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 01:09:07 GMT) Full text and rfc822 format available.

Message sent on to Kai Szymanski <k.szymanski@mediaclipping.de>:
Bug#476419. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#476419; Package libpcre3. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #40 received at 476419@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: 476419@bugs.debian.org
Cc: control@bugs.debian.org
Subject: libpcre3: stack overflow via certain regular expressions
Date: Mon, 21 Apr 2008 15:09:22 +0200
retitle 476419 libpcre3: stack overflow via certain regular expressions
thanks

Hi!

This really seems to be what valgrind says it is -- Stack overflow.
Kai's regular expression triggers deep recursion in match(), finally
leading to a stack overflow after ~8000 nested calls (on Debian).

Attached is a simple pcre-only reproducer.  Should SEGV with arguments
~4100.

Default recursion limit assumed by pcre seems to be set way too high.
Rebuilding pcre with --with-match-limit-recursion set to lower value
avoids SEGVs.

-- 
Tomas Hoger
[deb476419.sh (application/x-shellscript, attachment)]

Changed Bug title to `libpcre3: stack overflow via certain regular expressions' from `When I use the internal PHP function preg_replace with a regex on a special text, I get a segmentation fault'. Request was from Tomas Hoger <thoger@redhat.com> to control@bugs.debian.org. (Mon, 21 Apr 2008 13:12:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#476419; Package libpcre3. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #47 received at 476419@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Tomas Hoger <thoger@redhat.com>
Cc: 476419@bugs.debian.org
Subject: Re: Bug#476419: libpcre3: stack overflow via certain regular expressions
Date: Tue, 22 Apr 2008 22:45:40 +0200
* Tomas Hoger:

> Default recursion limit assumed by pcre seems to be set way too high.
> Rebuilding pcre with --with-match-limit-recursion set to lower value
> avoids SEGVs.

Ah, I wasn't aware of that option, thanks.  Hopefully it's not necessary
to specify --disable-stack-for-recursion.

There's also a konqueror/KDE Javascript bug report related to this, I
think.

We should test this flag in unstable for a while, and if it works, apply
it to a stable update.




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#476419; Package libpcre3. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #52 received at 476419@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: Florian Weimer <fw@deneb.enyo.de>, 476419@bugs.debian.org
Cc: 476419@bugs.debian.org
Subject: Re: Bug#476419: libpcre3: stack overflow via certain regular expressions
Date: Wed, 23 Apr 2008 10:40:24 +0200
Hi Florian!

On Tue, 22 Apr 2008 22:45:40 +0200 Florian Weimer <fw@deneb.enyo.de>
wrote:

> > Default recursion limit assumed by pcre seems to be set way too
> > high. Rebuilding pcre with --with-match-limit-recursion set to
> > lower value avoids SEGVs.
> 
> Ah, I wasn't ware of that option, thanks.  Hopefully it's not
> necessary to specify --disable-stack-for-recursion.

That actually may not be very good advice after all, as was pointed out
to me by the Fedora pcre maintainer.  Setting some low fixed recursion
limit may cause problems for users who faced this problem and addressed
it by increasing the process stack size (either via ulimit or setrlimit).

Also note that pcrestack(3) already documents this problem quite well,
apart from that ~500 byte suggestion, which seems too small for the
systems I tested on.  Sorry, I missed that man page before.

> There's also a konqueror/KDE Javascript bug report related to this, I
> think.

Yes, that's very likely, as KDE uses pcre for JavaScript regular
expressions.

> We should test this flag in unstable for a while, and if it works,
> apply it to a stable update.

As mentioned above, this can cause regressions for some users.  Providing
match_limit_recursion during the pcre_exec call may be a better start,
with some (('ulimit -s' - stack_used_by_konqueror) / 500) - some_constant
guesswork.

-- 
Tomas Hoger
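The two points above, Tomas's observation in message #40 that the repeated group costs one nested match() frame per iteration, and his suggestion in message #52 of deriving match_limit_recursion at runtime from the stack size, are illustrated below with an added example that is not part of this bug log and is not pcre code. It is a toy recursive backtracking matcher written for this page: it recurses once per consumed character of any repeated element (pcre 8.x does this for repeated capturing groups such as Kai's `(([^'])+)`, not for a bare `[^']+`), counts recursion depth the way pcre's match_limit_recursion does, and returns an error code instead of exhausting the stack (the value -21 is chosen to mirror PCRE_ERROR_RECURSIONLIMIT). The 500 bytes per frame is the pcrestack(3) figure from the thread; the 1 MiB of host stack usage, the 1000-frame safety margin and the 10000 fallback are assumed placeholder values, and the subject text is constructed.

```c
/* Added example (not pcre code): a toy backtracking matcher that recurses
 * once per consumed character of a repeated element, with a recursion
 * counter standing in for pcre's match_limit_recursion. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define TOY_MAX_NODES 64
enum { TOY_NOMATCH = 0, TOY_MATCH = 1,
       TOY_ERROR_RECURSIONLIMIT = -21 };   /* -21 mirrors PCRE_ERROR_RECURSIONLIMIT */

enum kind { K_LIT, K_ANY, K_NOT };
typedef struct { enum kind k; char c; int star; } node;   /* star: zero or more repeats */
typedef struct { node n[TOY_MAX_NODES]; int len; } toy_pat;

/* Pattern syntax: literal, `.`, `[^c]`, `\c`, postfix `+` or `*`.
 * `x+` is compiled as `x` followed by `x*`, so the matcher only knows `*`. */
static int toy_compile(const char *p, toy_pat *out) {
    out->len = 0;
    while (*p) {
        node nd = { K_LIT, 0, 0 };
        if (*p == '.') { nd.k = K_ANY; p++; }
        else if (*p == '[' && p[1] == '^' && p[2] && p[3] == ']') { nd.k = K_NOT; nd.c = p[2]; p += 4; }
        else if (*p == '\\' && p[1]) { nd.c = p[1]; p += 2; }
        else nd.c = *p++;
        if (out->len + 2 > TOY_MAX_NODES) return -1;
        if (*p == '+') { p++; out->n[out->len++] = nd; nd.star = 1; }
        else if (*p == '*') { p++; nd.star = 1; }
        out->n[out->len++] = nd;
    }
    return 0;
}

static int sym_ok(const node *nd, char c) {
    if (c == '\0') return 0;
    return nd->k == K_ANY ? 1 : nd->k == K_NOT ? c != nd->c : c == nd->c;
}

typedef struct { unsigned long limit, depth, max_depth; } toy_ctx;

/* One frame per pattern position and, for a starred node, one extra frame per
 * consumed character: that is what turns subject length into stack depth. */
static int rmatch(const toy_pat *p, int i, const char *s, toy_ctx *cx) {
    int r = TOY_NOMATCH;
    if (++cx->depth > cx->max_depth) cx->max_depth = cx->depth;
    if (cx->limit && cx->depth > cx->limit) r = TOY_ERROR_RECURSIONLIMIT;
    else if (i == p->len) r = TOY_MATCH;
    else if (!p->n[i].star) r = sym_ok(&p->n[i], *s) ? rmatch(p, i + 1, s + 1, cx) : TOY_NOMATCH;
    else {
        /* greedy: try one more repetition first, then backtrack to "stop repeating" */
        if (sym_ok(&p->n[i], *s)) r = rmatch(p, i, s + 1, cx);
        if (r == TOY_NOMATCH) r = rmatch(p, i + 1, s, cx);
    }
    cx->depth--;
    return r;
}

/* Unanchored search, like pcre_exec(): tries every start offset. Returns
 * TOY_MATCH, TOY_NOMATCH or TOY_ERROR_RECURSIONLIMIT; limit 0 means unlimited. */
static int toy_exec(const toy_pat *p, const char *subject, unsigned long limit, unsigned long *max_depth) {
    toy_ctx cx = { limit, 0, 0 };
    int r = TOY_NOMATCH;
    for (const char *s = subject; r == TOY_NOMATCH; s++) {
        r = rmatch(p, 0, s, &cx);
        if (*s == '\0') break;
    }
    if (max_depth) *max_depth = cx.max_depth;
    return r;
}

/* Tomas's rule of thumb: (stack size - stack already used by the host process)
 * / bytes per match() frame, minus a safety margin. 500 bytes/frame is the
 * pcrestack(3) figure; the other values are supplied by the caller. */
static unsigned long recursion_limit_for(unsigned long stack_bytes, unsigned long host_used_bytes,
                                         unsigned long frame_bytes, unsigned long margin_frames) {
    unsigned long frames;
    if (stack_bytes <= host_used_bytes || frame_bytes == 0) return 1;
    frames = (stack_bytes - host_used_bytes) / frame_bytes;
    return frames > margin_frames ? frames - margin_frames : 1;
}

/* Derive the limit from the real soft stack limit (the `ulimit -s` value).
 * 1 MiB host usage, 1000-frame margin and the 10000 fallback are assumptions. */
static unsigned long recursion_limit_from_rlimit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY) return 10000;
    return recursion_limit_for((unsigned long)rl.rlim_cur, 1UL << 20, 500, 1000);
}

/* The thread's scenario on constructed input: n non-quote characters between
 * single quotes, matched against Kai's pattern stripped of its capturing
 * groups and /ie modifiers. Returns -2 on setup failure. */
static int run_scenario(size_t n, unsigned long limit, unsigned long *max_depth) {
    toy_pat p;
    char *subject = malloc(n + 3);
    int r;
    if (!subject || toy_compile("'+[^']+'+", &p) != 0) { free(subject); return -2; }
    subject[0] = '\'';
    memset(subject + 1, 'x', n);
    subject[n + 1] = '\'';
    subject[n + 2] = '\0';
    r = toy_exec(&p, subject, limit, max_depth);
    free(subject);
    return r;
}

int main(void) {
    unsigned long d = 0, lim = recursion_limit_from_rlimit();
    int rc = run_scenario(8000, 0, &d);
    printf("no limit:   rc=%d, deepest recursion=%lu for an 8002-byte subject\n", rc, d);
    rc = run_scenario(8000, 4000, &d);
    printf("limit 4000: rc=%d (-21 = recursion limit hit, no crash)\n", rc);
    rc = run_scenario(8000, lim, &d);
    printf("limit %lu derived from RLIMIT_STACK: rc=%d\n", lim, rc);
    return 0;
}
```

Without a limit the deepest recursion grows linearly with the subject (8006 frames for 8000 characters here), which is the shape valgrind reported; with a limit the same input comes back as an error the caller can handle, which is what a match_limit_recursion set per pcre_exec call buys over rebuilding the library with a fixed --with-match-limit-recursion value.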






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:50:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.