Use-After-Free in regcomp.c:5617

[p5pRT]

Migrated from rt.perl.org#134329 (status was 'pending release')

Searchable as RT134329$

[p5pRT]

From [email protected]

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04 (64 bit) as follows​:
  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:21226
- Command​: perl $PoC

ASAN says​:
==4224==ERROR​: AddressSanitizer​: heap-use-after-free on address
0x7fd452ab983d at pc 0x00000053ebf4 bp 0x7ffc694c0050 sp 0x7ffc694c0040
READ of size 1 at 0x7fd452ab983d thread T0
  #0 0x53ebf3 in Perl_regnext
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:21226
  #1 0x53ec5d in S_regtail
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:19848
  #2 0x57e0fc in S_regbranch
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:12409
  #3 0x57ea40 in S_reg
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:12104
  #4 0x58bd22 in Perl_re_op_compile
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:7721
  #5 0x6b1a24 in Perl_pp_regcomp
/home/dungnguyen/gueb-testing/perl-head/pp_ctl.c​:108
  #6 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
  #7 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
  #8 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
  #9 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
  #10 0x7fd45a10582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #11 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7fd452ab983d is located 249917 bytes inside of 262672-byte region
[0x7fd452a7c800,0x7fd452abca10)
freed by thread T0 here​:
  #0 0x7fd45aea99c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
  #1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

previously allocated by thread T0 here​:
  #0 0x7fd45aea99c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
  #1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

[p5pRT]

From [email protected]

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*. This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04
(64 bit) as follows​:
  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:7725
- Command​: perl $PoC

ASAN says​:
==22039==ERROR​: AddressSanitizer​: SEGV on unknown address 0x61200bb8b4c8
(pc 0x000000736366 bp 0x000000000000 sp 0x7fff387dc580 T0)
  #0 0x736365 in S_regmatch
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:7725
  #1 0x736365 in S_regtry
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3987
  #2 0x75cb68 in Perl_regexec_flags
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3850
  #3 0x60a4f1 in Perl_pp_match
/home/dungnguyen/gueb-testing/perl-head/pp_hot.c​:3014
  #4 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
  #5 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
  #6 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
  #7 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
  #8 0x7f35ea82c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #9 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says​:
==23196== Invalid read of size 8
==23196== at 0x52CAB8​: S_regmatch (regexec.c​:7725)
==23196== by 0x52CAB8​: S_regtry (regexec.c​:3987)
==23196== by 0x539FE3​: Perl_regexec_flags (regexec.c​:3850)
==23196== by 0x4C76DE​: Perl_pp_match (pp_hot.c​:3014)
==23196== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==23196== by 0x446595​: S_run_body (perl.c​:2701)
==23196== by 0x446595​: perl_run (perl.c​:2624)
==23196== by 0x421814​: main (perlmain.c​:127)
==23196== Address 0x11921468 is not stack'd, malloc'd or (recently) free'd

[p5pRT]

From [email protected]

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*. This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04
(64 bit) as follows​:
  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:8492
- Command​: perl $PoC

ASAN says​:
==19686==ERROR​: AddressSanitizer​: SEGV on unknown address 0x000000000001
(pc 0x000000736755 bp 0x000000000000 sp 0x7ffc51d522a0 T0)
  #0 0x736754 in S_regmatch
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:8492
  #1 0x736754 in S_regtry
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3987
  #2 0x75cb68 in Perl_regexec_flags
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3850
  #3 0x60a4f1 in Perl_pp_match
/home/dungnguyen/gueb-testing/perl-head/pp_hot.c​:3014
  #4 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
  #5 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
  #6 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
  #7 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
  #8 0x7fd73d8ab82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #9 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says​:
==26873== Invalid read of size 1
==26873== at 0x52D52B​: S_regmatch (regexec.c​:8492)
==26873== by 0x52D52B​: S_regtry (regexec.c​:3987)
==26873== by 0x539FE3​: Perl_regexec_flags (regexec.c​:3850)
==26873== by 0x4C76DE​: Perl_pp_match (pp_hot.c​:3014)
==26873== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==26873== by 0x446595​: S_run_body (perl.c​:2701)
==26873== by 0x446595​: perl_run (perl.c​:2624)
==26873== by 0x421814​: main (perlmain.c​:127)
==26873== Address 0x1 is not stack'd, malloc'd or (recently) free'd

