
Malformed utf8 message; earlier bug fixed, was use heap after free #16020

Open
p5pRT opened this issue Jun 15, 2017 · 6 comments

Comments


p5pRT commented Jun 15, 2017

Migrated from rt.perl.org#131577 (status was 'open')

Searchable as RT131577$


p5pRT commented Jun 15, 2017

From @geeknik

Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
Debian 8 x64.

Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE */ at test581 line 1, <DATA> line 5.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE */ at test581 line 1, <DATA> line 5.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/[k@▒l]s{ <-- HERE */ at test581 line 1, <DATA> line 5.
Malformed UTF-8 character (unexpected end of string) in substitution (s///) at test581 line 1, <DATA> line 5.

==22553==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ea47 at pc 0xf21e80 bp 0x7fff9a7bca70 sp 0x7fff9a7bca68
READ of size 1 at 0x60300000ea47 thread T0
  #0 0xf21e7f in S_reghop4 /root/perl/regexec.c:9494
  #1 0xfc84f0 in Perl_re_intuit_start /root/perl/regexec.c:1054
  #2 0xfcae37 in Perl_regexec_flags /root/perl/regexec.c:3001
  #3 0xac86d2 in Perl_pp_subst /root/perl/pp_hot.c:3229
  #4 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
  #5 0x59f02a in S_run_body /root/perl/perl.c:2543
  #6 0x59f02a in perl_run /root/perl/perl.c:2471
  #7 0x43506d in main /root/perl/perlmain.c:123
  #8 0x7f3350585b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #9 0x436015 (/root/perl/perl+0x436015)

0x60300000ea47 is located 7 bytes inside of 24-byte region [0x60300000ea40,0x60300000ea58)
freed by thread T0 here:
  #0 0x7f33516d79f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
  #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

previously allocated by thread T0 here:
  #0 0x7f33516d79f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
  #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/regexec.c:9494 S_reghop4


p5pRT commented Jun 15, 2017

From @geeknik

test581.gz


p5pRT commented Jun 22, 2017

From @tonycoz

On Wed, 14 Jun 2017 17:50:42 -0700, brian.carpenter@gmail.com wrote:


Attached is a partial minimization.

This patch​:

diff --git a/regexec.c b/regexec.c
index 05675ad..29ec5c7 100644
--- a/regexec.c
+++ b/regexec.c
@@ -9524,6 +9524,9 @@ S_reghopmaybe3(U8* s, SSize_t off, const U8* const lim)
        }
        if (off >= 0)
            return NULL;
+        if (s > lim) {
+            Perl_croak_nocontext("Malformed UTF-8 character (fatal)");
+        }
     }
     else {
         while (off++ && s > lim) {
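Review bot: the new `if (s > lim)` test in S_reghopmaybe3 only diagnoses an overshoot after it has happened: by the time it runs, the forward loop has already advanced `s` with UTF8SKIP past `lim` on a truncated final character, so a pointer beyond the buffer has already been formed and compared, which is the "a little broken" case the footnote concedes. Because the check also sits behind `if (off >= 0) return NULL;`, the same malformation is reported inconsistently: an overshoot on the last hop croaks, while one on an earlier iteration that leaves `off >= 0` returns NULL silently. Prefer rejecting the truncated sequence before advancing, inside the loop, e.g. `if (s + UTF8SKIP(s) > lim) return NULL;` (or croak there), and reuse the wording of the existing malformation diagnostic ("Malformed UTF-8 character (unexpected end of string)") rather than the new ad hoc "(fatal)" text so the message matches what the interpreter already emits.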

prevents the crash[1], but I suspect the problem is the code is doing a substitution on $_ while a substitution on $_ is in progress.

Tony

[1] and is a little broken, since s might be beyond the end of the allocated string
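The overshoot Tony describes, as an added example that is not part of the original report or of Perl's source: a stand-in for the forward branch of the hop loop, with the patch's after-the-fact test beside a check placed before the hop. The names `utf8_skip`, `hop_unchecked` and `hop_checked` and the two byte strings are constructed for illustration; byte offsets stand in for pointers so the overshoot can be observed without forming an out-of-bounds pointer.

```c
/* Added example, not Perl's code: shows how a "hop N characters" loop that
 * trusts the lead byte (as UTF8SKIP does) walks past the end of a buffer
 * whose last character is truncated, and what a check before the hop
 * looks like instead of the patch's check after it. */
#include <stddef.h>
#include <stdio.h>

/* Mirrors UTF8SKIP(): length comes from the lead byte alone; nothing here
 * verifies that the continuation bytes exist.  Assumption: anything that is
 * not a valid lead byte is treated as a one-byte step. */
static size_t utf8_skip(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Unchecked hop in the shape of the page's loop, followed by the patch's
 * after-the-fact comparison.  Returns the byte position reached; *overshoot
 * receives how far past `len` it landed (0 if it stayed in bounds).  With
 * pointers, a non-zero overshoot is the out-of-bounds `s` that the report's
 * S_reghop4 frame went on to read. */
size_t hop_unchecked(const unsigned char *buf, size_t len, size_t pos,
                     long off, size_t *overshoot)
{
    while (off-- > 0 && pos < len)
        pos += utf8_skip(buf[pos]);          /* may jump past len */
    *overshoot = pos > len ? pos - len : 0;  /* the patch's `s > lim` test */
    return pos;
}

/* Checked hop: confirm the whole sequence fits before advancing.  Returns 1
 * with *pos updated on success.  Returns 0 with *pos left at the lead byte of
 * the truncated character (*malformed = 1), or at `len` when the string ran
 * out before `off` characters were hopped (the function's NULL case). */
int hop_checked(const unsigned char *buf, size_t len, size_t *pos, long off,
                int *malformed)
{
    *malformed = 0;
    while (off > 0) {
        if (*pos >= len)
            return 0;                        /* ran out of string */
        size_t n = utf8_skip(buf[*pos]);
        if (n > len - *pos) {                /* lead byte promises bytes that are not there */
            *malformed = 1;
            return 0;
        }
        *pos += n;
        off--;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs.  `bad` ends in the first two bytes of a three-byte
     * sequence (U+2592, the "▒" in the report's regex, is E2 96 92) with the
     * final byte missing: the "unexpected end of string" malformation. */
    static const unsigned char good[] = "k\xC3\xA9l";   /* k, é, l: 4 bytes, 3 chars */
    static const unsigned char bad[]  = "k@\xE2\x96";    /* k, @, truncated ▒: 4 bytes */
    size_t over, pos;
    int malformed;

    pos = hop_unchecked(good, 4, 0, 3, &over);
    printf("good: unchecked hop 3 -> byte %zu, overshoot %zu\n", pos, over);

    pos = hop_unchecked(bad, 4, 0, 3, &over);
    printf("bad:  unchecked hop 3 -> byte %zu, overshoot %zu (past the buffer)\n", pos, over);

    pos = 0;
    if (!hop_checked(bad, 4, &pos, 3, &malformed))
        printf("bad:  checked hop stopped at byte %zu, malformed=%d\n", pos, malformed);
    return 0;
}
```

The unchecked variant lands at byte 5 of a 4-byte buffer for the truncated input, which is exactly the state the patch detects only after the damage is done; the checked variant refuses to advance from the offending lead byte, so the caller never holds a position outside the string.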


p5pRT commented Jun 22, 2017

From @tonycoz

131577b.pl


p5pRT commented Jun 22, 2017

The RT System itself - Status changed from 'new' to 'open'

khwilliamson (Contributor) commented

On blead, @tonycoz's reduction doesn't generate any problem. The original generates

Malformed UTF-8 character (unexpected end of string) in substitution (s///) at /var/tmp/test581 line 1, line 5.
perl: util.c:830: char *Perl_fbm_instr(PerlInterpreter *, unsigned char *, unsigned char *, SV *, U32): Assertion `bigend >= big' failed.

@khwilliamson khwilliamson changed the title heap-use-after-free (READ of size 1) in S_reghop4() Malformed utf8 message; earlier bug fixed, was use heap after free Mar 20, 2020
@xenu xenu removed the Severity Low label Dec 29, 2021