Re: Regex or Progress? Whos fault?
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 03/25/02
- Previous message: RWXLabs: "about idq.dll problem!!!"
- In reply to: KF: "Regex or Progress? Whos fault?"
- Next in thread: KF: "Re: Regex or Progress? Whos fault? - How to exploit free()"
- Reply: KF: "Re: Regex or Progress? Whos fault? - How to exploit free()"
Date: Mon, 25 Mar 2002 13:43:00 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: KF <dotslash@snosoft.com>
Dear KF,
free() failed because there was a heap overflow before free() was called and
the memory chunk was overwritten by your data ("AAA..."). So the bug is
definitely NOT in regexp, but in Progress itself, because the overflow happened
before the destructor was ever called. This kind of overflow may be
exploitable.
--Thursday, April 4, 2002, 3:10:22 PM, you wrote to vuln-dev@security-focus.com:
K> I am just poking at some more Progress binaries this weekend and I ran
K> across this issue. Based on the gdb dumps I thought that something may
K> be wrong with regex. Not sure though. libg++-2.7.2.8-9.src.rpm said it
K> was from Red Hat 5.2 on rpmfind.net, but it is installed on my 7.2 box for
K> some reason.
K> [root@ghetto dotslash]# cat /etc/redhat-release
K> Red Hat Linux release 7.2 (Enigma)
K> [root@ghetto dotslash]# rpm -qa | grep libg
K> libg++-2.7.2.8-9
K> [root@ghetto bin]# gdb -q ./showcfg
K> (gdb) r `perl -e 'print "A" x 9000'`
K> Starting program: /home/dlc/bin/./showcfg `perl -e 'print "A" x 9000'`
K> Error: Cannot open the configuration file
K> Program received signal SIGSEGV, Segmentation fault.
K> __libc_free (mem=0x41414141) at malloc.c:3136
K> 3136 malloc.c: No such file or directory.
K> in malloc.c
K> (gdb) bt
K> #0 __libc_free (mem=0x41414141) at malloc.c:3136
K> #1 0x400584ee in Regex::~Regex (this=0x40078b98, __in_chrg=2) at
K> Regex.cc:42
K> #2 0x400587d1 in global destructors keyed to Regex::Regex () at
K> Regex.cc:149
K> #3 0x40057950 in __do_global_dtors_aux () from /usr/lib/libg++.so.2.7.2
K> #4 0x400770a5 in _fini () from /usr/lib/libg++.so.2.7.2
K> #5 0x4000de72 in _dl_fini () at eval.c:41
K> #6 0x400ed42b in exit (status=65535) at exit.c:54
K> #7 0x08073b78 in main () at eval.c:41
K> #8 0x400d8507 in __libc_start_main (main=0x80739f0 <main>, argc=2,
K> ubp_av=0xbfffd844, init=0x804beb0 <_init>,
K> fini=0x808f2ec <_fini>, rtld_fini=0x4000dc14 <_dl_fini>,
K> stack_end=0xbfffd83c) at ../sysdeps/generic/libc-start.c:129
K> here's the snippet from Regex.cc
K> Regex::~Regex()
K> {
K>   if (buf->buffer) free(buf->buffer);
K>   if (buf->fastmap) free(buf->fastmap);
K>   if (buf->translate) free (buf->translate);
K>   if (reg->start)
K>     free (reg->start);
K>   if (reg->end)
K>     free (reg->end);
K>   delete(buf);
K>   delete(reg);
K> }
K> -KF
--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)
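An added C example, not code from this thread or from Progress or libg++, that models the layout 3APA3A describes: an unbounded copy of the command-line argument runs over the pointer fields of the object placed right behind the buffer, so the pointer the destructor later hands to free() reads as 0x41414141, beside the bounded copy that prevents it. The struct names, the 64-byte config-path buffer and the arena layout are assumptions, and the run of 9000 'A's is constructed to match the report.

```c
#include <stdint.h>
#include <string.h>

#define CFG_MAX 64   /* hypothetical size of the config-path buffer */
#define ARG_MAX_DEMO 9000

/* Hypothetical stand-in for the pattern buffer whose pointer fields
 * Regex::~Regex() hands to free(). */
struct regex_like { char *buffer; char *fastmap; };
/* One block standing in for two adjacent heap chunks: the config-path
 * buffer with the Regex-like object directly behind it. */
struct arena { unsigned char bytes[CFG_MAX + sizeof(struct regex_like)]; };
static char sentinel_buf[16];  /* the buffer the destructor should free */

/* Vulnerable pattern: strcpy-style copy stops only at the NUL, so a long
 * argument runs over the neighbour's pointers. Clamped at the arena end so
 * the demo stays memory-safe; real strcpy has no clamp. */
static void copy_unbounded(struct arena *a, const char *arg) {
    size_t n = strlen(arg) + 1;
    memcpy(a->bytes, arg, n > sizeof a->bytes ? sizeof a->bytes : n);
}
/* Fixed pattern: reject input that does not fit; the neighbour is never touched. */
static int copy_bounded(struct arena *a, const char *arg) {
    size_t n = strlen(arg);
    if (n >= CFG_MAX) return -1;
    memcpy(a->bytes, arg, n + 1);
    return 0;
}

struct outcome { int rejected; int intact; uint32_t low32; };

/* Build a constructed argument of n_as 'A's (the report used 9000), copy it
 * with the chosen routine, then read the neighbour as the destructor would.
 * low32 mirrors gdb's "mem=0x41414141" whatever the pointer width. */
struct outcome run_copy(int bounded, size_t n_as) {
    static char arg[ARG_MAX_DEMO + 1];
    struct arena a;
    struct regex_like re = { sentinel_buf, NULL };
    struct outcome o = { 0, 0, 0 };
    if (n_as > ARG_MAX_DEMO) n_as = ARG_MAX_DEMO;
    memset(arg, 'A', n_as);
    arg[n_as] = '\0';
    memset(a.bytes, 0, sizeof a.bytes);
    memcpy(a.bytes + CFG_MAX, &re, sizeof re);   /* place the neighbour */
    if (bounded) o.rejected = copy_bounded(&a, arg) != 0;
    else copy_unbounded(&a, arg);
    memcpy(&re, a.bytes + CFG_MAX, sizeof re);   /* what ~Regex() will see */
    o.intact = re.buffer == sentinel_buf;
    o.low32 = (uint32_t)(uintptr_t)re.buffer;
    return o;
}
```

With the unbounded copy and 9000 'A's, run_copy reports the neighbour's buffer pointer as 0x41414141 in its low 32 bits, the value gdb showed in the crash; the bounded copy rejects the argument and leaves the neighbour intact.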