
heap-buffer-overflow in S_compile_runtime_code (regcomp.c:6569) #15856

Closed
p5pRT opened this issue Feb 1, 2017 · 7 comments

Comments


p5pRT commented Feb 1, 2017

Migrated from rt.perl.org#130684 (status was 'resolved')

Searchable as RT130684$


p5pRT commented Feb 1, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following 30-byte program

00000000 42 45 47 49 4e 7b 24 5e 48 3d 30 78 32 30 30 30 |BEGIN{$^H=0x2000|
00000010 30 30 7d 0a 73 00 5b 28 3f 7b 00 00 78 78 |00}.s.[(?{..xx|
0000001e

to perform an access outside of an allocated memory slot. The ASAN
diagnostics are as follows:

=================================================================
==10551==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dd9a at pc 0x00000073f692 bp 0x7ffed9ff3850 sp 0x7ffed9ff3848
WRITE of size 1 at 0x60200000dd9a thread T0
  #0 0x73f691 in S_compile_runtime_code /home/afl/afl-asan/regcomp.c:6569:7
  #1 0x73f691 in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7034
  #2 0x54915f in Perl_pmruntime /home/afl/afl-asan/op.c:5877:6
  #3 0x6fd3e0 in Perl_yyparse /home/afl/afl-asan/perly.y:1204:23
  #4 0x5ec5a5 in S_parse_body /home/afl/afl-asan/perl.c:2376:9
  #5 0x5e2baf in perl_parse /home/afl/afl-asan/perl.c:1691:2
  #6 0x5224a6 in main /home/afl/afl-asan/perlmain.c:121:18
  #7 0x7fc29957d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
  #8 0x43adb9 in _start (/home/afl/afl-asan/perl+0x43adb9)

0x60200000dd9a is located 0 bytes to the right of 10-byte region [0x60200000dd90,0x60200000dd9a)
allocated by thread T0 here:
  #0 0x4ea6c8 in malloc (/home/afl/afl-asan/perl+0x4ea6c8)
  #1 0x851ece in Perl_safesysmalloc /home/afl/afl-asan/util.c:153:21
  #2 0x728d96 in S_compile_runtime_code /home/afl/afl-asan/regcomp.c:6539:2
  #3 0x728d96 in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7034
  #4 0x54915f in Perl_pmruntime /home/afl/afl-asan/op.c:5877:6
  #5 0x6fd3e0 in Perl_yyparse /home/afl/afl-asan/perly.y:1204:23
  #6 0x5ec5a5 in S_parse_body /home/afl/afl-asan/perl.c:2376:9
  #7 0x5e2baf in perl_parse /home/afl/afl-asan/perl.c:1691:2
  #8 0x5224a6 in main /home/afl/afl-asan/perlmain.c:121:18
  #9 0x7fc29957d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

This is a regression in blead:

77c8f26 is the first bad commit
commit 77c8f26
Author: Karl Williamson <khw@cpan.org>
Date: Thu Jan 12 11:07:47 2017 -0700

  Add /xx regex pattern modifier

  This was first proposed in the thread starting at
  http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg219394.html

GDB info about the program state is:

#0 0x00007fab6c58def6 in S_compile_runtime_code (plen=<optimized out>, pat=<optimized out>, pRExC_state=0x7ffec455ad30) at regcomp.c:6569
6569 *p++ = '\0';
(gdb) bt
#0 0x00007fab6c58def6 in S_compile_runtime_code (plen=<optimized out>, pat=<optimized out>, pRExC_state=0x7ffec455ad30) at regcomp.c:6569
#1 Perl_re_op_compile (patternp=<optimized out>, pat_count=<optimized out>, expr=<optimized out>, eng=0x7fab6cfbf560 <PL_core_reg_engine>, old_re=0x0, is_bare_re=<optimized out>, orig_rx_flags=24, pm_flags=24) at regcomp.c:7034
#2 0x00007fab6c2c2546 in Perl_pmruntime (o=<optimized out>, expr=0x7fab6a965fc8, repl=<optimized out>, flags=flags@entry=1, floor=<optimized out>) at op.c:5877
#3 0x00007fab6c45754d in Perl_yyparse (gramtype=gramtype@entry=258) at perly.y:1204
#4 0x00007fab6c312081 in S_parse_body (env=env@entry=0x0, xsinit=xsinit@entry=0x7fab6c2116c0 <xs_init>) at perl.c:2376
#5 0x00007fab6c318d3b in perl_parse (my_perl=<optimized out>, xsinit=0x7fab6c2116c0 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1691
#6 0x00007fab6c21129e in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:121

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Feb 1, 2017

From @dur-randir

0054


p5pRT commented Feb 1, 2017

From @tonycoz

On Tue, 31 Jan 2017 16:09:07 -0800, randir wrote:

> While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
> under libdislocator, I found the following 30-byte program
>
> 00000000 42 45 47 49 4e 7b 24 5e 48 3d 30 78 32 30 30 30 |BEGIN{$^H=0x2000|
> 00000010 30 30 7d 0a 73 00 5b 28 3f 7b 00 00 78 78 |00}.s.[(?{..xx|
> 0000001e

This doesn't need the NUL separators:

BEGIN{$^H=0x200000}
s/[(?{//xx

fails in the same way. The BEGIN block is equivalent to:

use re 'eval';

and replacing the BEGIN block fails in the same way. It doesn't fail with perl -e '...'.

> to perform an access outside of an allocated memory slot. The ASAN
> diagnostics are as follows:
>
> =================================================================
> ==10551==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000dd9a at pc 0x00000073f692 bp 0x7ffed9ff3850 sp
> 0x7ffed9ff3848
> WRITE of size 1 at 0x60200000dd9a thread T0
> #0 0x73f691 in S_compile_runtime_code /home/afl/afl-asan/regcomp.c:6569:7
> #1 0x73f691 in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7034
> ...
> Author: Karl Williamson <khw@cpan.org>
> Date: Thu Jan 12 11:07:47 2017 -0700
>
> Add /xx regex pattern modifier
>
> This was first proposed in the thread starting at
> http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg219394.html

Unfortunately this patch adds the extra x to the qr''s generated by S_compile_runtime_code() but didn't allocate the extra byte required.

Fixed by dc0dad9.

Since this was broken in blead and fixed before a stable release, it isn't considered a security issue, so I moved it to the public queue.

Tony
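The sizing mismatch Tony describes, modelled in C as an added example. This is illustrative code written for this page, not perl's own S_compile_runtime_code(); the function names and the assumption that the pre-/xx allocation budgeted room for a single trailing x are mine. qr_wrapper_len() computes the bytes a qr'<pattern>'<x flags> wrapper needs including its NUL, build_qr_wrapper() emits that wrapper into a caller-supplied buffer without ever writing past its capacity (the bounds check the original code lacked), and overflow_bytes() reports how far the /xx variant spills past a buffer sized for one x. For the pattern from the reduced reproducer, [(?{, the single-x wrapper is exactly 10 bytes with its NUL, the same size as the region in the ASAN report, and the /xx wrapper needs 11, so the terminating NUL is the byte that lands 0 bytes to the right of the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the qr'' wrapper sizing, not perl's own code.
 * The wrapper built for a runtime (?{ }) pattern has the shape
 *     q r ' <pattern with \ and ' escaped> ' x...x NUL
 * with one 'x' appended per /x level in effect. */

/* Bytes needed for the wrapper, including the terminating NUL. */
size_t qr_wrapper_len(const char *pat, size_t plen, unsigned x_count)
{
    size_t n = 3;                                   /* q r ' */
    for (size_t i = 0; i < plen; i++)
        n += (pat[i] == '\'' || pat[i] == '\\') ? 2 : 1;  /* escaped chars take two bytes */
    n += 1;                                         /* closing ' */
    n += x_count;                                   /* flag characters */
    n += 1;                                         /* NUL terminator */
    return n;
}

/* Emit the wrapper into out[0..cap).  Bytes beyond cap are counted but never
 * written, so the caller compares the return value (bytes needed, NUL
 * included) against cap instead of finding out from ASAN. */
size_t build_qr_wrapper(char *out, size_t cap, const char *pat, size_t plen,
                        unsigned x_count)
{
    size_t pos = 0;
#define PUT(c) do { if (pos < cap) out[pos] = (c); pos++; } while (0)
    PUT('q'); PUT('r'); PUT('\'');
    for (size_t i = 0; i < plen; i++) {
        if (pat[i] == '\'' || pat[i] == '\\')
            PUT('\\');
        PUT(pat[i]);
    }
    PUT('\'');
    for (unsigned i = 0; i < x_count; i++)
        PUT('x');
    PUT('\0');
#undef PUT
    return pos;
}

/* Assumed pre-/xx budget: the allocation left room for exactly one 'x'.
 * Returns how many bytes an x_count-flag wrapper would spill past it. */
size_t overflow_bytes(const char *pat, size_t plen, unsigned x_count)
{
    size_t budget = qr_wrapper_len(pat, plen, 1);
    size_t needed = qr_wrapper_len(pat, plen, x_count);
    return needed > budget ? needed - budget : 0;
}

/* Build into a local buffer and compare with the expected wrapper text.
 * Returns 1 on match, 0 otherwise (including when the wrapper does not fit). */
int wrapper_matches(const char *pat, size_t plen, unsigned x_count,
                    const char *expected)
{
    char buf[64];
    size_t needed = build_qr_wrapper(buf, sizeof buf, pat, plen, x_count);
    if (needed > sizeof buf)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Pattern from the reduced reproducer s/[(?{//xx (constructed input). */
    const char pat[] = "[(?{";
    size_t plen = sizeof(pat) - 1;
    char buf[16];

    for (unsigned x = 1; x <= 2; x++) {
        size_t budget = qr_wrapper_len(pat, plen, 1);
        size_t needed = build_qr_wrapper(buf, sizeof buf, pat, plen, x);
        printf("/%.*s: budget %zu bytes, needed %zu, wrapper %s, overflow %zu\n",
               (int)x, "xx", budget, needed, buf, overflow_bytes(pat, plen, x));
    }
    return 0;
}
```

The point of the PUT() macro is that the writer and the length computation share one definition of the wrapper's shape; when a new flag character is added to the emitter, qr_wrapper_len() is the single place whose arithmetic must change, and a caller that compares its result with the allocation size catches a mismatch before the first out-of-bounds store.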


p5pRT commented Feb 1, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Feb 1, 2017

@tonycoz - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this as completed May 30, 2017