Libpcre3 segfaults on certain regex when jit is used
<HTML><HEAD><TITLE>libpcre3 segfaults on certain regex when jit is used</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>
<P>Dear Maintainer,</P>
<P>When investigating a segmentation fault in Suricata, it showed that the crash is caused by libpcre3 when pcre_exec of a certain regex is called. Further investigations have shown that pcregrep using the regex also resulted in a segfault.</P>
<PRE>
pcregrep '/(?:(?:s(?:ystem/(?:logs|engine)/[^x2f]+?|e(?:rv(?:au|er)|ct)|gau/.*?|alam|ucks|can|ke)|p(?:lugins/content/vote/.ssl/[a-z0-9]|(?:rogcicic|atr)ic|osts?/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setupd+.exe$)[a-z0-9]{5,10}|a(?:d(?:min/images/w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage/flags|nvoice)|xml/load)/[^x2f]+|d(?:o(?:c(?:/[a-z0-9]+)?|ne)|bust)|m(?:edia/files/w+|arch)|~.+?/.[^x2f]+/.+?|c(?:onfig|hris|alc)|u(?:swinzw+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|d+).exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}+|PasswordRecovery|RemoveWAT|Dejdisc|Hostd+|Msword).exe)' file
Segmentation fault
</PRE>
<P>If the JIT is disabled, the crash does not happen:</P>
<PRE>
pcregrep --no-jit '/(?:(?:s(?:ystem/(?:logs|engine)/[^x2f]+?|e(?:rv(?:au|er)|ct)|gau/.*?|alam|ucks|can|ke)|p(?:lugins/content/vote/.ssl/[a-z0-9]|(?:rogcicic|atr)ic|osts?/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setupd+.exe$)[a-z0-9]{5,10}|a(?:d(?:min/images/w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage/flags|nvoice)|xml/load)/[^x2f]+|d(?:o(?:c(?:/[a-z0-9]+)?|ne)|bust)|m(?:edia/files/w+|arch)|~.+?/.[^x2f]+/.+?|c(?:onfig|hris|alc)|u(?:swinzw+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|d+).exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}+|PasswordRecovery|RemoveWAT|Dejdisc|Hostd+|Msword).exe)' file
</PRE>
<P>This can be used to remotely crash Suricata when used with the open emergingthreats rules, which contain the above regex.</P>
<P>The crash no longer happens in stretch/sid, which has a newer pcre version.</P>
<PRE>
-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
</PRE>
</BODY></HTML>
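Added example (not part of the original report, nor Suricata or PCRE code): a triage script that automates the manual comparison above across a whole ruleset. It extracts every pcre option from Suricata rule text, runs each pattern through pcregrep with JIT and with --no-jit, and flags patterns whose process is killed by a signal only when JIT is on. Assumptions: the rule syntax pcre:"/regex/modifiers";, that Suricata modifiers are ignored, and that the operator supplies the sample input; all function names are illustrative.

```python
import re
import signal
import subprocess
import sys

# Suricata keyword syntax: pcre:"/<regex>/<modifiers>";  (a leading ! negates)
PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/([A-Za-z]*)"\s*;')

def extract_pcre(rule_text):
    """Return the regex body of every pcre option found in the rule text."""
    return [m.group(1) for m in PCRE_OPT.finditer(rule_text)]

def run_once(cmd, pattern, sample, timeout=10):
    """Feed `sample` to pcregrep on stdin; return exit status, None on timeout.
    subprocess reports death by signal N as the negative status -N."""
    try:
        proc = subprocess.run(list(cmd) + ["-e", pattern], input=sample,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode

def describe(status):
    if status is None:
        return "timeout"
    if status < 0:
        return "killed by " + signal.Signals(-status).name
    return "exit %d" % status

def triage(rule_text, sample, pcregrep=("pcregrep",)):
    """Run each pattern with JIT and with --no-jit; flag JIT-only crashes."""
    findings = []
    for pattern in extract_pcre(rule_text):
        jit = run_once(pcregrep, pattern, sample)
        nojit = run_once(tuple(pcregrep) + ("--no-jit",), pattern, sample)
        crashed = jit is not None and jit < 0
        clean = nojit is not None and nojit >= 0
        findings.append({"pattern": pattern, "jit": describe(jit),
                         "no_jit": describe(nojit),
                         "jit_only_crash": crashed and clean})
    return findings

if __name__ == "__main__":
    # usage: script.py <rules file> <sample input file>  (both operator-supplied)
    rules = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for f in triage(rules, open(sys.argv[2], "rb").read()):
        if f["jit_only_crash"]:
            print(f["jit"], f["pattern"])
```

A pattern flagged here reproduces the report's symptom on the installed libpcre3, so the affected rule can be disabled until the library is upgraded.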