tech-userlevel archive


grep vs. CVE-2012-5667 (integer type too small)


Alerted by the oss-security mailing list, I've looked at
CVE-2012-5667, which was triggered by a bug report of an
Ubuntu user.

In short: lines > 2^31 bytes make grep core-dump; the original
reporter claims he also has a proof-of-concept to execute code
inserted by the crafted input file:


This affects GNU grep < 2.11. The short test is:

perl -e 'print "x"x(2**31)' | grep x > /dev/null

pkgsrc grep was upgraded from 2.5.3 to 2.13 after 2012Q1 (I think)
and later to 2.14. I've added a line for <2.11 to pkg-vulnerabilities.

However, our in-tree GNU grep is 2.5.3-derived, and at least crashable
by the above test.

The discussion on oss-security
mentions the upstream patch that fixed it:


and two others that also relate to integer overflow fixes from 2.11:

(don't call pcre_exec with lines of > 2^31 bytes)



As our in-tree compiles with pcre stuff disabled (actually not
there), I only back-ported a) and c).

My diff is in
Somebody should proofread it. A few notes below.

Now, how to proceed? I think, as we shipped with gnu grep enabled
in -6, we should probably fix this and pull it up, before thinking
about usr.bin/grep.


Notes on the backport:

I'm not using - for a) - this patch:

- char buf[sizeof (uintmax_t) * CHAR_BIT + 4];
+ char buf[INT_BUFSIZE_BOUND (intmax_t) + 4];
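Review bot: the `+` line depends on INT_BUFSIZE_BOUND from lib/intprops.h, which this message says is not present in the tree being patched; applied as-is the hunk will not compile until that header is imported, so the backport needs either that import or a self-contained bound expression (the message proposes ((sizeof(intmax_t)*8+2)/3) instead).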

not only would we need to import yet another GPLv3 file, I also
think INT_BUFSIZE_BOUND from newer GNU grep lib/intprops.h
gives an answer too small by one for signed 64-bit types. This might
be compensated by the +4 which actually should be +3 and by not reading
in negative digit strings anyway? (See code below that in grep.c)

Anyway, a still safe size would be ((sizeof(intmax_t)*8+2)/3) - a bit
of slack from rounded up multiplication by 0.30103, if we don't want
to waste roughly 2/3rd of the buffer.
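As an added illustration (not part of this message and not grep's code), the following C program compares the three buffer sizes discussed above: the old sizeof(uintmax_t)*CHAR_BIT + 4, the ((sizeof(intmax_t)*8+2)/3) proposed here, and the width that printing INTMAX_MIN actually needs. The helper names are my own.

```c
/* Added example: compare decimal buffer bounds for intmax_t.
 * Not from the message or from grep; helper names are invented here. */
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Old grep bound: one byte per bit plus 4 (the "-" line of the patch).
 * For a 64-bit type this is 68 bytes. */
static size_t old_bound(size_t type_bytes)
{
    return type_bytes * CHAR_BIT + 4;
}

/* Bound from the message: bits * log10(2) ~= bits * 0.30103, rounded up
 * with slack as (bits + 2) / 3.  For 64 bits this is 22 bytes. */
static size_t msg_bound(size_t type_bytes)
{
    return (type_bytes * CHAR_BIT + 2) / 3;
}

/* Characters snprintf needs for v: sign included, terminating NUL excluded. */
static int decimal_chars(intmax_t v)
{
    char scratch[128]; /* sized independently of the bounds under test */
    return snprintf(scratch, sizeof scratch, "%" PRIdMAX, v);
}

/* Widest intmax_t in decimal: INTMAX_MIN (19 digits plus '-' on 64-bit)
 * beats INTMAX_MAX by the sign character, so it is the value to size for. */
static int worst_case_chars(void)
{
    int lo = decimal_chars(INTMAX_MIN);
    int hi = decimal_chars(INTMAX_MAX);
    return lo > hi ? lo : hi;
}

/* 1 if a buffer of `bytes` holds the worst case plus its NUL terminator. */
static int bound_fits(size_t bytes)
{
    return bytes >= (size_t)worst_case_chars() + 1;
}

int main(void)
{
    size_t b = sizeof(intmax_t);
    printf("old bound %zu, message bound %zu, needed %d+NUL, fits: %d\n",
           old_bound(b), msg_bound(b), worst_case_chars(),
           bound_fits(msg_bound(b)));
    return 0;
}
```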

And yes, that code is a horrible hack. Try jot 100 | grep -1 -2 15