[p5pRT]

From [email protected]

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04 (64 bit) as follows​:
  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:5617
- Command​: perl $PoC

ASAN says​:
==32678==ERROR​: AddressSanitizer​: heap-use-after-free on address
0x7fdbc9be4c3c at pc 0x0000005575b3 bp 0x7ffdb8f71020 sp 0x7ffdb8f71010
READ of size 1 at 0x7fdbc9be4c3c thread T0
  #0 0x5575b2 in S_study_chunk
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:5617
  #1 0x58dc6b in Perl_re_op_compile
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:8063
  #2 0x6b1a24 in Perl_pp_regcomp
/home/dungnguyen/gueb-testing/perl-head/pp_ctl.c​:108
  #3 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
  #4 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
  #5 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
  #6 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
  #7 0x7fdbd53b682f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #8 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7fdbc9be4c3c is located 177212 bytes inside of 262260-byte region
[0x7fdbc9bb9800,0x7fdbc9bf9874)
freed by thread T0 here​:
  #0 0x7fdbd615a9c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
  #1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

previously allocated by thread T0 here​:
  #0 0x7fdbd615a9c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
  #1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

Valgrind says​:
==1787== Invalid write of size 1
==1787== at 0x4849F7​: S_study_chunk.constprop.30 (regcomp.c​:5621)
==1787== by 0x49B066​: Perl_re_op_compile (regcomp.c​:8063)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)
==1787== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==1787== by 0x446595​: S_run_body (perl.c​:2701)
==1787== by 0x446595​: perl_run (perl.c​:2624)
==1787== by 0x421814​: main (perlmain.c​:127)
==1787== Address 0x74c873c is 38,812 bytes inside a block of size 262,236
free'd
==1787== at 0x4C2FD5F​: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787== by 0x4A6895​: Perl_safesysrealloc (util.c​:279)
==1787== by 0x47562D​: S_change_engine_size (regcomp.c​:19595)
==1787== by 0x475831​: S_regnode_guts (regcomp.c​:19633)
==1787== by 0x475831​: S_reg_node (regcomp.c​:19663)
==1787== by 0x49154C​: S_regpiece (regcomp.c​:12580)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x490674​: S_regatom (regcomp.c​:13370)
==1787== by 0x490674​: S_regpiece (regcomp.c​:12473)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x49A1EE​: Perl_re_op_compile (regcomp.c​:7721)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)
==1787== Block was alloc'd at
==1787== at 0x4C2FD5F​: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787== by 0x4A6895​: Perl_safesysrealloc (util.c​:279)
==1787== by 0x47562D​: S_change_engine_size (regcomp.c​:19595)
==1787== by 0x47589E​: S_reginsert (regcomp.c​:19744)
==1787== by 0x491509​: S_regpiece (regcomp.c​:12571)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x490674​: S_regatom (regcomp.c​:13370)
==1787== by 0x490674​: S_regpiece (regcomp.c​:12473)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x49A1EE​: Perl_re_op_compile (regcomp.c​:7721)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)

[p5pRT]

From [email protected]

On Thu, 01 Aug 2019 02​:25​:16 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch
*blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu
16.04 (64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:21226
- Command​: perl $PoC

ASAN says​:
==4224==ERROR​: AddressSanitizer​: heap-use-after-free on address
0x7fd452ab983d at pc 0x00000053ebf4 bp 0x7ffc694c0050 sp
0x7ffc694c0040
READ of size 1 at 0x7fd452ab983d thread T0
#0 0x53ebf3 in Perl_regnext
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:21226
#1 0x53ec5d in S_regtail
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:19848
#2 0x57e0fc in S_regbranch
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:12409
#3 0x57ea40 in S_reg
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:12104
#4 0x58bd22 in Perl_re_op_compile
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:7721
#5 0x6b1a24 in Perl_pp_regcomp
/home/dungnguyen/gueb-testing/perl-head/pp_ctl.c​:108
#6 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
#7 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
#8 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
#9 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
#10 0x7fd45a10582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7fd452ab983d is located 249917 bytes inside of 262672-byte region
[0x7fd452a7c800,0x7fd452abca10)
freed by thread T0 here​:
#0 0x7fd45aea99c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
#1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

previously allocated by thread T0 here​:
#0 0x7fd45aea99c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
#1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead)​:
- Perl​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

