develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134329] Use-After-Free in regcomp.c:5617

From: Manh-Dung Nguyen
Date: August 2, 2019 04:21
Subject: [perl #134329] Use-After-Free in regcomp.c:5617
Message ID: rt-4.0.24-30556-1564666555-95.134329-75-0@perl.org
# New Ticket Created by  Manh-Dung Nguyen 
# Please include the string:  [perl #134329]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=134329 >


Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04 (64 bit) as follows:
   ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:5617
- Command: perl $PoC

ASAN says:
==32678==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fdbc9be4c3c at pc 0x0000005575b3 bp 0x7ffdb8f71020 sp 0x7ffdb8f71010
READ of size 1 at 0x7fdbc9be4c3c thread T0
    #0 0x5575b2 in S_study_chunk /home/dungnguyen/gueb-testing/perl-head/regcomp.c:5617
    #1 0x58dc6b in Perl_re_op_compile /home/dungnguyen/gueb-testing/perl-head/regcomp.c:8063
    #2 0x6b1a24 in Perl_pp_regcomp /home/dungnguyen/gueb-testing/perl-head/pp_ctl.c:108
    #3 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
    #4 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
    #5 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
    #6 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
    #7 0x7fdbd53b682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7fdbc9be4c3c is located 177212 bytes inside of 262260-byte region [0x7fdbc9bb9800,0x7fdbc9bf9874)
freed by thread T0 here:
    #0 0x7fdbd615a9c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279

previously allocated by thread T0 here:
    #0 0x7fdbd615a9c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279

Valgrind says:
==1787== Invalid write of size 1
==1787==    at 0x4849F7: S_study_chunk.constprop.30 (regcomp.c:5621)
==1787==    by 0x49B066: Perl_re_op_compile (regcomp.c:8063)
==1787==    by 0x4FFD2C: Perl_pp_regcomp (pp_ctl.c:108)
==1787==    by 0x4C1C72: Perl_runops_standard (run.c:41)
==1787==    by 0x446595: S_run_body (perl.c:2701)
==1787==    by 0x446595: perl_run (perl.c:2624)
==1787==    by 0x421814: main (perlmain.c:127)
==1787==  Address 0x74c873c is 38,812 bytes inside a block of size 262,236
free'd
==1787==    at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787==    by 0x4A6895: Perl_safesysrealloc (util.c:279)
==1787==    by 0x47562D: S_change_engine_size (regcomp.c:19595)
==1787==    by 0x475831: S_regnode_guts (regcomp.c:19633)
==1787==    by 0x475831: S_reg_node (regcomp.c:19663)
==1787==    by 0x49154C: S_regpiece (regcomp.c:12580)
==1787==    by 0x495254: S_regbranch (regcomp.c:12393)
==1787==    by 0x49565F: S_reg (regcomp.c:12104)
==1787==    by 0x490674: S_regatom (regcomp.c:13370)
==1787==    by 0x490674: S_regpiece (regcomp.c:12473)
==1787==    by 0x495254: S_regbranch (regcomp.c:12393)
==1787==    by 0x49565F: S_reg (regcomp.c:12104)
==1787==    by 0x49A1EE: Perl_re_op_compile (regcomp.c:7721)
==1787==    by 0x4FFD2C: Perl_pp_regcomp (pp_ctl.c:108)
==1787==  Block was alloc'd at
==1787==    at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1787==    by 0x4A6895: Perl_safesysrealloc (util.c:279)
==1787==    by 0x47562D: S_change_engine_size (regcomp.c:19595)
==1787==    by 0x47589E: S_reginsert (regcomp.c:19744)
==1787==    by 0x491509: S_regpiece (regcomp.c:12571)
==1787==    by 0x495254: S_regbranch (regcomp.c:12393)
==1787==    by 0x49565F: S_reg (regcomp.c:12104)
==1787==    by 0x490674: S_regatom (regcomp.c:13370)
==1787==    by 0x490674: S_regpiece (regcomp.c:12473)
==1787==    by 0x495254: S_regbranch (regcomp.c:12393)
==1787==    by 0x49565F: S_reg (regcomp.c:12104)
==1787==    by 0x49A1EE: Perl_re_op_compile (regcomp.c:7721)
==1787==    by 0x4FFD2C: Perl_pp_regcomp (pp_ctl.c:108)
======================================
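The traces above show the shape of the bug without showing the code: the block that S_study_chunk reads from was freed by a realloc inside S_change_engine_size, reached from S_reg_node and S_reginsert while the pattern was still being emitted, so a pointer taken into the program buffer before that growth points at dead memory afterwards. The following C program is an added example and not Perl's code; the names regprog, change_engine_size, emit_node, insert_node and the study_* functions are hypothetical stand-ins. It builds a tiny growable "program" buffer that always relocates on growth, shows the stale-pointer pattern beside the offset-based pattern that survives growth, and can be compiled with -fsanitize=address to see the same heap-use-after-free report once the commented read is enabled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One compiled node: opcode plus a relative "next" link (constructed layout). */
typedef struct { unsigned char op; uint16_t next; } regnode;

/* Growable program buffer (hypothetical; stands in for the emit area). */
typedef struct {
    regnode *nodes;   /* base of the live block; changes whenever we grow */
    size_t   used;    /* nodes written so far */
    size_t   alloc;   /* capacity in nodes */
    unsigned moves;   /* how often the base address has changed */
} regprog;

enum { OP_EXACT = 1, OP_STAR = 2, OP_END = 3 };

/* Grow the program. Same contract as realloc, except it always relocates
 * (allocate new, copy, free old) so the hazard does not depend on the
 * allocator happening to extend the block in place. */
static void change_engine_size(regprog *p, size_t want)
{
    if (want <= p->alloc) return;
    size_t n = p->alloc ? p->alloc * 2 : 4;
    while (n < want) n *= 2;
    regnode *fresh = malloc(n * sizeof *fresh);
    if (!fresh) abort();
    if (p->nodes) {
        memcpy(fresh, p->nodes, p->used * sizeof *fresh);
        free(p->nodes);          /* every pointer into the old block is now dead */
        p->moves++;
    }
    p->nodes = fresh;
    p->alloc = n;
}

/* Append a node and return its offset, the handle that stays valid. */
static size_t emit_node(regprog *p, unsigned char op)
{
    change_engine_size(p, p->used + 1);
    p->nodes[p->used] = (regnode){ op, 0 };
    return p->used++;
}

/* Insert a node at `at`, shifting later nodes up by one. Offsets >= at that
 * callers hold must be bumped; raw pointers are invalid regardless. */
static void insert_node(regprog *p, size_t at, unsigned char op)
{
    change_engine_size(p, p->used + 1);
    memmove(p->nodes + at + 1, p->nodes + at, (p->used - at) * sizeof *p->nodes);
    p->nodes[at] = (regnode){ op, 0 };
    p->used++;
}

static void regprog_free(regprog *p) { free(p->nodes); p->nodes = NULL; }

/* Buggy shape: cache a raw pointer into the program, then keep emitting.
 * Returns 1 when the cached address no longer belongs to the live block,
 * the state in which the commented-out read is a heap-use-after-free.
 * The address is captured as an integer while the pointer is still valid,
 * so the comparison itself is well-defined. */
static int study_with_stale_pointer(void)
{
    regprog p = { 0 };
    size_t idx = emit_node(&p, OP_EXACT);
    regnode *cached = &p.nodes[idx];
    uintptr_t cached_addr = (uintptr_t)cached;

    for (int i = 0; i < 16; i++)          /* forces several relocations */
        emit_node(&p, OP_END);

    int stale = p.moves > 0 && cached_addr != (uintptr_t)&p.nodes[idx];
    /* unsigned char op = cached->op;        ASAN: heap-use-after-free */
    regprog_free(&p);
    return stale;
}

/* Fixed shape: hold an offset, re-derive the pointer from the live base
 * after anything that can grow the program, and adjust the offset when a
 * node is inserted in front of it. Returns the opcode at the tracked node. */
static int study_with_offset(void)
{
    regprog p = { 0 };
    emit_node(&p, OP_STAR);
    size_t tracked = emit_node(&p, OP_EXACT);

    for (int i = 0; i < 16; i++)
        emit_node(&p, OP_END);            /* may relocate p.nodes */
    insert_node(&p, 0, OP_STAR);          /* shifts every node up by one */
    tracked += 1;                         /* so the offset must follow */

    int op = p.nodes[tracked].op;         /* fresh pointer from the live base */
    regprog_free(&p);
    return op;
}

int main(void)
{
    printf("cached pointer stale after growth: %d\n", study_with_stale_pointer());
    printf("opcode via offset after growth and insert: %d (OP_EXACT is %d)\n",
           study_with_offset(), OP_EXACT);
    return 0;
}
```

Uncommenting the read in study_with_stale_pointer and building with `cc -g -fsanitize=address` produces a report of the same form as the one in the ticket: a READ in the study function, the block freed by the growth routine, and the block previously allocated by the same growth routine one size earlier. The fix pattern is the second function: anything that can call the growth routine invalidates every raw pointer into the buffer, so passes that run after emission must address nodes by offset and recompute the pointer from the current base.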

