heap-buffer-overflow S_regmatch (regexec.c:6057) #15537
Comments
From @geeknik
I'm attaching 2 test cases to this bug report because the orig556 test case This was found with AFL, ASAN and libdislocator.so affects v5.25.4
==14086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000a4aa is located 2 bytes to the right of 1064-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/regexec.c:6057

From @geeknik
From @tonycoz
On Sat Aug 20 16:24:41 2016, brian.carpenter@gmail.com wrote:
Also detected by valgrind:
tony@mars:.../git/perl$ valgrind -q ./perl ../129024ab.pl
I've reduced the original test case significantly (129024ab.pl).
00000000 24 5f 3d 0a 20 71 71 0a 2e 47 ff ff 80 00 0a 47 |$_=. qq..G.....G|
Further minimization prevented errors from valgrind, and changed the assertion thrown:
tony@mars:.../git/perl$ valgrind -q ./perl ../129024ac.pl
00000000 24 5f 3d 0a 20 71 71 0a 2e 47 ff ff 80 00 0a 47 |$_=. qq..G.....G|
which is a similar assertion to (but not the same as) the one your min556
Tony

From @tonycoz

The RT System itself - Status changed from 'new' to 'open'
From @geeknik
khw asked me on irc if i can check my test cases against blead. neither
On Tue, Aug 23, 2016 at 11:30 PM, Tony Cook via RT <
From @khwilliamson
On 08/29/2016 11:28 PM, Brian 'geeknik' Carpenter wrote:
As I expected, 109ac34 fixed this problem, which means this bug is from
I think that everybody is more naive about security issues than they
To be problematic, the match must be done under 'use locale' or with the
That leads to the pointer to the target string being incremented by
In this test case it is doing a s///g. I have never looked at how the
So, is this exploitable?
From @khwilliamson
On 08/30/2016 10:06 AM, Karl Williamson wrote:
Come to think of it, the UV doesn't have to be a quad, probably.
From @tonycoz
On Tue Aug 30 09:06:55 2016, public@khwilliamson.com wrote:
It depends on what we consider an exploit.
a) it can crash perl, with well defined strings and regexps, which might be
b) even without the crash, could it be used make code that tries to
Tony
From @iabyn
On Tue, Sep 06, 2016 at 06:56:36PM -0700, Tony Cook via RT wrote:
Chiefly on a non-debugging perl, its likely to do a "panic: memwrap"
The main code paths I can see cause:
a character class like \w can consume multiple characters
panic: memwrap
pos() can be set too high
/g can call match for a second time with start pos beyond end,
I don't think s/// can do anything particularly nasty beyond what m// can
Overall my feeling is that this particular combination is unlikely to
I'm not saying this *isn't* exploitable; just that that it's towards the
Also, the fix has been public for 3+ months now.
All in all, I think we should just quietly close the ticket, after
--
From @xsawyerx
On Tue, Dec 6, 2016 at 5:47 PM, Dave Mitchell <davem@iabyn.com> wrote:
5.24 and 5.22, please. Thank you, Dave.
From @tonycoz
On Tue, 06 Dec 2016 08:48:30 -0800, davem wrote:
Made the ticket public.

On Mon, 26 Dec 2016 11:09:15 -0800, xsawyerx@gmail.com wrote:
The cherry-pick to 5.22 was non-trivial, but I've backported it to tonyc/maint-5.22-129038-locale-match (a review from khw might be useful.)
I've added this to both the 5.22 and 5.24 votes files and voted for them.
Tony
From @khwilliamson
On 01/18/2017 10:17 PM, Tony Cook via RT wrote:
The 5.22 patch looks good to me.
From @iabyn
On Thu, Jan 19, 2017 at 09:49:37PM -0700, Karl Williamson wrote:
I've added my vote too. Along with Karl's endorsement, and with 5.22.3 and
--
From @steve-m-hay
On Thu, 02 Feb 2017 07:05:35 -0800, davem wrote:
Anyone can do this once it's got the required votes. The only thing to be careful about right now is that 5.22.4 and 5.24.2 are awaiting the last piece in the @INC puzzle so the plan was to hold off from backporting general bug fixes etc just yet. However, it was agreed that other *security* fixes would still be appropriate for these releases, which probably includes this despite some questions about its likely exploitability.
From @xsawyerx
On 02/09/2017 07:21 PM, Steve Hay via RT wrote:
I agree.
From @steve-m-hay
On Sun, 12 Feb 2017 04:26:22 -0800, xsawyerx@gmail.com wrote:
Shall I go ahead and cherry-pick this into the maint branches then? Do we have any other security fixes that we also want to see in 5.22.4/5.24.2? The voting files both list ba0a415 as a security fix, and it has three votes. Any more?
From @xsawyerx
On 02/21/2017 02:47 PM, Steve Hay via RT wrote:
Aristotle's base.pm change.
From @steve-m-hay
On Tue, 21 Feb 2017 09:01:34 -0800, xsawyerx@gmail.com wrote:
Yes, of course! :-) I meant any other security fixes that we want in these releases so that there's more in them than *just* the base.pm change.
From @steve-m-hay
On Tue, 21 Feb 2017 05:47:01 -0800, shay wrote:
Both this and ba0a415 are now in 5.22 and 5.24.

@iabyn - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129024 (status was 'resolved')
Searchable as RT129024$