develooper Front page | perl.perl5.porters | Postings from February 2019

[perl #133606] heap use after free in S_regmatch (READ of size 1)

From:
Tony Cook via RT
Date:
February 20, 2019 02:33
Subject:
[perl #133606] heap use after free in S_regmatch (READ of size 1)
Message ID:
rt-4.0.24-20560-1550630019-4.133606-15-0@perl.org
On Sun, 10 Feb 2019 15:42:13 -0800, tonyc wrote:
> On Mon, 22 Oct 2018 02:09:01 -0700, davem wrote:
> > On Sun, Oct 21, 2018 at 09:13:42PM -0600, Karl Williamson wrote:
> > > On 10/21/18 2:24 PM, geeknik@protonmail.ch wrote:
> > > > # New Ticket Created by  geeknik@protonmail.ch
> > > > # Please include the string:  [perl #133606]
> > > > # in the subject line of all future correspondence about this
> > > > issue.
> > > > # <URL: https://rt.perl.org/Ticket/Display.html?id=133606 >
> > > >
> > > >
> > > > I'm not sure if this is the same bug as
> > > > https://rt.perl.org/Ticket/Display.html?id=130569, however I was
> > > > able to trigger this in Perl v5.29.4-6-gaa13068140 with the
> > > > following command line:
> > > >
> > > > ./perl -e
> > > > 'm(((?{m(((((?{m(((?{})))*s|||})))(?{})))*$^=~s||||0})))*0'
> > > >
> > > > ==7602==ERROR: AddressSanitizer: heap-use-after-free on address
> > > > 0x603000001c30 at pc 0x000000aba183 bp 0x7fffc8fc8250 sp
> > > > 0x7fffc8fc8248
> > >
> > > I verified that this predates 5.29.
> >
> > It can be reduced to
> >
> > $_ = "";
> >
> > m(
> >     (?{
> >         m(
> >             .?
> >         )x;
> >         s{}{};
> >     })
> > )x;
> >
> > $^=~s{}{};
> >
> > valgrind shows the use-after-free occurs in the last line. It looks
> > to be something to do with the empty pattern technique using the
> > last successfully matched pattern. $^ is a magic var, but replacing
> > with a plain var (created in such a way that it isn't COW) gives me
> > an sv_chop panic instead.
> >
> > I haven't got the mental energy at the moment to diagnose this fully.
> 
> Since this requires feeding code to the regexp engine, I don't think
> it's a security issue, so I'll make it public in a couple of days
> unless someone objects.

Done.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=133606
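The two mechanisms the thread turns on, as an added illustration that is not part of the ticket or of perl's own code: an empty pattern in m// or s/// reuses the last successfully matched pattern (what davem's reduced case relies on), and a (?{ ... }) code block interpolated into a pattern at run time is refused unless `use re 'eval'` is in effect, which is why Tony treats the report as needing code fed to the engine. The function names and sample strings are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# An empty pattern does not mean "match nothing": m// and s/// reuse
# the last pattern that matched successfully. A later failed match
# does not replace it.
sub last_pattern_reused {
    my ($text) = @_;
    $text =~ /b+/;                 # succeeds, becomes the "last successful" pattern
    $text =~ /x/;                  # fails, so /b+/ is still the last successful one
    (my $copy = $text) =~ s//-/;   # empty pattern here behaves like s/b+/-/
    return $copy;
}

# Compiling a pattern supplied as a plain string at run time: a
# (?{ ... }) block inside it is rejected by the regexp compiler unless
# the caller has explicitly enabled `use re 'eval'`, so untrusted input
# cannot reach the code-block machinery by default.
sub compile_user_pattern {
    my ($pat) = @_;
    my $re = eval { qr/$pat/ };
    return defined $re ? $re : "rejected: $@";
}

print last_pattern_reused("aabbcc"), "\n";
print compile_user_pattern('a(?{ 1 })b'), "\n";   # refused without re 'eval'
print compile_user_pattern('a.?b'), "\n";         # ordinary pattern compiles fine
```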


