Report information
Id: 131577
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



To: perlbug [...] perl.org
Subject: heap-use-after-free (READ of size 1) in S_reghop4()
Date: Wed, 14 Jun 2017 19:49:41 -0500
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE * / at test581 line 1, <DATA> line 5.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE * / at test581 line 1, <DATA> line 5.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE * / at test581 line 1, <DATA> line 5.
Malformed UTF-8 character (unexpected end of string) in substitution (s///) at test581 line 1, <DATA> line 5.
=================================================================
==22553==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ea47 at pc 0xf21e80 bp 0x7fff9a7bca70 sp 0x7fff9a7bca68
READ of size 1 at 0x60300000ea47 thread T0
    #0 0xf21e7f in S_reghop4 /root/perl/regexec.c:9494
    #1 0xfc84f0 in Perl_re_intuit_start /root/perl/regexec.c:1054
    #2 0xfcae37 in Perl_regexec_flags /root/perl/regexec.c:3001
    #3 0xac86d2 in Perl_pp_subst /root/perl/pp_hot.c:3229
    #4 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
    #5 0x59f02a in S_run_body /root/perl/perl.c:2543
    #6 0x59f02a in perl_run /root/perl/perl.c:2471
    #7 0x43506d in main /root/perl/perlmain.c:123
    #8 0x7f3350585b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x436015 (/root/perl/perl+0x436015)

0x60300000ea47 is located 7 bytes inside of 24-byte region [0x60300000ea40,0x60300000ea58)
freed by thread T0 here:
    #0 0x7f33516d79f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

previously allocated by thread T0 here:
    #0 0x7f33516d79f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/regexec.c:9494 S_reghop4
Attachment: test581.gz (application/x-gzip, 227b)

RT-Send-CC: perl5-porters [...] perl.org

On Wed, 14 Jun 2017 17:50:42 -0700, brian.carpenter@gmail.com wrote:
Attached is a partial minimization. This patch: diff --git a/regexec.c b/regexec.c index 05675ad..29ec5c7 100644 --- a/regexec.c +++ b/regexec.c @@ -9524,6 +9524,9 @@ S_reghopmaybe3(U8* s, SSize_t off, const U8* const lim) } if (off >= 0) return NULL; + if (s > lim) { + Perl_croak_nocontext("Malformed UTF-8 character (fatal)"); + } } else { while (off++ && s > lim) { prevents the crash[1], but I suspect the problem is the code is doing a substitution on $_ while a substitution on $_ is in progress. Tony [1] and is a little broken, since s might be beyond the end of the allocated string
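Review bot: the added `if (s > lim)` guard only runs after the forward-hop loop has already stepped `s` past `lim`, so the one-byte read the sanitizer reports can still happen before the croak fires, and by then `s` may point outside the allocation, as footnote [1] itself concedes. A bound check belongs before each advance (compare the next step against `lim` inside the loop rather than after it), and since the hunk's context names S_reghopmaybe3 while the faulting frame in the report is S_reghop4 at regexec.c:9494, the same guard would be needed there too. Given the reply's own diagnosis that the buffer is reallocated by a nested s/// on `$_` while a match on it is in progress, the croak catches a symptom rather than the cause and should be presented as a stopgap.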
Attachment: 131577b.pl (text/x-perl, 104b)
map{ s[[k@]s{@_Udo{ s( )(@_Udo{ s/\n/\x{776}/ }) }* ] er990 ))e, }<DATA>,__END__ ÿ€!ad{@_Uÿÿÿÿ(