Report information
Id: 132552
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Date: Fri, 8 Dec 2017 13:37:02 -0600
To: perl5-security-report [...] perl.org
Subject: heap-buffer-overflow (READ of size 2) in Perl_fbm_instr
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and -fsanitize=address. This bug looks similar to 129012 and 132187.


./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'
=================================================================
==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
    #0 0x451a5f in __interceptor_memchr /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
    #1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
    #2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13
    #3 0xaa07af in Perl_regexec_flags /root/perl/regexec.c:3015:6
    #4 0x8777c7 in Perl_pp_match /root/perl/pp_hot.c:3050:10
    #5 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
    #6 0x5a68b1 in S_run_body /root/perl/perl.c
    #7 0x5a5efb in perl_run /root/perl/perl.c:2517:2
    #8 0x5035b7 in main /root/perl/perlmain.c:123:9
    #9 0x7effdabb23f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #10 0x436109 in _start (/root/perl/perl+0x436109)

0x602000000ebe is located 0 bytes to the right of 14-byte region [0x602000000eb0,0x602000000ebe)
allocated by thread T0 here:
    #0 0x4d6e43 in malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7b9538 in Perl_safesysmalloc /root/perl/util.c:153:21
    #2 0x8a184b in Perl_sv_grow /root/perl/sv.c:1603:17
    #3 0x8b71d9 in Perl_sv_setpvn /root/perl/sv.c:5004:12
    #4 0x8b6d45 in Perl_sv_copypv_flags /root/perl/sv.c:3249:5
    #5 0x84fdb4 in Perl_pp_stringify /root/perl/pp_hot.c:89:5
    #6 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
    #7 0x529657 in S_fold_constants /root/perl/op.c:5571:2
    #8 0x6aad26 in Perl_yyparse /root/perl/perly.y
    #9 0x5a3c21 in S_parse_body /root/perl/perl.c:2447:9
    #10 0x59ea23 in perl_parse /root/perl/perl.c:1750:2
    #11 0x503485 in main /root/perl/perlmain.c:121:18
    #12 0x7effdabb23f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3 in __interceptor_memchr
Date: Wed, 13 Dec 2017 16:11:44 +0000
To: perl5-security-report [...] perl.org
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #132552] heap-buffer-overflow (READ of size 2) in Perl_fbm_instr
On Fri, Dec 08, 2017 at 11:37:54AM -0800, Brian Carpenter wrote:
> Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
> -fsanitize=address. This bug looks similar to 129012 and 132187.
>
> ./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'
> =================================================================
> ==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
> READ of size 2 at 0x602000000ebe thread T0
>     #0 0x451a5f in __interceptor_memchr /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
>     #1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
>     #2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13

Fixed with v5.27.6-216-g37e6bbd.

Not exploitable; I'll move to the public queue in a few days time.

-- 
All wight. I will give you one more chance. This time, I want to hear no
Wubens. No Weginalds. No Wudolf the wed-nosed weindeers.
    -- Life of Brian
RT-Send-CC: perl5-porters [...] perl.org
On Wed, 13 Dec 2017 08:12:00 -0800, davem wrote:
> On Fri, Dec 08, 2017 at 11:37:54AM -0800, Brian Carpenter wrote:
> > Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
> > -fsanitize=address. This bug looks similar to 129012 and 132187.
> >
> > ./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'
> > =================================================================
> > ==29563==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
> > READ of size 2 at 0x602000000ebe thread T0
> >     #0 0x451a5f in __interceptor_memchr /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:823:3
> >     #1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c:985:42
> >     #2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c:935:13
>
> Fixed with v5.27.6-216-g37e6bbd.
>
> Not exploitable; I'll move to the public queue in a few days time.

Done.

Tony

