Boost C++ Libraries: Ticket #12818: regex: badly needs fuzzing

attachment set

anonymous — Tue, 07 Feb 2017 18:59:57 GMT

attachment → regexp.crashes.zip

summary changed

anonymous — Tue, 07 Feb 2017 19:39:51 GMT

summary regexp: badly needs fuzzing → regex: badly needs fuzzing

anonymous — Thu, 09 Feb 2017 01:46:45 GMT

I strongly suggest running static analysis over regex before trying to find bugs by fuzzing. Coverity is free for open source and IME works well to identify the source of vulnerabilities, rather than providing N crashers that exercise some M<N bugs which need to be reverse-engineered with gdb.

choller@… — Thu, 09 Feb 2017 12:14:26 GMT

Replying to anonymous:

I strongly suggest running static analysis over regex before trying to find bugs by fuzzing. Coverity is free for open source and IME works well to identify the source of vulnerabilities, rather than providing N crashers that exercise some M<N bugs which need to be reverse-engineered with gdb.

Working as a Security Engineer I strongly disagree. Fuzzing is far more valuable than static analysis (if testcases are provided by the fuzzer) because static analysis often causes lots of false positives and its results are often hardly actionable for developers (we have tried both with Firefox). The OP already attached a set of testcases, the only thing that is better than that is patches for fixes. You should setup some fuzzing CI as it was suggested already and oss-fuzz even offers the resources for free.

status, milestone changed; resolution set

John Maddock — Fri, 24 Feb 2017 13:16:43 GMT

status new → closed
resolution → fixed
milestone To Be Determined → Boost 1.64.0

Confirmed and fixed in develop: most of the issues you identified were duplicates of a couple of core issues, but further fuzzing with a dictionary revealed many more. Thanks for the heads up on this!

John Maddock — Sat, 13 May 2017 15:56:07 GMT

Since someone asked, and for future reference, most of the issues fixed here relate to parsing invalid regular expressions. The only runtime issues relate to recursive regular expressions: one infinite loop for some inputs, one memory leak, and one compiler/platform portability issue. The actual fixes are all labelled "de-fuzz" here: https://github.com/boostorg/regex/commits/develop

kcc — Fri, 22 Sep 2017 04:06:29 GMT

I've just added boost regex to oss-fuzz (using the fuzz target from this report). https://github.com/google/oss-fuzz/pull/851/files

If someone from boost wants to extend fuzzing to more parts of boost (or improve how regex is fuzzed) -- you are welcome!

kcc — Sun, 24 Sep 2017 02:07:49 GMT

There are at least 5 more bugs/crashes in the current trunk. Is someone interested in being automatically CC-ed to these and future bugs?

 ☆	3460	boost: Integer-overflow in boost::re_detail_NUMBER::basic_regex_parser<char, boost::regex_traits<char, boos
 ☆	3464	boost: Integer-overflow in boost::re_detail_NUMBER::perl_matcher<std::__1::__wrap_iter<char const*>, std::_
 ☆	3469	boost: ASSERT: jmp->type == syntax_element_jump
 ☆	3471	boost: Stack-overflow in boost::re_detail_NUMBER::basic_regex_parser<char, boost::regex_traits<char, boos
 ☆	3472	boost: Stack-overflow in boost::re_detail_NUMBER::perl_matcher<std::__1::__wrap_iter<char const*>, std::_

kcc — Sun, 24 Sep 2017 23:30:12 GMT

two more:

3478      boost: Stack-buffer-overflow in boost::re_detail_NUMBER::perl_matcher...
3479      boost: Null-dereference READ in boost::re_detail_NUMBER::basic_regex...