New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
regcomp.c:6881: REGEXP *Perl_re_op_compile(SV **const, int, OP *, const regexp_engine *, REGEXP *, _Bool *, U32, U32): Assertion `expr' failed #15841
Comments
From @dur-randirCreated by @dur-randirWhile fuzzing perl v5.25.9-35-g32207c637b built with afl and run qr!@{return%0}0[(?{! to cause an assertion failure on debugging builds and crash on regular 9f14173 is the first bad commit Move bulk of pp_regcomp() into re_op_compile() When called, pp_regcomp() is presented with a list of SVs on the stack. Since we want to avoid premature concatenation (so that we can handle This makes re_op_compile() a bit cumbersome, with a large arg list, Note that a side-effect of this is that qr-overloading now works for all GDB info about the crash location: (gdb) bt Perl Info
|
From @iabynOn Thu, Jan 26, 2017 at 07:13:37AM -0800, Sergey Aleynikov wrote:
A bit of an edge case this. runtime qr//s which include code blocks $r = qr/a$b(?{...})/ is roughly equivalent to @args = sub { (except that the inner sub isn't actually a separate anon sub - its just a The 'return' inside the @{...} expression is causing a return from the The most immediate fix would be to make Perl_re_op_compile() robust in the I need to think some more. -- |
The RT System itself - Status changed from 'new' to 'open' |
From @dur-randirCreated by @dur-randirWhile fuzzing perl v5.25.9-35-g32207c637b built with afl and run qr!0(?{})${return''}! to use an initialized memory slot as a pointer to data. This is a b30fcab is the first bad commit preserve code blocks in interpolated qr//s This now works: { my $x = 1; $r = qr/(??{$x})/ } When a qr// is interpolated into another pattern, the pattern is still GDB info about the program state is: #0 0x00007f755ebcefb8 in S_SvREFCNT_dec (sv=0xcccccccccccccccc) at inline.h:185 Pattern 0xcccccccccccccccc is an afl's pattern to poison malloc'ed Perl Info
|
From @iabynOn Thu, Feb 02, 2017 at 07:58:44AM -0800, Sergey Aleynikov wrote:
This is a variant on the issue discussed in RT #130651 -- |
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Fri, 03 Feb 2017 01:27:17 -0800, davem wrote:
If I understand #130651, then this isn't a seecurity issue, since it would require either the attacker to be able to feed code directly to the interpreter, or for C<use re 'eval';> to be enabled. Am I wrong? Tony |
From @tonycozOn Fri, 27 Jan 2017 07:05:43 -0800, davem wrote:
If I understand correctly, this is bug in interpolation - and isn't a security issue. Is that correct? Tony |
From @tonycozOn Tue, 22 Aug 2017 22:46:34 -0700, tonyc wrote:
Nevermind, wrong ticket. Tony |
From @tonycozOn Fri, 03 Feb 2017 01:27:17 -0800, davem wrote:
Now public, and I'll merge it into 130651. Tony |
Migrated from rt.perl.org#130651 (status was 'open')
Searchable as RT130651$
The text was updated successfully, but these errors were encountered: