heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

p5pRT · 2017-12-08T19:37:54Z

Migrated from rt.perl.org#132552 (status was 'open')

Searchable as RT132552$

p5pRT · 2017-12-08T19:37:54Z

From @geeknik

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
#0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
#1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
#2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13
#3 0xaa07af in Perl_regexec_flags /root/perl/regexec.c:3015:6
#4 0x8777c7 in Perl_pp_match /root/perl/pp_hot.c:3050:10
#5 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
#6 0x5a68b1 in S_run_body /root/perl/perl.c
#7 0x5a5efb in perl_run /root/perl/perl.c:2517:2
#8 0x5035b7 in main /root/perl/perlmain.c:123:9
#9 0x7effdabb23f0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
#10 0x436109 in _start (/root/perl/perl+0x436109)

0x602000000ebe is located 0 bytes to the right of 14-byte region
[0x602000000eb0,0x602000000ebe)
allocated by thread T0 here:
#0 0x4d6e43 in malloc
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7b9538 in Perl_safesysmalloc /root/perl/util.c:153:21
#2 0x8a184b in Perl_sv_grow /root/perl/sv.c:1603:17
#3 0x8b71d9 in Perl_sv_setpvn /root/perl/sv.c:5004:12
#4 0x8b6d45 in Perl_sv_copypv_flags /root/perl/sv.c:3249:5
#5 0x84fdb4 in Perl_pp_stringify /root/perl/pp_hot.c:89:5
#6 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
#7 0x529657 in S_fold_constants /root/perl/op.c:5571:2
#8 0x6aad26 in Perl_yyparse /root/perl/perly.y
#9 0x5a3c21 in S_parse_body /root/perl/perl.c:2447:9
#10 0x59ea23 in perl_parse /root/perl/perl.c:1750:2
#11 0x503485 in main /root/perl/perlmain.c:121:18
#12 0x7effdabb23f0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
in __interceptor_memchr

p5pRT · 2017-12-13T16:12:00Z

From @iabyn

On Fri, Dec 08, 2017 at 11:37:54AM -0800, Brian Carpenter wrote:

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
#0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
#1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
#2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13

Fixed with v5.27.6-216-g37e6bbd.

Not exploitable; I'll move to the public queue in a few days time.

--
All wight. I will give you one more chance. This time, I want to hear
no Wubens. No Weginalds. No Wudolf the wed-nosed weindeers.
-- Life of Brian

p5pRT · 2017-12-13T16:12:00Z

The RT System itself - Status changed from 'new' to 'open'

p5pRT · 2018-01-23T22:44:54Z

From @tonycoz

On Wed, 13 Dec 2017 08:12:00 -0800, davem wrote:

On Fri, Dec 08, 2017 at 11:37:54AM -0800, Brian Carpenter wrote:

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-
trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp
0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
#0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
#1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
#2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13

Fixed with v5.27.6-216-g37e6bbd.

Not exploitable; I'll move to the public queue in a few days time.

Done.

Tony

khwilliamson · 2022-04-19T12:04:31Z

Is this closable? It says it got fixed

hvds · 2022-04-19T14:14:50Z

Is this closable? It says it got fixed

Yes, it was fixed with test in 37e6bbd, closing.

khwilliamson added the Closable? We might be able to close this ticket, but we need to check with the reporter label Apr 19, 2022

hvds closed this as completed Apr 19, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

p5pRT commented Dec 8, 2017

p5pRT commented Dec 8, 2017

p5pRT commented Dec 13, 2017

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

p5pRT commented Dec 13, 2017

p5pRT commented Jan 23, 2018

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

khwilliamson commented Apr 19, 2022

hvds commented Apr 19, 2022

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

Comments

p5pRT commented Dec 8, 2017

p5pRT commented Dec 8, 2017

From @geeknik

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

p5pRT commented Dec 13, 2017

From @iabyn

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

p5pRT commented Dec 13, 2017

p5pRT commented Jan 23, 2018

From @tonycoz

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

khwilliamson commented Apr 19, 2022

hvds commented Apr 19, 2022