heap-buffer-overflow write in Perl_parse_uniprop_string #16549

Closed
p5pRT opened this issue May 6, 2018 · 12 comments

Comments

p5pRT commented May 6, 2018

Migrated from rt.perl.org#133179 (status was 'resolved')

Searchable as RT133179$

p5pRT commented May 6, 2018

From @Etsukata

Hello all,

I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp
unicode properties bug I've found.
Please feel free to contact me if you have any questions.

# Brief

There is a potential heap-buffer-overflow write
in Perl_parse_uniprop_string() when compiling
specific regular expressions with 'numericvalue' or 'nv' unicode properties.

- Version: 38c84d6 (perl-5.28.0)
  - https://perl5.git.perl.org/perl.git/commit/2cdbf8d9c7a9b6f7640617efa7e5d24c9bedb9f2 or later

# PoC

- with AddressSanitizer

```
[eiichi@x1 perl]$ ./miniperl -le 'my $a = "\\p{numericvalue=/}"; qr/$a/'

=================================================================
==23627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000014be at pc 0x000001302300 bp 0x7fff061da630 sp 0x7fff061da628
WRITE of size 1 at 0x6020000014be thread T0
    #0 0x13022ff in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30
    #1 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #2 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #3 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #4 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #5 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #6 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #7 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #8 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #9 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #10 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #11 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #12 0x7fe94e5e2f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #13 0x41c3d9 in _start (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x41c3d9)

0x6020000014be is located 0 bytes to the right of 14-byte region [0x6020000014b0,0x6020000014be)
allocated by thread T0 here:
    #0 0x4d8980 in malloc (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x4d8980)
    #1 0xbc0dd0 in Perl_safesysmalloc /home/eiichi/git/etfuzz/ext/perl/util.c:153:21
    #2 0x12feea3 in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:5940:5
    #3 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #4 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #5 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #6 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #7 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #8 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #9 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #10 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #11 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #12 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #13 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #14 0x7fe94e5e2f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30 in Perl_parse_uniprop_string
Shadow bytes around the buggy address:
  0x0c047fff8240: fa fa 00 01 fa fa 00 02 fa fa 00 05 fa fa 00 02
  0x0c047fff8250: fa fa 00 fa fa fa 00 01 fa fa 00 00 fa fa 00 06
  0x0c047fff8260: fa fa 07 fa fa fa 00 04 fa fa 02 fa fa fa fd fd
  0x0c047fff8270: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa fd fd
  0x0c047fff8280: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8290: fa fa 00 04 fa fa 00[06]fa fa fa fa fa fa fa fa
  0x0c047fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23627==ABORTING
```

- without AddressSanitizer / Segmentation Fault

```
[eiichi@x1 perl5]$ ./miniperl -le 'my $a = "\\p{numericvalue=/123456789/}"; qr/$a/'
Can't locate utf8.pm in @INC (you may need to install the utf8 module) (@INC contains: .) at -e line 1.
BEGIN failed--compilation aborted.
Segmentation fault (core dumped)

[eiichi@x1 perl5]$ PERL5LIB=./lib ./miniperl -V

Summary of my perl5 (revision 5 version 28 subversion 0) configuration:
  Commit id: 38c84d6
  Platform:
    osname=linux
    osvers=4.15.14-300.fc27.x86_64
    archname=x86_64-linux
    uname='linux x1 4.15.14-300.fc27.x86_64 #1 smp thu mar 29 16:13:44 utc 2018 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2'
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='7.3.1 20180303 (Red Hat 7.3.1-5)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib /lib/../lib64 /usr/lib/../lib64 /lib /lib64 /usr/lib64 /usr/local/lib64 /usr/local/lib /usr/lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.26.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.26'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_EXTERNAL_GLOB
    PERL_IS_MINIPERL
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_SITECUSTOMIZE
  Built under linux
  Compiled at May 6 2018 12:40:33
  %ENV:
    PERL5LIB="./lib"
  @INC:
    ./lib
```

# Exploitability

- allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted regular expression.
  - will be the same as CVE-2017-12837: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131582

# Additional Note

- 'nv' unicode property can also cause heap-buffer-overflow write:

```
[eiichi@x1 perl]$ ./miniperl -le 'my $a = "\\p{nv=/}"; qr/$a/'

==24715==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001514 at pc 0x000001302300 bp 0x7ffcf68336f0 sp 0x7ffcf68336e8
WRITE of size 1 at 0x602000001514 thread T0
    #0 0x13022ff in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30
    #1 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #2 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #3 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #4 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #5 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #6 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #7 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #8 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #9 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #10 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #11 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #12 0x7f964b94af29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #13 0x41c3d9 in _start (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x41c3d9)

0x602000001514 is located 0 bytes to the right of 4-byte region [0x602000001510,0x602000001514)
allocated by thread T0 here:
    #0 0x4d8980 in malloc (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x4d8980)
    #1 0xbc0dd0 in Perl_safesysmalloc /home/eiichi/git/etfuzz/ext/perl/util.c:153:21
    #2 0x12feea3 in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:5940:5
    #3 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #4 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #5 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #6 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #7 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #8 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #9 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #10 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #11 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #12 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #13 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #14 0x7f964b94af29 in __libc_start_main (/lib64/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30 in Perl_parse_uniprop_string
Shadow bytes around the buggy address:
  0x0c047fff8250: fa fa 00 fa fa fa 00 01 fa fa 00 00 fa fa 00 06
  0x0c047fff8260: fa fa 07 fa fa fa 00 04 fa fa 02 fa fa fa fd fd
  0x0c047fff8270: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa fd fd
  0x0c047fff8280: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fa
  0x0c047fff8290: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04
=>0x0c047fff82a0: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24715==ABORTING
```

Thanks
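
The report above establishes two facts about the crash: the scratch buffer is allocated to exactly the input length (a 14-byte region for `numericvalue=/`, a 4-byte region for `nv=/`), and the one-byte write lands at offset `len`, "0 bytes to the right of" that region, because the slash handler assumes a denominator follows the `/`. The following C program is an added example written for this page, not code from utf8.c, from the reporter or from the Perl project: it is a simplified model of that bug class with hypothetical names (`parse_model`, `checked_store`, `model_overflows`, `model_written`), and its slash handler only keeps the one property that matters here, that it consumes one more input byte than a trailing `/` has. The real fraction handling in `Perl_parse_uniprop_string` is not reproduced. A bounds-checked store stands in for the sanitizer so the model records the out-of-bounds attempt instead of performing it, and the `guarded` flag switches between the pre-patch condition and the one the patch below introduces.

```c
/*
 * Added example, NOT the code from utf8.c: a simplified model of the
 * trailing-slash bug.  Kept from the report:
 *   1. the scratch buffer is allocated to exactly the input length;
 *   2. the '/' handler assumes a denominator follows, so a trailing '/'
 *      stores one byte at index len, i.e. just past the allocation.
 * All names below are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int    oob_write;   /* set when a store past the allocation was attempted */
    size_t written;     /* bytes stored inside the allocation */
    char   lookup[32];  /* bounded copy of the assembled name, for inspection */
} parse_result;

/* Stand-in for the sanitizer: record a store past 'cap' instead of
 * performing undefined behaviour. */
static int checked_store(char *buf, size_t cap, size_t idx, char c,
                         parse_result *r)
{
    if (idx >= cap) {
        r->oob_write = 1;
        return -1;
    }
    buf[idx] = c;
    if (idx + 1 > r->written)
        r->written = idx + 1;
    return 0;
}

/* guarded == 0 models the pre-patch test   if (cur != '/')
 * guarded == 1 models the patched test     if (i >= len - 1 || cur != '/') */
static void parse_model(const char *name, int guarded, parse_result *r)
{
    size_t len = strlen(name);           /* name is NUL-terminated */
    char  *lookup_name;
    size_t i, j = 0, n;

    memset(r, 0, sizeof *r);
    lookup_name = malloc(len ? len : 1); /* exact-size region, as in the report */
    if (lookup_name == NULL)
        return;

    for (i = 0; i < len; i++) {
        char cur = name[i];

        if (checked_store(lookup_name, len, j++, cur, r) < 0)
            break;

        /* Unless this is a (non-trailing) slash, we are done with it */
        if (guarded ? (i >= len - 1 || cur != '/') : (cur != '/'))
            continue;

        /* Slash handler: eagerly take the first denominator byte.  For a
         * trailing slash, name[i + 1] is the NUL terminator (still readable),
         * but j == len here, so the store is one past the allocation. */
        if (checked_store(lookup_name, len, j++, name[i + 1], r) < 0)
            break;
        i++;                             /* denominator byte consumed */
    }

    /* Bounded copy for the caller; the real code goes on to look the name
     * up, which is where a name ending in '/' would be rejected. */
    n = r->written < sizeof r->lookup - 1 ? r->written : sizeof r->lookup - 1;
    memcpy(r->lookup, lookup_name, n);
    r->lookup[n] = '\0';
    free(lookup_name);
}

/* 1 if the model attempted an out-of-bounds store, else 0. */
int model_overflows(const char *name, int guarded)
{
    parse_result r;
    parse_model(name, guarded, &r);
    return r.oob_write;
}

/* Number of bytes the model stored inside the allocation. */
size_t model_written(const char *name, int guarded)
{
    parse_result r;
    parse_model(name, guarded, &r);
    return r.written;
}

int main(void)
{
    /* Constructed inputs: the two reporter strings plus two well-formed ones. */
    const char *inputs[] = { "numericvalue=/", "nv=/", "nv=1/3", "nv=12/34" };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-16s pre-patch: %-9s patched: %s\n", inputs[k],
               model_overflows(inputs[k], 0) ? "OOB write" : "ok",
               model_overflows(inputs[k], 1) ? "OOB write" : "ok");
    return 0;
}
```

The well-formed inputs stay in bounds under both conditions because every byte the handler stores corresponds to a byte it consumed from the input, so `j` never exceeds `i + 1`; the trailing-slash inputs break that invariant only in the unguarded path. Note what the guard does not do: it leaves the `/` in the assembled name and relies on the later lookup to reject it, which is why a regression test on the user-visible error is worth having alongside the sanitizer run.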

p5pRT commented May 6, 2018

From @khwilliamson

On 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:

> # New Ticket Created by Eiichi Tsukata
> # Please include the string: [perl #133179]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >
>
> [...]

The attached patch fixes this.

p5pRT commented May 6, 2018

From @khwilliamson

0001-PATCH-perl-133179-heap-buffer-overflow-write.patch
From d1f889a81736e137c73a14bb7641299a76f6eef6 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sun, 6 May 2018 02:27:01 -0600
Subject: [PATCH] PATCH: [perl # 133179] heap-buffer-overflow write

The code did not consider the case of a trailing slash with no
denominator following it.  Simply add a check.
---
 utf8.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utf8.c b/utf8.c
index ceb4723113..ec67b08d50 100644
--- a/utf8.c
+++ b/utf8.c
@@ -6118,8 +6118,8 @@ Perl_parse_uniprop_string(pTHX_ const char * const name, const Size_t len, const
 
         lookup_name[j++] = cur;
 
-        /* Unless this is a slash, we are done with it */
-        if (cur != '/') {
+        /* Unless this is a non-trailing slash, we are done with it */
+        if (i >= len - 1 || cur != '/') {
             continue;
         }
 
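Review bot: no regression test accompanies the guard; the diffstat shows only `utf8.c | 4 ++--`, so both reporter inputs, `\p{numericvalue=/}` and `\p{nv=/}`, should be added as cases that must fail with a clean error, otherwise a future change to the slash handling can only be caught by an ASan build. With the new condition a trailing `/` is still appended by `lookup_name[j++] = cur` before the `continue`, so correctness now depends on the later lookup rejecting a name that ends in `/`; a one-line comment at the `continue` stating that a trailing slash is deliberately left for the lookup to reject would make that intent explicit for the next reader. The arithmetic in `i >= len - 1` is safe provided the enclosing loop (not shown in the hunk) bounds `i` by `len`, since `len` is then at least 1 whenever this line runs and `len - 1` cannot wrap.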
-- 
2.11.0

p5pRT commented May 6, 2018

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented May 6, 2018

From @Etsukata

The attached patch fixes this.

Thanks for your speedy handling.
LGTM.

2018-05-06 17​:31 GMT+09​:00 karl williamson via RT <
perl5-security-report-followup@​perl.org>​:

On 05/05/2018 10​:44 PM, Eiichi Tsukata (via RT) wrote​:

# New Ticket Created by Eiichi Tsukata
# Please include the string​: [perl #133179]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >

Hello all,

I'm Eiichi Tsukata. Here is a security vulnerability report about a
regexp
unicode properties bug I've found.
Please feel free to contact me if you have any questions.

# Brief

There is a potential heap-buffer-overflow write
in Perl_parse_uniprop_string() when compiling
specific regular expressions with 'numericvalue' or 'nv' unicode
properties.

- Version​: 38c84d6(perl-5.28.0)
-
https://perl5.git.perl.org/perl.git/commit/
2cdbf8d
or later

# PoC

- with AddressSanitizer

The attached patch fixes this.

```

[eiichi@​x1 perl]$ ./miniperl -le 'my $a = "\\p{numericvalue=/}"; qr/$a/'

=================================================================
==23627==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x6020000014be at pc 0x000001302300 bp 0x7fff061da630 sp 0x7fff061da628
WRITE of size 1 at 0x6020000014be thread T0
#0 0x13022ff in Perl_parse_uniprop_string
/home/eiichi/git/etfuzz/ext/perl/utf8.c​:6151​:30
#1 0xae8828 in S_regclass
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:16783​:35
#2 0xaafaa1 in S_regatom
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:13250​:19
#3 0xa8f680 in S_regpiece
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:12002​:11
#4 0xa5b595 in S_regbranch
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:11930​:18
#5 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/
perl/regcomp.c​:11661​:10
#6 0x940319 in Perl_re_op_compile
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:7432​:9
#7 0x1023b4a in Perl_pp_regcomp
/home/eiichi/git/etfuzz/ext/perl/pp_ctl.c​:108​:14
#8 0xd576df in Perl_runops_standard
/home/eiichi/git/etfuzz/ext/perl/run.c​:41​:26
#9 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
#10 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/
perl/perl.c​:2617
#11 0x1415217 in main
/home/eiichi/git/etfuzz/ext/perl/miniperlmain.c​:128​:9
#12 0x7fe94e5e2f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
#13 0x41c3d9 in _start
(/home/eiichi/git/etfuzz/ext/perl/miniperl+0x41c3d9)

0x6020000014be is located 0 bytes to the right of 14-byte region
[0x6020000014b0,0x6020000014be)
allocated by thread T0 here​:
#0 0x4d8980 in malloc
(/home/eiichi/git/etfuzz/ext/perl/miniperl+0x4d8980)
#1 0xbc0dd0 in Perl_safesysmalloc
/home/eiichi/git/etfuzz/ext/perl/util.c​:153​:21
#2 0x12feea3 in Perl_parse_uniprop_string
/home/eiichi/git/etfuzz/ext/perl/utf8.c​:5940​:5
#3 0xae8828 in S_regclass
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:16783​:35
#4 0xaafaa1 in S_regatom
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:13250​:19
#5 0xa8f680 in S_regpiece
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:12002​:11
#6 0xa5b595 in S_regbranch
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:11930​:18
#7 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/
perl/regcomp.c​:11661​:10
#8 0x940319 in Perl_re_op_compile
/home/eiichi/git/etfuzz/ext/perl/regcomp.c​:7432​:9
#9 0x1023b4a in Perl_pp_regcomp
/home/eiichi/git/etfuzz/ext/perl/pp_ctl.c​:108​:14
#10 0xd576df in Perl_runops_standard
/home/eiichi/git/etfuzz/ext/perl/run.c​:41​:26
#11 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
#12 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/
perl/perl.c​:2617
#13 0x1415217 in main
/home/eiichi/git/etfuzz/ext/perl/miniperlmain.c​:128​:9
#14 0x7fe94e5e2f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/home/eiichi/git/etfuzz/ext/perl/utf8.c​:6151​:30 in
Perl_parse_uniprop_string
Shadow bytes around the buggy address​:
0x0c047fff8240​: fa fa 00 01 fa fa 00 02 fa fa 00 05 fa fa 00 02
0x0c047fff8250​: fa fa 00 fa fa fa 00 01 fa fa 00 00 fa fa 00 06
0x0c047fff8260​: fa fa 07 fa fa fa 00 04 fa fa 02 fa fa fa fd fd
0x0c047fff8270​: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa fd fd
0x0c047fff8280​: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8290​: fa fa 00 04 fa fa 00[06]fa fa fa fa fa fa fa fa
0x0c047fff82a0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82b0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82c0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82d0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82e0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes)​:
Addressable​: 00
Partially addressable​: 01 02 03 04 05 06 07
Heap left redzone​: fa
Freed heap region​: fd
Stack left redzone​: f1
Stack mid redzone​: f2
Stack right redzone​: f3
Stack after return​: f5
Stack use after scope​: f8
Global redzone​: f9
Global init order​: f6
Poisoned by user​: f7
Container overflow​: fc
Array cookie​: ac
Intra object redzone​: bb
ASan internal​: fe
Left alloca redzone​: ca
Right alloca redzone​: cb
==23627==ABORTING
```

- without AddressSanitizer / Segmentation Fault

```
[eiichi@x1 perl5]$ ./miniperl -le 'my $a = "\\p{numericvalue=/123456789/}"; qr/$a/'
Can't locate utf8.pm in @INC (you may need to install the utf8 module)
(@INC contains: .) at -e line 1.
BEGIN failed--compilation aborted.
Segmentation fault (コアダンプ)

[eiichi@x1 perl5]$ PERL5LIB=./lib ./miniperl -V

Summary of my perl5 (revision 5 version 28 subversion 0) configuration:
Commit id: 38c84d6
Platform:
osname=linux
osvers=4.15.14-300.fc27.x86_64
archname=x86_64-linux
uname='linux x1 4.15.14-300.fc27.x86_64 #1 smp thu mar 29 16:13:44 utc 2018 x86_64 x86_64 x86_64 gnulinux '
config_args='-des'
hint=previous
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O2'
cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='7.3.1 20180303 (Red Hat 7.3.1-5)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib /lib/../lib64 /usr/lib/../lib64 /lib /lib64 /usr/lib64 /usr/local/lib64 /usr/local/lib /usr/lib
libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.26.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.26'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
Compile-time options:
HAS_TIMES
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_EXTERNAL_GLOB
PERL_IS_MINIPERL
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
USE_64_BIT_ALL
USE_64_BIT_INT
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
USE_SITECUSTOMIZE
Built under linux
Compiled at May 6 2018 12:40:33
%ENV:
PERL5LIB="./lib"
@INC:
./lib
```

# Exploitability

- allows remote attackers to cause a denial of service (out-of-bounds
write) via a crafted regular expression.
- will be the same as CVE-2017-12837
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131582

# Additional Note

- 'nv' unicode property can also cause heap-buffer-overflow write:
```
[eiichi@x1 perl]$ ./miniperl -le 'my $a = "\\p{nv=/}"; qr/$a/'

==24715==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001514 at pc 0x000001302300 bp 0x7ffcf68336f0 sp 0x7ffcf68336e8
WRITE of size 1 at 0x602000001514 thread T0
    #0 0x13022ff in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30
    #1 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #2 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #3 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #4 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #5 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #6 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #7 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #8 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #9 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #10 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #11 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #12 0x7f964b94af29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #13 0x41c3d9 in _start (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x41c3d9)

0x602000001514 is located 0 bytes to the right of 4-byte region [0x602000001510,0x602000001514)
allocated by thread T0 here:
    #0 0x4d8980 in malloc (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x4d8980)
    #1 0xbc0dd0 in Perl_safesysmalloc /home/eiichi/git/etfuzz/ext/perl/util.c:153:21
    #2 0x12feea3 in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:5940:5
    #3 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35
    #4 0xaafaa1 in S_regatom /home/eiichi/git/etfuzz/ext/perl/regcomp.c:13250:19
    #5 0xa8f680 in S_regpiece /home/eiichi/git/etfuzz/ext/perl/regcomp.c:12002:11
    #6 0xa5b595 in S_regbranch /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11930:18
    #7 0x96afa6 in S_reg /home/eiichi/git/etfuzz/ext/perl/regcomp.c:11661:10
    #8 0x940319 in Perl_re_op_compile /home/eiichi/git/etfuzz/ext/perl/regcomp.c:7432:9
    #9 0x1023b4a in Perl_pp_regcomp /home/eiichi/git/etfuzz/ext/perl/pp_ctl.c:108:14
    #10 0xd576df in Perl_runops_standard /home/eiichi/git/etfuzz/ext/perl/run.c:41:26
    #11 0x68f523 in S_run_body /home/eiichi/git/etfuzz/ext/perl/perl.c
    #12 0x68f523 in perl_run /home/eiichi/git/etfuzz/ext/perl/perl.c:2617
    #13 0x1415217 in main /home/eiichi/git/etfuzz/ext/perl/miniperlmain.c:128:9
    #14 0x7f964b94af29 in __libc_start_main (/lib64/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30 in Perl_parse_uniprop_string
Shadow bytes around the buggy address:
0x0c047fff8250: fa fa 00 fa fa fa 00 01 fa fa 00 00 fa fa 00 06
0x0c047fff8260: fa fa 07 fa fa fa 00 04 fa fa 02 fa fa fa fd fd
0x0c047fff8270: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa fd fd
0x0c047fff8280: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fa
0x0c047fff8290: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04
=>0x0c047fff82a0: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24715==ABORTING
```

Thanks
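As an added example (not code from this issue, nor from perl itself), the following Python triage helper parses AddressSanitizer reports of the shape quoted in the report above: it extracts the access line, the faulting and allocating stacks and the "N bytes to the right of M-byte region" description, cross-checks that description against the addresses ASan printed, and reduces the report to one line a bug tracker or fuzzing dashboard can key on. The sample report is constructed from the values of the 'nv' report above, including the mail-style line wrapping and the zero-width spaces the RT-to-GitHub migration left in front of colons; the allocator-wrapper list and the severity ranking are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: addresses, frames and paths are those of the 'nv' report above, keeping the
# mail-style line wrapping and the zero-width spaces (U+200B) the RT-to-GitHub migration left in.
SAMPLE_REPORT = """\
==24715==ERROR\u200b: AddressSanitizer\u200b: heap-buffer-overflow on address
0x602000001514 at pc 0x000001302300 bp 0x7ffcf68336f0 sp 0x7ffcf68336e8
WRITE of size 1 at 0x602000001514 thread T0
    #0 0x13022ff in Perl_parse_uniprop_string
/home/eiichi/git/etfuzz/ext/perl/utf8.c\u200b:6151\u200b:30
    #1 0xae8828 in S_regclass /home/eiichi/git/etfuzz/ext/perl/regcomp.c:16783:35

0x602000001514 is located 0 bytes to the right of 4-byte region
[0x602000001510,0x602000001514)
allocated by thread T0 here\u200b:
    #0 0x4d8980 in malloc (/home/eiichi/git/etfuzz/ext/perl/miniperl+0x4d8980)
    #1 0xbc0dd0 in Perl_safesysmalloc /home/eiichi/git/etfuzz/ext/perl/util.c:153:21
    #2 0x12feea3 in Perl_parse_uniprop_string /home/eiichi/git/etfuzz/ext/perl/utf8.c:5940:5

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eiichi/git/etfuzz/ext/perl/utf8.c:6151:30 in Perl_parse_uniprop_string
==24715==ABORTING
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address\s+0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"0x[0-9a-f]+ is located (?P<dist>\d+) bytes to the (?P<side>left|right) of\s+"
                       r"(?P<rsize>\d+)-byte region\s+\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)")
ALLOC_RE = re.compile(r"allocated by thread T\d+ here:")
# Skipped when looking for the code that made the allocation: libc allocators plus
# Perl_safesysmalloc, perl's malloc wrapper as seen in the report (the list is an assumption).
ALLOCATOR_WRAPPERS = {"malloc", "calloc", "realloc", "Perl_safesysmalloc"}
Frame = Tuple[str, str]  # (function, source location or module+offset)


@dataclass
class AsanFinding:
    kind: str
    op: str
    access_size: int
    fault_addr: int
    region_size: Optional[int] = None
    region_hi: Optional[int] = None  # one past the last byte of the allocation
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def bytes_past_end(self) -> Optional[int]:
        if self.region_hi is None or self.fault_addr < self.region_hi:
            return None
        return self.fault_addr - self.region_hi

    def severity(self) -> str:
        # Triage convention assumed here, not ASan's: an out-of-bounds WRITE outranks a READ.
        return "high" if self.op == "WRITE" else "medium"


def parse_asan_report(text: str) -> AsanFinding:
    text = text.replace("\u200b", "")  # drop zero-width spaces picked up in transit
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not header or not access:
        raise ValueError("not an AddressSanitizer access report")
    f = AsanFinding(kind=header["kind"], op=access["op"],
                    access_size=int(access["size"]), fault_addr=int(access["addr"], 16))
    region = REGION_RE.search(text, access.end())
    alloc = ALLOC_RE.search(text, access.end())
    # The faulting stack sits between the access line and the region description; the
    # allocation stack between "allocated by ..." and the SUMMARY line.
    crash_end = region.start() if region else (alloc.start() if alloc else len(text))
    f.crash_stack = [m.group("func", "loc") for m in FRAME_RE.finditer(text, access.end(), crash_end)]
    if region:
        lo, hi = int(region["lo"], 16), int(region["hi"], 16)
        f.region_size, f.region_hi = int(region["rsize"]), hi
        # Cross-check ASan's prose ("N bytes to the right of") against the addresses it printed.
        computed = f.fault_addr - hi if region["side"] == "right" else lo - f.fault_addr
        if computed != int(region["dist"]):
            raise ValueError("region description disagrees with the printed addresses")
    if alloc:
        end = text.find("SUMMARY:", alloc.end())
        f.alloc_stack = [m.group("func", "loc") for m in
                         FRAME_RE.finditer(text, alloc.end(), end if end != -1 else len(text))]
    return f


def culprit(f: AsanFinding) -> Tuple[Optional[Frame], Optional[Frame]]:
    """Frame that did the bad access, and first non-allocator frame that made the allocation."""
    alloc_site = next((fr for fr in f.alloc_stack if fr[0] not in ALLOCATOR_WRAPPERS), None)
    return (f.crash_stack[0] if f.crash_stack else None), alloc_site


def triage_line(f: AsanFinding) -> str:
    crash, alloc = culprit(f)
    past = f.bytes_past_end()
    where = (f"{past} byte(s) past the end of a {f.region_size}-byte heap allocation"
             if past is not None else "at an unclassified location")
    access_txt = f"access in {crash[0]} at {crash[1]}" if crash else "no stack"
    alloc_txt = f"allocated in {alloc[0]} at {alloc[1]}" if alloc else "allocation site unknown"
    return f"[{f.severity()}] {f.kind}: {f.op} of {f.access_size} byte(s) {where}; {access_txt}; {alloc_txt}"
```

Calling `triage_line(parse_asan_report(SAMPLE_REPORT))` yields a single line naming the one-byte write zero bytes past a 4-byte heap allocation, the access site at utf8.c:6151 and the allocation site at utf8.c:5940, which is exactly the pairing a reviewer needs when reading a fix: the buffer is sized at one place and written at another, so either the size computation or the write loop is off by one.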

p5pRT commented May 9, 2018

From @khwilliamson

On 05/06/2018 02:48 AM, Eiichi Tsukata wrote:

The attached patch fixes this.

Thanks for your speedy handling.
LGTM.

And thank you very much for finding and reporting the bugs you are finding.

2018-05-06 17:31 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:
> # New Ticket Created by Eiichi Tsukata
> # Please include the string: [perl #133179]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >
>
>
> Hello all,
>
> I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp
> unicode properties bug I've found.
> Please feel free to contact me if you have any questions.
>
> # Brief
>
> There is a potential heap-buffer-overflow write
> in Perl_parse_uniprop_string() when compiling
> specific regular expressions with 'numericvalue' or 'nv' unicode properties.
>
> - Version: 38c84d6ad1b77d7b1(perl-5.28.0)
>    -
> https://perl5.git.perl.org/perl.git/commit/2cdbf8d9c7a9b6f7640617efa7e5d24c9bedb9f2
> or later
>
> # PoC
>
> - with AddressSanitizer

The attached patch fixes this.

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it. If we don't fix it now, then it does
become a security issue.

I propose to merge the patch now and move the ticket to the public
queue. I can add a test to the patch, but I'd rather wait until 5.29
and change mktables to generate this pattern for every possible property.

p5pRT commented May 10, 2018

From @Etsukata

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it.

I'm happy to hear that it has been fixed prior to 5.28 release.

If we don't fix it now, then it does
become a security issue.

At https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133185

So if you're an application that executes arbitrary user-input
regular expressions, you're already vulnerable, without this new one.

Means that it does *NOT* become a security issue?

2018-05-10 8:50 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/06/2018 02:48 AM, Eiichi Tsukata wrote:

The attached patch fixes this.

Thanks for your speedy handling.
LGTM.

And thank you very much for finding and reporting the bugs you are finding.

2018-05-06 17:31 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:
> # New Ticket Created by Eiichi Tsukata
> # Please include the string: [perl #133179]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >
>
>
> Hello all,
>
> I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp
> unicode properties bug I've found.
> Please feel free to contact me if you have any questions.
>
> # Brief
>
> There is a potential heap-buffer-overflow write
> in Perl_parse_uniprop_string() when compiling
> specific regular expressions with 'numericvalue' or 'nv' unicode properties.
>
> - Version: 38c84d6ad1b77d7b1(perl-5.28.0)
>    -
> https://perl5.git.perl.org/perl.git/commit/2cdbf8d9c7a9b6f7640617efa7e5d24c9bedb9f2
> or later
>
> # PoC
>
> - with AddressSanitizer

The attached patch fixes this.

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it. If we don't fix it now, then it does
become a security issue.

I propose to merge the patch now and move the ticket to the public
queue. I can add a test to the patch, but I'd rather wait until 5.29
and change mktables to generate this pattern for every possible property.

p5pRT commented May 10, 2018

From @Etsukata

Means that it does *NOT* become a security issue?

According to the following criteria, it seems that it does become a
security issue.

2018-05-10 21:40 GMT+09:00 Dave Mitchell <davem@iabyn.com>:

On Thu, May 10, 2018 at 09:29:29PM +0900, Eiichi Tsukata wrote:

But something
which is just a pure DoS (e.g. burning up CPU) doesn't usually worry
us.

A little confusing, so let me clarify the perl5 community's criteria.

Case​: (user input) regular expression, unicode character, JSON, XML, etc
... handling

- Out-of-Bound read or write => a security issue
- Infinite loop => *NOT* a security issue
- other => it depends

Yes to those three criteria *if* we are talking about a regex pattern.

If we are talking about something else, like data being read from a file
or socket, then our criteria would be stricter.

2018-05-10 10:56 GMT+09:00 Eiichi Tsukata <devel@etsukata.com>:

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it.

I'm happy to hear that it has been fixed prior to 5.28 release.

If we don't fix it now, then it does
become a security issue.

At https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133185

So if you're an application that executes arbitrary user-input
regular expressions, you're already vulnerable, without this new one.

Means that it does *NOT* become a security issue?

2018-05-10 8:50 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/06/2018 02:48 AM, Eiichi Tsukata wrote:

The attached patch fixes this.

Thanks for your speedy handling.
LGTM.

And thank you very much for finding and reporting the bugs you are finding.

2018-05-06 17:31 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:
> # New Ticket Created by Eiichi Tsukata
> # Please include the string: [perl #133179]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >
>
>
> Hello all,
>
> I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp
> unicode properties bug I've found.
> Please feel free to contact me if you have any questions.
>
> # Brief
>
> There is a potential heap-buffer-overflow write
> in Perl_parse_uniprop_string() when compiling
> specific regular expressions with 'numericvalue' or 'nv' unicode properties.
>
> - Version: 38c84d6ad1b77d7b1(perl-5.28.0)
>    -
> https://perl5.git.perl.org/perl.git/commit/2cdbf8d9c7a9b6f7640617efa7e5d24c9bedb9f2
> or later
>
> # PoC
>
> - with AddressSanitizer

The attached patch fixes this.

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it. If we don't fix it now, then it does
become a security issue.

I propose to merge the patch now and move the ticket to the public
queue. I can add a test to the patch, but I'd rather wait until 5.29
and change mktables to generate this pattern for every possible property.

p5pRT commented May 10, 2018

From @khwilliamson

On 05/09/2018 07:56 PM, Eiichi Tsukata wrote:

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it.

I'm happy to hear that it has been fixed prior to 5.28 release.

If we don't fix it now, then it does
become a security issue.

At https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133185
<https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133185>

So if you're an application that executes arbitrary user-input
regular expressions, you're already vulnerable, without this new one.

Means that it does *NOT* become a security issue?

This would normally be a security issue. But it isn't here because this
code doesn't exist in any stable release of Perl. It's not in any 5.26,
nor in any 5.24, nor in any other release that we support. It's new
code that's in a development-only release, and I'm very glad that you
caught it in time to prevent us from putting it into 5.28, at which
point it would be in a stable release, and hence a security issue.

We are about to ship 5.28, and I have to get permission for any change
that I make to it. My email was advocating for what I believe needs to
be done. Since the person who can grant that permission is reasonable,
I'm confident that it will be granted. We are not going to ship
something with a newly introduced security bug! But I do have to wait
for the permission to be granted.

2018-05-10 8:50 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:

On 05/06/2018 02:48 AM, Eiichi Tsukata wrote:
> > The attached patch fixes this.
>
> Thanks for your speedy handling.
> LGTM.

And thank you very much for finding and reporting the bugs you are finding.
>
> 2018-05-06 17:31 GMT+09:00 karl williamson via RT <perl5-security-report-followup@perl.org>:
>
>     On 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:
>      > # New Ticket Created by Eiichi Tsukata
>      > # Please include the string: [perl #133179]
>      > # in the subject line of all future correspondence about this issue.
>      > # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133179 >
>      >
>      >
>      > Hello all,
>      >
>      > I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp
>      > unicode properties bug I've found.
>      > Please feel free to contact me if you have any questions.
>      >
>      > # Brief
>      >
>      > There is a potential heap-buffer-overflow write
>      > in Perl_parse_uniprop_string() when compiling
>      > specific regular expressions with 'numericvalue' or 'nv' unicode properties.
>      >
>      > - Version: 38c84d6ad1b77d7b1(perl-5.28.0)
>      >    -
>      > https://perl5.git.perl.org/perl.git/commit/2cdbf8d9c7a9b6f7640617efa7e5d24c9bedb9f2
>      > or later
>      >
>      > # PoC
>      >
>      > - with AddressSanitizer
>
>     The attached patch fixes this.

This is not a security bug if we fix it in 5.28, because there is no
stable release that contains it.  If we don't fix it now, then it does
become a security issue.

I propose to merge the patch now and move the ticket to the public
queue.  I can add a test to the patch, but I'd rather wait until 5.29
and change mktables to generate this pattern for every possible
property.

p5pRT commented May 12, 2018

From @iabyn

On Thu, May 10, 2018 at 09:21:24AM -0600, Karl Williamson wrote:

We are about to ship 5.28, and I have to get permission for any change that
I make to it. My email was advocating for what I believe needs to be done.
Since the person who can grant that permission is reasonable, I'm confident
that it will be granted. We are not going to ship something with a newly
introduced security bug! But I do have to wait for the permission to be
granted.

+1 from me.

--
All wight. I will give you one more chance. This time, I want to hear
no Wubens. No Weginalds. No Wudolf the wed-nosed weindeers.
  -- Life of Brian

p5pRT commented May 19, 2018

From @khwilliamson

Thanks for finding and reporting this

Fixed by commit da3e33c
--
Karl Williamson

p5pRT commented May 19, 2018

@khwilliamson - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed May 19, 2018