[p5pRT]

From [email protected]

On Thu, 01 Aug 2019 06​:35​:00 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*.
This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04
(64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:7725
- Command​: perl $PoC

ASAN says​:
==22039==ERROR​: AddressSanitizer​: SEGV on unknown address
0x61200bb8b4c8
(pc 0x000000736366 bp 0x000000000000 sp 0x7fff387dc580 T0)
#0 0x736365 in S_regmatch
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:7725
#1 0x736365 in S_regtry
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3987
#2 0x75cb68 in Perl_regexec_flags
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3850
#3 0x60a4f1 in Perl_pp_match
/home/dungnguyen/gueb-testing/perl-head/pp_hot.c​:3014
#4 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
#5 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
#6 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
#7 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
#8 0x7f35ea82c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says​:
==23196== Invalid read of size 8
==23196== at 0x52CAB8​: S_regmatch (regexec.c​:7725)
==23196== by 0x52CAB8​: S_regtry (regexec.c​:3987)
==23196== by 0x539FE3​: Perl_regexec_flags (regexec.c​:3850)
==23196== by 0x4C76DE​: Perl_pp_match (pp_hot.c​:3014)
==23196== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==23196== by 0x446595​: S_run_body (perl.c​:2701)
==23196== by 0x446595​: perl_run (perl.c​:2624)
==23196== by 0x421814​: main (perlmain.c​:127)
==23196== Address 0x11921468 is not stack'd, malloc'd or (recently)
free'd

As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead)​:
- Perl​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

[p5pRT]

From [email protected]

On Thu, 01 Aug 2019 06​:35​:21 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*.
This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04
(64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:8492
- Command​: perl $PoC

ASAN says​:
==19686==ERROR​: AddressSanitizer​: SEGV on unknown address
0x000000000001
(pc 0x000000736755 bp 0x000000000000 sp 0x7ffc51d522a0 T0)
#0 0x736754 in S_regmatch
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:8492
#1 0x736754 in S_regtry
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3987
#2 0x75cb68 in Perl_regexec_flags
/home/dungnguyen/gueb-testing/perl-head/regexec.c​:3850
#3 0x60a4f1 in Perl_pp_match
/home/dungnguyen/gueb-testing/perl-head/pp_hot.c​:3014
#4 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
#5 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
#6 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
#7 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
#8 0x7fd73d8ab82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says​:
==26873== Invalid read of size 1
==26873== at 0x52D52B​: S_regmatch (regexec.c​:8492)
==26873== by 0x52D52B​: S_regtry (regexec.c​:3987)
==26873== by 0x539FE3​: Perl_regexec_flags (regexec.c​:3850)
==26873== by 0x4C76DE​: Perl_pp_match (pp_hot.c​:3014)
==26873== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==26873== by 0x446595​: S_run_body (perl.c​:2701)
==26873== by 0x446595​: perl_run (perl.c​:2624)
==26873== by 0x421814​: main (perlmain.c​:127)
==26873== Address 0x1 is not stack'd, malloc'd or (recently) free'd

As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead)​:
- Perl​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

[p5pRT]

From [email protected]

On Thu, 01 Aug 2019 06​:35​:55 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch
*blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu
16.04 (64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:5617
- Command​: perl $PoC

ASAN says​:
==32678==ERROR​: AddressSanitizer​: heap-use-after-free on address
0x7fdbc9be4c3c at pc 0x0000005575b3 bp 0x7ffdb8f71020 sp
0x7ffdb8f71010
READ of size 1 at 0x7fdbc9be4c3c thread T0
#0 0x5575b2 in S_study_chunk
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:5617
#1 0x58dc6b in Perl_re_op_compile
/home/dungnguyen/gueb-testing/perl-head/regcomp.c​:8063
#2 0x6b1a24 in Perl_pp_regcomp
/home/dungnguyen/gueb-testing/perl-head/pp_ctl.c​:108
#3 0x5fa20a in Perl_runops_standard
/home/dungnguyen/gueb-testing/perl-head/run.c​:41
#4 0x48f0b7 in S_run_body
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2696
#5 0x48f0b7 in perl_run
/home/dungnguyen/gueb-testing/perl-head/perl.c​:2624
#6 0x425674 in main
/home/dungnguyen/gueb-testing/perl-head/perlmain.c​:127
#7 0x7fdbd53b682f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x425be8 in _start
(/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7fdbc9be4c3c is located 177212 bytes inside of 262260-byte region
[0x7fdbc9bb9800,0x7fdbc9bf9874)
freed by thread T0 here​:
#0 0x7fdbd615a9c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
#1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

