Re: CVE Request - TRE & musl libc regex integer overflows in buffer size computations

[Rich Felker <dalias () libc org>]

On Wed, Oct 19, 2016 at 05:34:12PM -0400, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Due to incorrect use of integer types and missing overflow checks in
> > the tre_tnfa_run_parallel function's buffer overflow logic, the TRE
> > regex implementation (both original version and the one used in musl
> > libc) are subject to integer overflows in buffer size computation.
>
> > at least the num_states*num_tags multiplication can clearly
> > overflow in practice. for safety, check them all, and use the proper
> > type, size_t, rather than int.
>
> Use CVE-2016-8859 for this entire report. We do not see a sensible way
> in which the issue of an incorrect data type could be separated from
> the issue of unchecked multiplication.

Agreed.

> > -    buf = xmalloc((unsigned)total_bytes);
> > +    buf = calloc(total_bytes, 1);
>
> If this is a security fix, it would need a separate CVE ID.

It's not, just something I did at the same time as fixing the bogus
cast (which would be unsafe after the type fix) in this line. In
musl's version of the code, xmalloc is just malloc, and malloc+memset
was a sloppy way of writing calloc that I cleaned up.

Rich