heap-buffer-overflow in S_reginsert #16853

Closed
p5pRT opened this issue Mar 1, 2019 · 4 comments

p5pRT commented Mar 1, 2019

Migrated from rt.perl.org#133871 (status was 'resolved')

Searchable as RT133871$


p5pRT commented Mar 1, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run under libdislocator, I found the following program

/(?|(())|())|/

to cause a heap-buffer-overflow read. This is a regression in blead, so not a security issue; bisect points to:

7c932d0 is the first bad commit
commit 7c932d0
Author: Karl Williamson <khw@cpan.org>
Date: Fri Oct 19 09:48:34 2018 -0600

  Remove sizing pass from regular expression compiler

  This commit removes the sizing pass for regular expression compilation.
  It attempts to be the minimum required to do this. Future patches are
  in the works that improve it, and there is certainly lots more that
  could be done.

The ASAN trace follows:

=================================================================
==48675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc80 at pc 0x000000818fa4 bp 0x7ffebb1d2230 sp 0x7ffebb1d2228
READ of size 8 at 0x60200000dc80 thread T0
  #0 0x818fa3 in S_reginsert /home/afl/afl-asan/regcomp.c:19439:27
  #1 0x759279 in S_reg /home/afl/afl-asan/regcomp.c:12024:6
  #2 0x73b5ed in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7665:9
  #3 0x53fb8d in Perl_pmruntime /home/afl/afl-asan/op.c:7094:6
  #4 0x70be8c in Perl_yyparse /home/afl/afl-asan/perly.y:1228:23
  #5 0x5eba6a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #6 0x5e1e23 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #7 0x50b5de in main /home/afl/afl-asan/perlmain.c:126:10
  #8 0x7f2684ba309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  #9 0x43bdc9 in _start (/home/afl/afl-asan/perl+0x43bdc9)

0x60200000dc80 is located 0 bytes to the right of 16-byte region [0x60200000dc70,0x60200000dc80)
allocated by thread T0 here:
  #0 0x4da570 in calloc (/home/afl/afl-asan/perl+0x4da570)
  #1 0x896bce in Perl_safesyscalloc /home/afl/afl-asan/util.c:439:18
  #2 0x758969 in S_reg /home/afl/afl-asan/regcomp.c:11962:21
  #3 0x81c995 in S_regatom /home/afl/afl-asan/regcomp.c:13155:15
  #4 0x7fe6f9 in S_regpiece /home/afl/afl-asan/regcomp.c:12372:11
  #5 0x7fe6f9 in S_regbranch /home/afl/afl-asan/regcomp.c:12290
  #6 0x7599be in S_reg /home/afl/afl-asan/regcomp.c:12055:14
  #7 0x81c995 in S_regatom /home/afl/afl-asan/regcomp.c:13155:15
  #8 0x7fe6f9 in S_regpiece /home/afl/afl-asan/regcomp.c:12372:11
  #9 0x7fe6f9 in S_regbranch /home/afl/afl-asan/regcomp.c:12290
  #10 0x759015 in S_reg /home/afl/afl-asan/regcomp.c:12011:10
  #11 0x73b5ed in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7665:9
  #12 0x53fb8d in Perl_pmruntime /home/afl/afl-asan/op.c:7094:6
  #13 0x70be8c in Perl_yyparse /home/afl/afl-asan/perly.y:1228:23
  #14 0x5eba6a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #15 0x5e1e23 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #16 0x50b5de in main /home/afl/afl-asan/perlmain.c:126:10
  #17 0x7f2684ba309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9
Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh


p5pRT commented Mar 14, 2019

From @khwilliamson

Fixed by
commit e081490
Author: Karl Williamson <khw@cpan.org>
Date: Wed Mar 13 19:11:46 2019 -0600

  PATCH: [perl #133871] heap-buffer-overflow in S_reginsert

  The regex compiler was written assuming it knew how many parentheses
  pairs there were at code generation time. When I converted to a single
  pass in 7c932d0, most things were straightforward to not have to know
  this number, but there were a few where it was non-trivial (for me
  anyway) to figure out how to handle. So I punted on these and do a
  second pass when these are encountered. There are few of them and they
  are less commonly used, namely (?R), (?|...) and forward references to
  groups (which most commonly will end up being a syntax error anyway).

  The fix in this commit is to avoid doing some parentheses relocations
  when a regnode is inserted when it is known that the parentheses counts
  are unreliable (during initial parsing of one of these tricky
  constructs). The code in the ticket is using a branch reset '(?|...)'.
  A second pass will get done, and the insert properly handled then, after
  the counts are reliable.

--
Karl Williamson
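The report and the fix description above turn on one mechanism: the node-insert routine walks a table of group offsets using a group count that the single-pass compiler has not yet finalised, so during a branch reset the loop bound can exceed the allocation. The C model below is an added example and is not code from perl's regcomp.c; `prog_t`, `reginsert_unfixed`, `reginsert_fixed`, `second_pass` and the scenario data are all hypothetical simplifications of what the commit message describes, and the sample node streams are constructed. Reading the ASAN numbers (an 8-byte read 0 bytes past a 16-byte `calloc` region) as element [2] of a two-entry table of 8-byte offsets is my inference from the trace, not something the ticket states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_NODES 32
enum { OP_BRANCH = 1, OP_OPEN = 2, OP_CLOSE = 3 };

/* Hypothetical state, not Perl's: a node stream plus a heap table of each group's open
 * offset. open_cap is what was allocated; npar is the parser's running count, which
 * inside (?|...) can run ahead of open_cap before the count is final. */
typedef struct {
    int     prog[MAX_NODES];
    size_t  len, *open_off, open_cap, npar;
    int     parens_reliable, second_pass_needed;
} prog_t;

static void prog_init(prog_t *p, size_t cap) {
    memset(p, 0, sizeof *p);
    p->open_off = calloc(cap, sizeof *p->open_off);
    p->open_cap = p->open_off ? cap : 0;
    p->parens_reliable = 1;
}

static void emit(prog_t *p, int op) {
    if (op == OP_OPEN && p->npar < p->open_cap) p->open_off[p->npar] = p->len;
    if (op == OP_OPEN) p->npar++;      /* '(' is counted even when the table is full */
    if (p->len < MAX_NODES) p->prog[p->len++] = op;
}

static void make_room(prog_t *p, size_t pos, int op) {  /* shift [pos, len) right by one */
    if (p->len >= MAX_NODES || pos > p->len) return;
    memmove(&p->prog[pos + 1], &p->prog[pos], (p->len - pos) * sizeof p->prog[0]);
    p->prog[pos] = op; p->len++;
}

/* Pre-fix shape: the relocation loop trusts npar as its bound, so once the parser
 * has counted more groups than the table holds it reads past the allocation. */
static void reginsert_unfixed(prog_t *p, size_t pos, int op) {
    make_room(p, pos, op);
    for (size_t i = 0; i < p->npar; i++)
        if (p->open_off[i] >= pos) p->open_off[i] += 1;
}

/* Post-fix shape: while the count is provisional, insert the node, leave the
 * table alone and flag a second pass; otherwise relocate within capacity. */
static void reginsert_fixed(prog_t *p, size_t pos, int op) {
    make_room(p, pos, op);
    if (!p->parens_reliable) { p->second_pass_needed = 1; return; }
    size_t bound = p->npar < p->open_cap ? p->npar : p->open_cap;
    for (size_t i = 0; i < bound; i++)
        if (p->open_off[i] >= pos) p->open_off[i] += 1;
}

/* Second pass: the count is final, so resize the table to it and rebuild the
 * offsets from the OPEN nodes in the stream. Returns the number of groups recorded. */
static int second_pass(prog_t *p) {
    size_t *t = calloc(p->npar ? p->npar : 1, sizeof *t), k = 0;
    if (!t) return -1;
    for (size_t i = 0; i < p->len && k < p->npar; i++)
        if (p->prog[i] == OP_OPEN) t[k++] = i;
    free(p->open_off);
    p->open_off = t; p->open_cap = p->npar;
    p->parens_reliable = 1; p->second_pass_needed = 0;
    return (int)k;
}

/* Constructed scenario shaped like the ticket's pattern: a table sized for 2 groups
 * meets a branch reset that opens 3 groups before the count is final, then a BRANCH
 * node is inserted at the front. Fills out[] with the final open offsets and
 * returns 1 if the insert was deferred to the second pass, -1 on error. */
static int branch_reset_scenario(size_t out[3]) {
    prog_t p; prog_init(&p, 2);
    p.parens_reliable = 0;                   /* entering (?| ... ) */
    emit(&p, OP_OPEN);  emit(&p, OP_OPEN);   /* (( */
    emit(&p, OP_CLOSE); emit(&p, OP_CLOSE);  /* )) */
    emit(&p, OP_BRANCH);                     /* |  */
    emit(&p, OP_OPEN);  emit(&p, OP_CLOSE);  /* () : npar is now 3 > open_cap 2 */
    reginsert_fixed(&p, 0, OP_BRANCH);       /* reginsert_unfixed here would read open_off[2] */
    int deferred = p.second_pass_needed, n = second_pass(&p);
    for (int i = 0; i < 3; i++) out[i] = n == 3 ? p.open_off[i] : 0;
    free(p.open_off);
    return n == 3 ? deferred : -1;
}

/* With reliable counts the pre-fix loop is correct and relocates both groups. */
static int simple_scenario(size_t out[2]) {
    prog_t p; prog_init(&p, 2);
    emit(&p, OP_OPEN); emit(&p, OP_CLOSE);   /* () opens at 0 */
    emit(&p, OP_OPEN); emit(&p, OP_CLOSE);   /* () opens at 2 */
    reginsert_unfixed(&p, 0, OP_BRANCH);
    out[0] = p.open_off[0]; out[1] = p.open_off[1];
    free(p.open_off);
    return 0;
}

int main(void) {
    size_t a[3], b[2];
    int d = branch_reset_scenario(a);
    simple_scenario(b);
    printf("deferred=%d opens=%zu,%zu,%zu simple=%zu,%zu\n", d, a[0], a[1], a[2], b[0], b[1]);
    return 0;
}
```

Building this with `-fsanitize=address` and swapping `reginsert_fixed` for `reginsert_unfixed` inside `branch_reset_scenario` reproduces the same class of report as the trace in the ticket (a read just past the end of a calloc'd region), which is a quick way to confirm that a regression test for this shape of pattern would have caught the bug; the deferred second pass, by contrast, leaves the table alone until the count is trustworthy and then rebuilds it from the stream itself.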


p5pRT commented Mar 14, 2019

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT closed this as completed Mar 14, 2019

p5pRT commented Mar 14, 2019

@khwilliamson - Status changed from 'open' to 'resolved'