previously allocated by thread T0 here​:
#0 0x7fdbd615a9c1 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
#1 0x5aa2b1 in Perl_safesysrealloc
/home/dungnguyen/gueb-testing/perl-head/util.c​:279

Valgrind says​:
==1787== Invalid write of size 1
==1787== at 0x4849F7​: S_study_chunk.constprop.30 (regcomp.c​:5621)
==1787== by 0x49B066​: Perl_re_op_compile (regcomp.c​:8063)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)
==1787== by 0x4C1C72​: Perl_runops_standard (run.c​:41)
==1787== by 0x446595​: S_run_body (perl.c​:2701)
==1787== by 0x446595​: perl_run (perl.c​:2624)
==1787== by 0x421814​: main (perlmain.c​:127)
==1787== Address 0x74c873c is 38,812 bytes inside a block of size
262,236
free'd
==1787== at 0x4C2FD5F​: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787== by 0x4A6895​: Perl_safesysrealloc (util.c​:279)
==1787== by 0x47562D​: S_change_engine_size (regcomp.c​:19595)
==1787== by 0x475831​: S_regnode_guts (regcomp.c​:19633)
==1787== by 0x475831​: S_reg_node (regcomp.c​:19663)
==1787== by 0x49154C​: S_regpiece (regcomp.c​:12580)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x490674​: S_regatom (regcomp.c​:13370)
==1787== by 0x490674​: S_regpiece (regcomp.c​:12473)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x49A1EE​: Perl_re_op_compile (regcomp.c​:7721)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)
==1787== Block was alloc'd at
==1787== at 0x4C2FD5F​: realloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787== by 0x4A6895​: Perl_safesysrealloc (util.c​:279)
==1787== by 0x47562D​: S_change_engine_size (regcomp.c​:19595)
==1787== by 0x47589E​: S_reginsert (regcomp.c​:19744)
==1787== by 0x491509​: S_regpiece (regcomp.c​:12571)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x490674​: S_regatom (regcomp.c​:13370)
==1787== by 0x490674​: S_regpiece (regcomp.c​:12473)
==1787== by 0x495254​: S_regbranch (regcomp.c​:12393)
==1787== by 0x49565F​: S_reg (regcomp.c​:12104)
==1787== by 0x49A1EE​: Perl_re_op_compile (regcomp.c​:7721)
==1787== by 0x4FFD2C​: Perl_pp_regcomp (pp_ctl.c​:108)

As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead)​:
- Perl​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN​: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

[p5pRT]

From @tonycoz

On Thu, 01 Aug 2019 06​:35​:55 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch
*blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu
16.04 (64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

This bisects down to

bf848a1 is the first bad commit
commit bf848a1
Author​: Karl Williamson <khw@​cpan.org>
Date​: Thu Mar 14 16​:46​:50 2019 -0600

  Add more checking for regnode offset overflowing
 
  This is part of the ongoing failures in [perl #133921].
 
  The bottom line cause is that there are generally 16 bits available for
  the address of the next regnode. On very large patterns, this may not
  be enough. When that happens, a long jump is used instead.
 
  What previous commits have done is to insert tests in a loop to detect
  that overflow isn't going to occur. But it turns out that there are
  other places where such overflow could occur. The real solution should
  be to detect overflow in the base level routine that would otherwise get
  things wrong. This entails making that routine be able to return
  failure. It turns out that another function is used under DEBUGGING, so
  that one must be changed as well. And the calls where it is possible
  for this to overflow are changed to look for failure return and proceed
  appropriately, which is to set a flag that we need to use long jumps,
  and restart the parse.

for me.

