heap-use-after-free in S_reg (regcomp.c:12154) #16889

Closed
p5pRT opened this issue Mar 14, 2019 · 5 comments
p5pRT commented Mar 14, 2019

Migrated from rt.perl.org#133933 (status was 'resolved')

Searchable as RT133933$

p5pRT commented Mar 14, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-106-gbfa9f5ee70 built with afl and run
under libdislocator, I found the program attached to this message
to cause a heap-buffer-overflow read. This is a regression in blead,
so not a security issue, bisect points to:

7c932d0 is the first bad commit
commit 7c932d0
Author: Karl Williamson <khw@cpan.org>
Date: Fri Oct 19 09:48:34 2018 -0600

  Remove sizing pass from regular expression compiler

  This commit removes the sizing pass for regular expression compilation.
  It attempts to be the minimum required to do this. Future patches are
  in the works that improve it, and there is certainly lots more that
  could be done.

ASAN trace follows:

==1208==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe0847db9a9 at pc 0x000000770e74 bp 0x7ffdb5003b30 sp 0x7ffdb5003b28
READ of size 1 at 0x7fe0847db9a9 thread T0
  #0 0x770e73 in S_reg /home/afl/afl-asan/regcomp.c:12154:28
  #1 0x73b5dd in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7678:9
  #2 0x53fb86 in Perl_pmruntime /home/afl/afl-asan/op.c:7131:6
  #3 0x70bedc in Perl_yyparse /home/afl/afl-asan/perly.y:1228:23
  #4 0x5ebe5a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #5 0x5e2213 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #6 0x50b5fe in main /home/afl/afl-asan/perlmain.c:126:10
  #7 0x7fe0933bd09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  #8 0x43bde9 in _start (/home/afl/afl-asan/perl+0x43bde9)

0x7fe0847db9a9 is located 4521 bytes inside of 524324-byte region [0x7fe0847da800,0x7fe08485a824)
freed by thread T0 here:
  #0 0x4da790 in realloc (/home/afl/afl-asan/perl+0x4da790)
  #1 0x8996a9 in Perl_safesysrealloc /home/afl/afl-asan/util.c:271:18
  #2 0x81df76 in S_change_engine_size /home/afl/afl-asan/regcomp.c:19416:5
  #3 0x81d167 in S_regnode_guts /home/afl/afl-asan/regcomp.c:19439:5
  #4 0x75ad5c in S_reg_node /home/afl/afl-asan/regcomp.c:19469:32
  #5 0x75ad5c in S_reg /home/afl/afl-asan/regcomp.c:12120
  #6 0x73b5dd in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7678:9
  #7 0x53fb86 in Perl_pmruntime /home/afl/afl-asan/op.c:7131:6
  #8 0x70bedc in Perl_yyparse /home/afl/afl-asan/perly.y:1228:23
  #9 0x5ebe5a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #10 0x5e2213 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #11 0x50b5fe in main /home/afl/afl-asan/perlmain.c:126:10
  #12 0x7fe0933bd09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
  #0 0x4da790 in realloc (/home/afl/afl-asan/perl+0x4da790)
  #1 0x8996a9 in Perl_safesysrealloc /home/afl/afl-asan/util.c:271:18
  #2 0x81df76 in S_change_engine_size /home/afl/afl-asan/regcomp.c:19416:5
  #3 0x82942d in S_regatom /home/afl/afl-asan/regcomp.c:14582:13
  #4 0x800619 in S_regpiece /home/afl/afl-asan/regcomp.c:12385:11
  #5 0x800619 in S_regbranch /home/afl/afl-asan/regcomp.c:12303
  #6 0x759cb1 in S_reg /home/afl/afl-asan/regcomp.c:12068:14
  #7 0x73b5dd in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7678:9
  #8 0x53fb86 in Perl_pmruntime /home/afl/afl-asan/op.c:7131:6
  #9 0x70bedc in Perl_yyparse /home/afl/afl-asan/perly.y:1228:23
  #10 0x5ebe5a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #11 0x5e2213 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #12 0x50b5fe in main /home/afl/afl-asan/perlmain.c:126:10
  #13 0x7fe0933bd09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'



@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9


Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh
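The two ASan stacks above describe a classic realloc hazard: the program buffer was grown (and moved) by S_change_engine_size from inside S_reg_node while the caller, S_reg, still held a pointer into the old buffer and read through it. The following is an added example, not perl's code, of a toy growable node buffer that models this pattern and shows the offset-based fix; the regnode layout, opcode numbers and function names are constructed for illustration.

```c
/* Added example, not perl's code: a toy model of a growable regex-program
 * buffer like the one regcomp.c uses once there is no sizing pass.
 * emit_node() may realloc() the program, so a raw pointer taken before the
 * call is dangling afterwards (the pattern ASan reports above: S_reg held a
 * pointer across S_reg_node -> S_change_engine_size). The safe form keeps an
 * offset and re-derives the pointer at each use. */
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint8_t op; uint8_t flags; uint16_t next; } regnode;

typedef struct {
    regnode *prog;   /* growable program buffer, may move on growth */
    size_t used;     /* nodes emitted so far */
    size_t cap;      /* nodes allocated */
    int grows;       /* number of realloc() calls */
} engine;

/* Append a node and return its OFFSET, never a pointer into prog. */
static size_t emit_node(engine *e, uint8_t op) {
    if (e->used == e->cap) {
        size_t ncap = e->cap ? e->cap * 2 : 4;
        regnode *np = realloc(e->prog, ncap * sizeof *np);
        if (!np) abort();
        e->prog = np; e->cap = ncap; e->grows++;   /* old pointers now stale */
    }
    e->prog[e->used] = (regnode){ .op = op };
    return e->used++;
}

/* Resolve an offset only at the point of use. */
static regnode *node_at(const engine *e, size_t off) { return e->prog + off; }

typedef struct { uint16_t next; uint8_t flags; int grows; size_t used; } demo_result;

/* "Open a group, emit its body, patch the opener": the unsafe version would
 * save regnode *ret = node_at(&e, open) here and dereference ret after the
 * loop, the kind of stale read ASan flagged at regcomp.c:12154. The safe
 * version carries only the offset `open` across the emissions. */
static demo_result compile_group(size_t body_nodes) {
    engine e = { 0 };
    size_t open = emit_node(&e, 1 /* OPEN, constructed opcode */);
    for (size_t i = 0; i < body_nodes; i++) emit_node(&e, 2 /* EXACT */);
    size_t close = emit_node(&e, 3 /* CLOSE */);
    node_at(&e, open)->next = (uint16_t)(close - open);  /* fresh pointer */
    node_at(&e, open)->flags = 0x42;
    demo_result r = { node_at(&e, open)->next, node_at(&e, open)->flags,
                      e.grows, e.used };
    free(e.prog);
    return r;
}
```

Building the same model with the pointer-holding variant under -fsanitize=address reproduces the heap-use-after-free report shape seen above, with realloc in the "freed by" stack.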

p5pRT commented Mar 14, 2019

From @dur-randir

0160

p5pRT commented Mar 14, 2019

From @khwilliamson

It turns out that this was fixed by bf848a1
I've pushed 88b5a12 which adds the test for this ticket
--
Karl Williamson

p5pRT commented Mar 14, 2019

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Mar 14, 2019

@khwilliamson - Status changed from 'open' to 'resolved'