Bisected with​:

perl ../bisect.pl --start=v5.28.0 --end=v5.30.0 -DDEBUGGING -- ./perl ../134329.pl

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Sun, 11 Aug 2019 18​:58​:39 -0700, tonyc wrote​:

On Thu, 01 Aug 2019 06​:35​:55 -0700, nguyenmanhdung1710@​gmail.com
wrote​:

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch
*blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu
16.04 (64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

This bisects down to

bf848a1 is the first bad commit
commit bf848a1
Author​: Karl Williamson <khw@​cpan.org>
Date​: Thu Mar 14 16​:46​:50 2019 -0600

Add more checking for regnode offset overflowing

This commit changed allocation of the regexp program from​:

- Newxc(RExC_rxi, sizeof(regexp_internal) + (unsigned)RExC_size * sizeof(regnode),
- char, regexp_internal);

to​:

+ Newxc(RExC_rxi, sizeof(regexp_internal) + RExC_size, char, regexp_internal);

assuming I understand the code.

I expect this is the cause for #134325 too.

Tony

[p5pRT]

From @tonycoz

Attached the PoC to save people time.

[p5pRT]

From @tonycoz

134329.pl

[p5pRT]

From @khwilliamson

On 8/12/19 12​:08 AM, Tony Cook via RT wrote​:

Attached the PoC to save people time.

---
via perlbug​: queue​: perl5 status​: open
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=134329

This is fixed by this commit, currently smoking as khw-134329

  PATCH​: [perl #134329] Use after free in regcomp.c

  A compiled regex is composed of nodes, forming a linked list, with
  normally a maximum of 16 bits used to specify the offset of the next
  link. For patterns that require more space than this, the 16 bit
links
  are replaced by using separate nodes especially for the purpose that
  have longer offsets.

  When compiling a pattern, the 16 bit mechanism is used, until it
  overflows, at which point the pattern is recompiled with the long
jumps
  instead.

  When I rewrote the compiler last year to make it generally one pass, I
  noticed a lot of the cases where a node was added didn't check if the
  result overflowed (the function that does this returns FALSE in that
  case). I presumed the prior authors knew better, and did not change
  things, except to put in a bogus value in the link (offset) field that
  should cause a crash if it were used. That's what's happening in this
  ticket.

  But seeing this example, it's clear that the return value should be
  checked every time, because you can reach the limit at any time. This
  commit changes to do that, and to require the function's return
value to
  not be ignored, to guard against future changes.
 

[p5pRT]

From @tonycoz

On Thu, 01 Aug 2019 06​:35​:21 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*.
This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04
(64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Attached the POC.

This looks like it's the same problem as with 134329.

On a debug build the tail of the run is​:

65565​: END (0)
minlen 0
Matching REx "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"... against ""
  0 <> <> | 0| 1​:CURLYX[0]{0,INFTY}(65536)
  0 <> <> | 1| 65535​:CURLY{9216,3}(0)
miniperl​: regexec.c​:8491​: S_regmatch​: Assertion `ST.min <= ST.max' failed.

The offset there is wrong, so it's trying to interpret from the middle of a regexp op.

If I test with khw-134329 I get​:

162257​: EXACT <n> (0)
162259​: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (162262)
162262​: END (0)
floating "%0G%x{ff}p%x{ff}%x{ff}%x{ff}%177" at 1..9223372036854775807 (checking floating) minlen 9
String shorter than min possible regex match (0 < 9)
Freeing REx​: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

Tony

[p5pRT]

From @tonycoz

134328.pl

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Thu, 01 Aug 2019 06​:35​:00 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*.
This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04
(64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:7725
- Command​: perl $PoC

Attached the PoC.

Also appears to be fixed by khw-134329

blead​:

65665​: EXACT <n> (0)
65667​: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (65670)
65670​: END (0)
minlen 0
Matching REx "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"... against ""
  0 <> <> | 0| 1​:CURLYX[0]{0,INFTY}(65536)
  0 <> <> | 1| 65535​:CLOSE8192005(65537)
Segmentation fault

Note the 65535 offset and the bad close paren.

khw-134329​:

162495​: CURLY{0,1} (162499)
162497​: EXACT <n> (0)
162499​: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (162502)
162502​: END (0)
floating "%0G%x{ff}p%x{ff}%x{ff}%x{ff}%177" at 1..9223372036854775807 (checking floating) minlen 9
String shorter than min possible regex match (0 < 9)
Freeing REx​: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

Tony

[p5pRT]

From @tonycoz

134327.pl

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Thu, 01 Aug 2019 02​:25​:16 -0700, nguyenmanhdung1710@​gmail.com wrote​:

Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch
*blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu
16.04 (64 bit) as follows​:
./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
-Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-
ga3c7756))
built for x86_64-linux

- Crafted PoC​:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:21226
- Command​: perl $PoC

Attached the PoC.

Also fixed by khw-134329.

blead​:

~ tying lastbr BRANCH (65473) to ender CLOSE7 (65480) offset 7
~ tying lastbr BRANCH (65504) to ender CLOSE8 (65511) offset 7
~ tying lastbr BRANCH (65532) to ender CLOSE1 (65535) offset 3
~ tying lastbr BRANCH (65588) to ender CLOSE9 (65602) offset 14
~ tying lastbr BRANCH (65644) to ender CLOSE10 (65647) offset 3
Segmentation fault

khw-134329​:

~ tying lastbr BRANCHJ (162406) to ender CLOSE1 (162410) offset 4
~ tying lastbr BRANCHJ (162490) to ender CLOSE9 (162505) offset 15
~ tying lastbr BRANCHJ (162571) to ender CLOSE10 (162575) offset 4
~ tying lastbr CURLYX[0]{0,INFTY} (1) to ender END (162590) offset 162589
Unmatched ) in regex; marked by <-- HERE in m/((8|||ո^P׸||(G|||,^@​d^@​^P^Z)*(8|||ccccc<9C><9C><9C><B8>GW2G2=@​^@​GG|G<D4><C0>ո<FF><D7>^A||G<F2>^Z<AB>^V!^@​G)*׸||
<83><D3>W2G<D4>i+<D6><D5>@​׸a׸|!^@​G)*(G<83><83><83><D3>?2G<D4>i+<D6><D5>@​<D7>|,W
<FA>^@​^@​<FA>@​^@​GG|<CC>|<FF>|,^@​h@​^?^@​^@​GG|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
...
at ../134326.pl line 1.
Freeing REx​: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

(some of the funny characters were probably mangled here)

Tony

[p5pRT]

From @tonycoz

134326.pl

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @khwilliamson

Thanks for finding and reporting this
Fixed by

3b2e562
--
Karl Williamson

[p5pRT]

@khwilliamson - Status changed from 'open' to 'pending release'

[p5pRT]

From [email protected]

On Fri, 30 Aug 2019 07​:23​:52 -0700, khw wrote​:

Thanks for finding and reporting this
Fixed by

3b2e562

Can I request a CVE for this bug? Thanks.

[p5pRT]

From @xsawyerx

On Sat, 31 Aug 2019 07​:40​:43 -0700, nguyenmanhdung1710@​gmail.com wrote​:

On Fri, 30 Aug 2019 07​:23​:52 -0700, khw wrote​:

Thanks for finding and reporting this
Fixed by

3b2e562

Can I request a CVE for this bug? Thanks.

Hi,

[I've included this response in RT#134325 as well.

I'm quoting Tony Cook here​:

  All cases for both tickets are bad reads, either of freed memory, or
  beyond the end of a buffer.

  None of the reads result in returning data to a potential attacker
  that I can see.

  According to our usual criteria such reads aren't a security issue.

  Can an attacker craft a regexp with data at the offset 65535 point to
  do undesirable things? Could they make the engine loop at regexp
  compile time or runtime so control isn't returned to the calling perl
  code?

  I'm not sure.

While we are looking into this, we would appreciate any help in proving this. If we can answer Tony's questions, we can discern better if this suits as a security issue.

[shlomif]

Hi all!

Was the fix to this issue incorporated into the 5.30.2 release? I am currently trying to update the perl package for mageia linux v8 (currently cauldron), and Patch58 (for this bug) does not get applied cleanly using git:

https://svnweb.mageia.org/packages/cauldron/perl/current/SPECS/perl.spec?revision=1552357&view=markup#l231 .

Update: randir_ on irc.perl.org informed me that it was applied as part of v5.30.2 in commit 9067ea0 . HTH.

[hvds]

Was the fix to this issue incorporated into the 5.30.2 release?

Yes, it was included as 9067ea0 annotated "cherry picked from commit 3b2e562". It looks like the only conflict bar fuzz was the change of s -> S in embed.fnc at 9f589e4 in blead.